JP4168188B2 - Management system, management server and management program - Google Patents

Description

  The present invention relates to a technique for ensuring security in an internal system (in-house system) in a company or the like, and in particular, security of the internal system for users (employees, employees) who use the internal system. E-education to ensure security in accordance with the actual situation and personal information and confidential information held in information processing devices such as personal computers (user terminals, servers, etc.) TECHNICAL FIELD OF THE INVENTION

In general, in an information processing system (internal system) constructed in a company or the like, a user terminal (information processing apparatus; PC, etc.) operated and used by each employee
Hereinafter, the terminal may be simply referred to as “terminal”), and is connected to other user terminals via a local area network (LAN) so that each user terminal is connected to the LAN. It can be connected to an external communication network such as the Internet through a connected proxy server, and can receive services provided by various servers on the Internet (for example, see Patent Document 1 below).

  By the way, in recent years, security awareness of information processing systems (internal systems) built in the company has increased, and in large companies, information leakage countermeasures and security measures have been implemented in the company systems (each terminal). If you are getting more.

  In addition, even in the small and medium-sized enterprises that do not have a system administrator, the number of terminals has increased in recent years, and there are many cases where an internal system as described above is constructed by connecting terminals via a LAN. In many cases, security awareness is not as high as in large corporations, and there is a case in which connection to an external communication network such as the Internet is possible without taking any security measures.

Therefore, for example, the techniques disclosed in Patent Document 2 and Patent Document 3 below may be applied as security measures to internal systems of large companies and small and medium businesses.
Patent Document 2 below relates to a business management technique for safely performing business processing, and diagnoses the safety level against computer viruses of a plurality of business processing devices in multiple stages (three stages in Patent Document 2), and obtains the diagnosis result. It is disclosed that a given safety level is notified to a plurality of business processing devices.

  Patent Document 3 below relates to a technology that enables a person without advanced skills to efficiently and effectively perform security management by using a system that standardizes know-how of security management. It is disclosed that a question is presented, an answer to the question from the terminal is evaluated, an education plan is created based on the evaluation result, and the user receives education based on the plan.

  The technology disclosed in Patent Document 4 below relates to the configuration and usage of resources of each information device in a network, and a method / system for monitoring traffic with a centralized monitoring device arranged outside the network. The purpose is to solve the problem of unauthorized access to information resources in the network and countermeasures against unauthorized connection to the network. In this patent document 4, for example, in claim 4 or claim 6, information on resource configuration and usage status of information equipment collected by an agent is acquired via the Internet, and when unauthorized use or unauthorized connection is detected, It is disclosed to notify the administrator.

  The technique disclosed in Patent Document 5 relates to a security education method and a security education support computer that can be preferably used for information security education, management, and auditing. It is described that a security education attendance procedure is performed by sending and receiving security-related educational content in response to a request from a client computer.

  In addition, the technology disclosed in Patent Document 6 relates to a business management system for safely performing business processing, and aims to easily and effectively implement security measures without the user performing business processing being conscious. Yes. For example, claim 4 in Patent Document 6 describes that the safety level of each business processing device against a computer virus is diagnosed based on the security information received from each business processing device. No. 5 describes diagnosing the safety level of a plurality of business processing devices against computer viruses based on the safety level of each business processing device against computer viruses.

  Further, the technology disclosed in Non-Patent Document 1 below relates to the creation of a standard (standard document) related to security operation. In “Point 4” on the left column of page 107 of Non-Patent Document 1, a security violator For this, it is described that security re-education will be implemented. In this case, it is considered that the same education is performed again.

  In recent years, along with the heightened awareness of protection of personal information, it has been desired to reliably prevent inadvertent leakage / leakage of personal information and unauthorized use of personal information. In particular, with the enforcement of the Personal Information Protection Law, there is a need for businesses that handle personal information to more reliably prevent the leakage or leakage of personal information and unauthorized use. Here, personal information is information that can identify a specific individual by itself or in combination, and includes, for example, name, date of birth, contact information (address, address, telephone number, e-mail address, etc.). . Customer information, business partner information, etc. stored and handled in various companies often correspond to personal information.

  Naturally, such personal information corresponds to confidential information with high confidentiality for companies, but as confidential information for companies, in addition to personal information, new products before publication, technology before patent application, Information related to management strategies, etc. According to the Institute of Systems Audits, confidential information is defined as information that may impair the value of management resources when disclosed to anyone other than the authorized person or used for other purposes. Has been.

  In order to reliably prevent the outflow / leakage and unauthorized use of personal information and confidential information as described above, it is desirable to introduce a centralized management system and centrally manage such personal information and confidential information. However, in reality, personal information such as customer information and business partner information in a company includes a plurality of user terminals [personal computers (hereinafter sometimes abbreviated as PCs)] used by individual employees, In many cases, they are distributed and stored in department servers. More specifically, individual employees store their personal information (customer information, etc.) on their PCs for their own work, or a central database or a subset of personal information collected by each employee. It exists in various places on the PC.

  For this reason, when constructing the above centralized management system, the administrator first identifies personal information and confidential information that are scattered in the company, and what kind of personal information and confidential information is located in the company. It is necessary to grasp whether it exists, but personal information and confidential information are identified by the manager instructing each employee and with the cooperation of the entire company and all departments in person-to-person relations. .

For example, in Patent Document 7 below, in accordance with the enforcement of the Personal Information Protection Law, a technique for providing a personal information protection service that prevents personal information from being leaked or leaked or used illegally is described as “Personal Information Protection Service Business Processing Method”. And device "have been proposed and disclosed. In this patent document 7, it is possible to identify and warn a company that has improperly acquired personal information, and to prevent illegal leakage of personal information from a company that has acquired it appropriately. However, it does not disclose how to deal with the case where personal information is distributed in the company as described above.

  Further, for example, Patent Document 8 below discloses a file copy management technique for preventing unauthorized copying of a file in a computer system or other data processing device or system, and in particular, a special copy prohibition measure is taken for a file. Technology for preventing unauthorized copying of source code files written in a specific language or multimedia data files of a specific file format has been disclosed. There is no disclosure of what to do if they exist in a distributed manner.

Further, for example, in Patent Document 9 below, an integrated internal information leakage prevention system is disclosed, and in particular, offline information leakage through an output device and a movable storage device and online information leakage by a communication program are fundamentally prevented. And the technology to prevent important information from leaking from the internal system by monitoring is disclosed, but again, as mentioned above, coping with the case where personal information is distributed in the company Is not disclosed.
Republished patent WO2003 / 038634 JP 2005-202620 A JP 2002-279057 A JP 2002-149435 A JP 2004-302585 A JP 2005-202620 A JP 2002-183367 A JP 2001-350671 A Special table 2003-535398 gazette CS-ND-2004-00109-011, Come with Don, who develops while looking at the sample! , Information security policy making the “standard” of the final security measures 7, N + I NETWORK, Japan, Softbank Publishing Co., Ltd., Yoshihiro Sato et al., January 1, 2003, Vol. 3, No. 1, p.104-p.109

  However, in Patent Document 2, only the safety level of a plurality of business processing devices is diagnosed and the result of the diagnosis is notified to the business processing device. Processing to ensure thoroughness (for example, electronic education) is not performed. Moreover, in the said patent document 3, the educational plan is created based on the answer with respect to the question regarding security, and only the reference by the user of each terminal is referred, and the actual situation (actual state) in each terminal is shown. Since it is not possible to refer to it, it is difficult to say that appropriate security education according to the actual situation can be executed unless the user gives an honest answer.

  For this reason, regardless of the size of the enterprise such as large enterprises and small and medium enterprises, in order to ensure security in the information processing system, the information processing system is provided to users (employees, employees) who use the information processing system. In addition to making it possible to conduct electronic education to ensure security in accordance with the actual conditions of each user terminal, it is also possible to grasp the security status of the information processing system extremely accurately and easily. Is desired.

  Further, in Patent Documents 1-6 and Non-Patent Document 1 described above, it is impossible to take measures against violations that are highly likely to have been intentionally performed by the user after electronic education about security in general. . Therefore, thorough user education (employee education) is not sufficient, and it cannot be said that it contributes to securing and maintaining a safe environment.

  In addition, in relation to security, it is desired that information such as personal information files distributed in a large number of terminals in a company is reliably searched and managed. Here, in order to reliably identify a personal information file newly created / added in each terminal, for example, it is necessary to periodically search the personal information file. Even if the personal information file of each PC is grasped and managed by a server or the like, a storage medium (FD, CD-R (RW), DVD-R (RW), semiconductor memory) written from each terminal, electronic Personal information may be leaked from email or file transfer software.

Therefore, in addition to the Turkey to manage the personal information file for each PC, it is necessary to perform also management on actions to perform transmission to the writing unloading or other computer to an external storage medium of the electronic file. However, there is currently no system that considers information diffusion by writing or transmitting personal information from each terminal.

  In addition, as described above in Patent Document 7, if personal information and confidential information are identified with human cooperation such as reporting from each employee as described above, not only is it time-consuming, but all personal information is also collected. It is difficult to ensure that confidential information is clearly identified without omission. In particular, when personal information and confidential information are being distributed, it is extremely difficult to identify personal information and confidential information. In addition, if there is a leak in identifying personal information or confidential information, the state of the personal information or confidential information cannot be managed, and there is a risk of inadvertent outflow / leakage or unauthorized use.

Further, Patent Document 8 discloses a technique for preventing unauthorized copying, but does not disclose how to deal with personal information distributed in a company as described above.
Furthermore, Patent Document 9 discloses a technique for preventing important information from leaking from the internal system of the organization. However, as described above, when personal information exists in a distributed manner in the company. No response has been disclosed.

  The present invention was devised in view of such a situation. Electronic education for ensuring the security of an internal system in a company or the like is conducted in accordance with the actual situation of each user terminal. In addition, the primary objective is to raise the user's security awareness, ensure and maintain a safe environment in the internal system of the company, etc., and deter the spread of information by enabling thorough implementation. .

  In addition, the present invention evaluates and notifies the security status of the internal system in a company or the like, so that even if a system administrator is not placed, or even if a manager or administrator is indifferent to security measures, To make it possible to grasp the security status of internal systems and terminals in an extremely accurate and easy manner, to raise the security awareness of managers, managers and users, and to secure and maintain a safe environment in internal systems of companies, etc. The second purpose.

  In addition, the present invention was devised in view of such a situation, and even if personal information and confidential information are distributed and stored in a plurality of PCs and servers in a company, without human cooperation. In addition, it is possible to manage the state of personal information and confidential information without imposing a special burden on the person in charge, and to reliably prevent inadvertent leakage, leakage, or unauthorized use of personal information or confidential information. It is said.

In order to achieve the above object, the gist of the present invention is to use the following management system, management server, and management program.
[1] In the management system of the present invention, a plurality of user terminals are connected to the plurality of user terminals so as to be able to communicate with each other, and the plurality of user terminals are set in accordance with a management condition predetermined as a usage state of the user terminals. A management server that manages the user terminals, and environmental information collection means that collects environmental information related to the management conditions in each of the plurality of user terminals from each user terminal to the management server. Each of the user terminals in the storage unit stores data including an electronic file, and a search for specifying and searching for a management target file holding a personal information element or a confidential information element from the data in the storage unit Means and a transmission means for transmitting a result of the search by the search means to the management server via the network. The management server is collected from each user terminal. Based on the environment information, determining means for determining whether each user terminal meets the management conditions, the use of electronic education including matters related to the management conditions depending on the determination result satisfies the control conditions For the electronic education control means to be executed by the user terminal and the user terminal that has not completed the electronic education, the access log for the management target file is collected and recorded from the user terminal based on the search result. Log collecting means, and management means for restricting the operation of the user terminal according to the security level of the user terminal determined based on the access log for the management target file. Features.

[2] The management system of the present invention is connected to a plurality of user terminals and the plurality of user terminals so that they can communicate with each other, and the plurality of user terminals according to a management condition predetermined as a usage state of the user terminals. A management server that manages the user terminals, and environmental information collection means that collects environmental information related to management conditions in each of the plurality of user terminals from each user terminal to the management server, Each user terminal identifies and searches for a storage unit that holds data including electronic files, and a management target file that holds a predetermined number or more of personal information elements or confidential information elements from the data in the storage unit a search means for, through the network is configured to result of the search by said search means includes a transmitting means for transmitting to said management server, the management server, according to the management condition An electronic education control means for executing an electronic education including a term in said plurality of user terminals, on the basis of the environment information of each user terminal that has been collected by the environment report collection means after the electronic education by electronic education control means and determining means for determining whether each user terminal meets the management condition for the user terminal is determined not to satisfy the control conditions based on the result of the search, access to the management object file Log collecting means for collecting and recording logs from the user terminal, and changing / setting the security level in the user terminal based on the access log for the management target file, and using the usage according to the security level And management means for changing the operation restriction of the person terminal.

[3] The management system of the present invention is connected to a plurality of user terminals so as to be able to communicate with the plurality of user terminals, and the plurality of user terminals according to a management condition predetermined as a usage state of the user terminals. A management server that manages the user terminals, and environmental information collection means that collects environmental information related to management conditions in each of the plurality of user terminals from each user terminal to the management server, Each user terminal identifies and searches for a storage unit that holds data including electronic files, and a management target file that holds a predetermined number or more of personal information elements or confidential information elements from the data in the storage unit And a transmission means for transmitting a result of the search by the search means to the management server via the network. First electronic education control means for causing the plurality of user terminals to execute electronic education, and the environmental information in each user terminal collected by the environmental information collecting means after electronic education by the first electronic education control means Based on the above, the determination means for determining whether or not each user terminal satisfies the management conditions, and the user terminal that is determined not to satisfy the management conditions by the determination means of a second electronic education control means for executing the detailed electronic education, the user terminal is determined not to satisfy the control conditions or for user terminals that do not complete the second electronic education, the exploration based on the results, a log collecting means for recording the access log for the management object file to collect from the user terminal, the access to the management object file And a management means for changing / setting the security level of the user terminal based on the security level and changing the operation restriction of the user terminal according to the security level. .

  [4] In the management system of the present invention, in the above [2] or [3], the security level is set high for the user terminal on which the management unit has executed the processing / operation related to the management target file. The operation restriction of the user terminal is tightened while the security level is set low for the user terminal that has not executed the process / operation related to the management target file for a predetermined period of time. It is characterized by releasing or relaxing the restriction.

  [5] The management system according to the present invention provides the management system according to any one of [2] to [4], in which the management unit has the security level for the user terminal having the management target file in the storage unit. Is set high to tighten the operation restriction of the user terminal, while the user terminal that does not have the management target file in the storage unit is set to a low security level to operate the user terminal. It is characterized by releasing or relaxing the restriction.

  [6] The management system of the present invention is used in any one of the above [2] to [5], wherein the management means is not set with an encryption function for automatically encrypting a file sent to the outside. For a user terminal, the security level is set high to tighten the operational restrictions of the user terminal, while for the user terminal set with the encryption function, the security level is set low to use the user terminal. It is characterized in that the operation restriction on the user terminal is released or relaxed.

  [7] In the management system of the present invention, in any one of the above [2] to [6], the security means sets the security level high for a user terminal that is accessing a browsing prohibited site. While restricting the operation restrictions of the user terminal, the user terminal that does not access the browsing prohibited site is set to a low security level to release or relax the operation restriction of the user terminal. It is characterized by that.

  [8] In the management system of the present invention, in any one of the above [2] to [7], the management means restricts or prohibits the Internet connection of the user terminal as the operation restriction of the user terminal. It is characterized by that.

  [9] In the management system of the present invention, in any one of the above [2] to [8], the management unit displays the contents of the management target file on the user terminal as an operation restriction on the user terminal. At the time, the personal information element or the confidential information element in the content is masked and displayed.

  [10] In the management system of the present invention, in any one of the above [2] to [9], the management unit prints the contents of the management target file in the user terminal as an operation restriction of the user terminal. In this case, the personal information element or the confidential information element in the content is mask-printed.

  [11] The management system according to the present invention provides the management system according to any one of the above [2] to [10], in which when the management unit restricts the operation of the user terminal, the user terminal performs the search by the search unit. The search of the storage unit is executed, and the result of the search is transmitted to the management server by the transmission means.

[12] The management server of the present invention is connected to a user terminal via a network so as to be able to communicate with each other, and the management target file has a predetermined number or more of personal information elements or confidential information elements in the user terminal Management information collecting means for collecting environmental information related to the management conditions in each of the plurality of user terminals from each user terminal to the management server, and items related to the management conditions. Electronic education control means for causing the plurality of user terminals to perform electronic education including, and based on the environmental information in each user terminal collected by the environmental information collection means after electronic education by the electronic education control means, user terminal and determining means for determining whether meets the management condition for the user terminal is determined not to satisfy the control conditions, the user Log collecting means for collecting and recording an access log for the management target file from the user terminal based on a search result of the management target file searched by the searching means from data in the storage unit at the end; , based on the access log for the management object file, the security level of the user terminal to change and set, equipped with a management means for changing the operation restriction of the user terminal in accordance with the security level configuration It is characterized by being.

[13] A management program of the present invention is connected to a plurality of user terminals so as to be able to communicate with each other, and manages the plurality of user terminals according to a management condition predetermined as a usage state of the user terminals. Management program for causing a computer to function as a server, environmental information collecting means for collecting environmental information related to management conditions in each of the plurality of user terminals from each user terminal to the management server, and each user terminal based on the collected the environment information from the electronic each user terminal including matters related to the management condition in response to said determining means for determining whether meets the control conditions, or the determination result satisfies the control conditions electronic educational control means for executing the teaching to the plurality of user terminals, the user terminals that do not complete the electronic education, the data in the storage unit of the user terminal Probed by probing means from the log collecting means for the access log for the management object file records collected from the user terminal based on the results of the exploration of the management object file, the access log for the management object file The computer is caused to function as management means for changing the operation restriction of the user terminal according to the security level of the user terminal determined based on the above.

[14] A management program according to the present invention is connected to a plurality of user terminals so as to communicate with each other, and manages the plurality of user terminals according to management conditions predetermined as usage states of the user terminals. as a server, a management program for causing a computer to function, the environment information relating to the management conditions in each of the plurality of user terminals, environmental information collection means for collecting the said management server from each user terminal, the management condition Electronic education control means for causing the plurality of user terminals to perform electronic education including such matters , based on the environmental information in each user terminal collected by the environmental information collection means after electronic education by the electronic education control means , determination means for each user terminal to determine whether meets the management condition for the user terminal that is judged not to satisfy the control conditions A log that collects and records an access log for the management target file from the user terminal based on the search result of the management target file searched by the search means from the data in the storage unit of the user terminal collecting means, based on the access log for the management object file, the security level of the user terminal to change and set, the computer as a management means for changing the operation restriction of the user terminal in accordance with the security level Is made to function.

  [A] In the above management system, management program or management server, the plurality of user terminals are connected to a common local area network to constitute an internal system, and the management server is connected to the local area network And the plurality of user terminals are communicably connected to each other via the external communication network and the local communication network, and the evaluation unit of the management server evaluates the security level of the plurality of user terminals. By doing so, the evaluation level of the entire internal system may be evaluated.

  [B] In the above management system, management program, or management server, the evaluation means in the management server is based on a ratio of user terminals satisfying the at least one management condition among the plurality of user terminals. Thus, the evaluation levels for the plurality of user terminals may be digitized for evaluation.

[C] In the management system or management program or management server described above, a ratio of user terminals satisfying the at least one management condition among the plurality of user terminals;
Based on the importance of the management condition, the evaluation levels for the plurality of user terminals may be converted into numerical values and evaluated.

  [D] In the above management system, management program, or management server, a plurality of management conditions for evaluating the evaluation level are set in advance, and the importance of the plurality of management conditions is higher than that of other management conditions. Is set in advance as important management conditions, and the evaluation means in the management server first determines whether or not each of the plurality of user terminals satisfies the important management conditions, and the plurality of users If even one of the terminals does not satisfy the important management condition, the evaluation level for the plurality of user terminals is determined as the lowest level, while one user terminal does not satisfy the important management condition. If there is no device, based on the percentage of user terminals that satisfy at least one of the management conditions other than the important management conditions The valuation of a plurality of user terminals may be evaluated by digitizing.

[E] In the above management system, management program, or management server, the management condition may be a desired use condition or use state of the user terminal determined by the administrator side.
(1) The security software is installed on the user terminal and turned on.
(2) The security patch update information of the security patch update software as security countermeasure software on the user terminal is the latest.
(3) The update information of the virus definition file of the antivirus software as the security software on the user terminal is the latest.
(4) Dangerous software is not installed on the user terminal,
(5) User terminal does not have unauthorized copy,
It is preferable that at least one of them is included.

In the above management system or management program or management server, the management condition further includes:
(a) No software other than licensed software is installed on the user terminal,
(b) No prohibited software is installed on the user terminal,
(c) No data for software other than licensed software is stored on the user terminal,
(d) No data for prohibited software is stored in the user terminal.
(e) No sharing settings that are not permitted to be used on the user terminal,
(e) No unauthorized folder has been created on the user terminal,
(f) Peripheral devices other than authorized peripheral devices are not connected to the user terminal,
(g) No prohibited peripheral devices are connected to the user terminal,
It is preferable that at least one of them is included.

[F] In the above management system, management program, or management server, the environment information collection unit includes an environment information collection agent file transmission unit and an environment information reception unit in the management server, and an environment in each of the plurality of user terminals. The environment information collection agent file transmission means in the management server collects the environment information and notifies the management server of the collection result to each of the plurality of user terminals. The environment information collection agent file to be executed is transmitted to the plurality of user terminals, and the environment information collection agent file execution means in each user terminal receives the environment information collection agent file transmitted from the management server. By executing it, the user terminal The environmental information is collected, the collection result is transmitted to the management server for notification, and the environmental information receiving means in the management server receives the environmental information transmitted from each user terminal, and the evaluation means Or you may comprise so that it may hand over to this judgment means.

  [G] In the above management system, management program, or management server, the first electronic education control means in the management server conducts electronic education on security including matters relating to the at least one management condition to the plurality of users. First electronic education agent file creation / holding means for creating or holding a first electronic education agent file to be executed by each terminal, and the first electronic education agent file creation / holding means First electronic education agent file transmission means for transmitting an electronic education agent file to the plurality of user terminals, and each of the plurality of user terminals is transmitted from the management server to the first electronic education agent file. By executing the agent file, the user terminal It said at least one electronic education about security, including the matters relating to the control conditions may include a first electronic educational agent files execution means for executing to the user of the user terminal.

  [H] In the above management system, management program, or management server, the second electronic education control means in the management server performs electronic education on matters related to management conditions determined not to be satisfied by the determination means. A second electronic education agent file creation / holding means for creating or holding a second electronic education agent file to be executed by the user terminal determined not to satisfy the management condition by the determination means; and the second electronic education A second electronic education agent file transmitting means for transmitting the second electronic education agent file created / held by the agent file creating / holding means to the user terminal; Execute the second electronic education agent file sent from the server The second electronic education agent file execution means for executing electronic education on the matters relating to the management conditions determined not to be satisfied by the determination means in the user terminal for the user of the user terminal May be provided.

  [I] In the management system or management program of the items [1] to [12] and [A] to [H], the evaluation unit in the management server is periodically collected by the environmental information collection unit. Based on the environmental information, periodically evaluates the evaluation level for the plurality of user terminals, and the notification means in the management server sends the periodic evaluation results to the users of the plurality of user terminals and Alternatively, the administrator may be notified.

[J] The management server of the present invention is connected to a plurality of user terminals so as to communicate with each other, and manages the plurality of user terminals. Environment information is stored in each of the plurality of user terminals. Environment information collection agent file transmission means for transmitting an environment information collection agent file for executing collection and notification of the collection result to the management server to the plurality of user terminals, the environment transmitted from each user terminal Environment information receiving means for receiving information, first electronic education control means for causing the plurality of user terminals to perform electronic education on security including matters relating to at least one management condition, electronic by the first electronic education control means It is received by the environment information receiving means according to the environment information collecting agent file transmitted by the environment information collecting agent file transmitting means after education. Based on the environment information in each user terminal, a determination means for determining whether or not each user terminal satisfies the at least one management condition, and a use determined by the determination means that the management condition is not satisfied E-education on matters relating to the management conditions to the warning means for issuing a warning to the user and / or the administrator of the user terminal, and the user terminal determined to not satisfy the management conditions by the determination means Second electronic education control means for executing the electronic file, even if an electronic file writing or transmission command is issued to the user terminal determined to not satisfy the management conditions by the judging means Alternatively, it may be configured with operation restriction control means for stopping transmission.

According to the management system, management server, and management program of the present invention described above, at least one of the following effects or advantages can be obtained.
(I) At least one management condition (for example, at least one of the above items (1) to (5) or the above items (1) to (5) and (a) to (g)) in each user terminal After executing the electronic education on security including matters concerning at least one of the above, environmental information on each user terminal is collected from each user terminal to the management server and collected on this management server Based on the environmental information, it is determined whether each user terminal satisfies the management conditions. For user terminals that are determined not to satisfy the management conditions, Electronic education is executed. In other words, if there is a violation of management conditions after e-education for security in general, the violation is likely due to the intention of the user, and e-learning about violations is executed for the violating user. Will be.

  Therefore, electronic education to ensure security for users can be conducted thoroughly and thoroughly in accordance with the actual situation of each user terminal, raising the user's awareness of security, and ensuring a safe environment in the internal system of companies, etc. Can further contribute to securing and maintaining In other words, since it is possible to conduct electronic education for violations that are likely to have been intentionally performed by users after electronic education on security in general, thorough user education (employee education) It will be possible to do this, and it will contribute to securing and maintaining a safe environment for the internal system.

  (Ii) Environmental information in each of the plurality of user terminals is collected from each user terminal to the management server, and in this management server, the plurality of user terminals are based on the collected environment information in each user terminal. The evaluation level of the system, that is, the security status of the internal system in the company or the like is evaluated, and the evaluation result is notified to the user and the administrator. As a result, a service that evaluates the security status of internal systems in a company, etc., can be provided to the company, etc., even if there is no system administrator in place, and the manager and administrator are indifferent to security measures. Even so, the security status of internal systems and terminals can be grasped extremely accurately and easily, raising the security awareness of managers, administrators and users, and ensuring a safe environment in internal systems of companies, etc. Can be maintained. In particular, services such as those mentioned above are effective for small and medium-sized enterprises that are not as conscious of security as large enterprises. By using this service, managers and managers of such small and medium-sized enterprises can use their services. The system security status and electronic education can be done very easily and thoroughly.

(Iii) In the management server, at least one management condition among a plurality of user terminals (
For example, a user terminal satisfying at least one of the items (1) to (5) or at least one of the items (1) to (5) and (a) to (g) It is possible to evaluate the evaluation levels of a plurality of user terminals (internal systems) by quantifying them based on the ratio of the above or based on the ratio and the importance of each management condition. When performing quantification / evaluation based only on the above ratio, for example, management of at least one of the above items (1) to (5) or the above items (1) to (5) and (a) to (g) If the percentage of user terminals that satisfy at least one of the conditions is 100%, the highest evaluation is given. Hereinafter, a graded evaluation level corresponding to the ratio may be given to the internal system to be evaluated. it can. That is, a higher evaluation level can be given to a system with more user terminals that satisfy the management conditions, and an evaluation according to the level of safety can be given to the internal system to be evaluated. In addition, by quantifying / assessing based on the importance of management conditions, for systems with user terminals that do not satisfy management conditions with high importance,
A low evaluation level can be given, and an evaluation according to the high safety can be given to the internal system to be evaluated.

  (Iv) at least of a plurality of management conditions (for example, the above items (1) to (5), or at least one of the above items (1) to (5) and (a) to (g)), for example. On the other hand, if the importance for ensuring the safety of the internal system is extremely high, by setting the management condition as an important management condition, if there is even one user terminal that does not satisfy the important management condition Regardless of the ratio of other items, by assigning a low evaluation level to the internal system to be evaluated, the evaluation level (security status) of the internal system to be evaluated can be easily and reliably evaluated.

  (V) Sending environment information collection agent files from the management server to a plurality of user terminals and causing the environment information collection agent file to be executed on each user terminal to collect environment information on the user terminals in the management server. Is possible. Therefore, the management server creates an environment information collection agent file, and transmits the environment information collection agent file to a plurality of user terminals belonging to the internal system to be evaluated at the same time. Environmental information can be collected very easily.

  (Vi) The first or second electronic education agent file is transmitted from the management server to the user terminal, and the first or second electronic education agent file is executed on each user terminal, so that electronic education or violations related to security in general. It is possible to cause the user of the user terminal to perform electronic education on matters. Therefore, the management server can send electronic education about security in general to multiple user terminals by simply sending the first electronic education agent file to multiple user terminals belonging to the internal network to be evaluated. In addition, the second electronic education agent file can be transmitted to the violator's user terminal, and electronic education about violations for the violator can be executed very easily.

(Vii) Based on the environmental information collected regularly, evaluate the evaluation level for multiple user terminals (evaluation target internal systems) regularly, and the periodic evaluation results for multiple user terminals By notifying users and administrators, the users and administrators can periodically grasp the security status of the internal system and contribute to ensuring and maintaining a safe environment for the internal system. Become.

  (viii) On the user terminal determined by the management server that the management conditions are not satisfied, the management target file (file containing personal information, confidential information, etc.) is searched for, and the result of the search by the management server (management means) And / or the user terminal is managed based on the access log for the management target file. More specifically, the security level of the user terminal is changed / set based on the search result and the access log, and the operation restriction of the user terminal is changed according to the security level, and the management target file itself and its management are changed. Information included in the target file is prevented from leaking from the user terminal. As a result, even if personal information and confidential information are distributed and stored in multiple user terminals, each user terminal can be managed without human cooperation and without placing a special burden on the person in charge. Thus, the state of the management target file can be managed, and the inadvertent leakage / leakage or unauthorized use of personal information or confidential information can be surely prevented.

  In this case, as a management server, access to the management target file is not performed only for all user terminals, but for user terminals that violate the management conditions and user terminals that have not completed the predetermined electronic education (second electronic education). Since management based on logs is sufficient, efficient and leak-free management can be performed.

  In addition, in the user terminal that satisfies the management condition, the operation restriction of the user terminal according to the security level does not occur, so that there is no problem with the normal use of the user terminal.

  (Ix) When the first electronic education and the second electronic education are provided in stages, the files to be managed (including personal information and confidential information) are sent to the user terminal that executes the second electronic education. The file is searched, and the user terminal is managed by the management server (management means) based on the search result and / or the access log for the management target file. More specifically, the security level of the user terminal is changed / set based on the search result and the access log, and the operation restriction of the user terminal is changed according to the security level, and the management target file itself and its management are changed. Information included in the target file is prevented from leaking from the user terminal.

  In this case, the management server only needs to perform management based on the access log for the management target file not only for all user terminals but only for user terminals that violate the management conditions for which the second electronic education has not been completed. Efficient and leak-free management.

  In addition, user terminals that have only received the first electronic education without receiving the second electronic education do not have any restrictions on the operation of the user terminal according to the security level. Never come.

  In addition, user terminals that are likely to cause inadvertent outflow / leakage or unauthorized use of managed files (for example, terminals that have executed processing / operations related to managed files, and have managed files in storage For terminals that do not have the encryption function set, terminals that access browsing-prohibited sites, etc., set a high security level to restrict operation on user terminals (for example, user terminals) Internet connection restrictions / prohibition, personal information element / confidential information element mask display and mask printing, etc., while user terminals with a low possibility are set to a low security level. By removing or relaxing the operation restrictions, it is possible to provide an environment where the terminal can be used efficiently when the above possibility is low. Therefore, users will voluntarily move their terminals to a state with a low possibility, and more reliably prevent inadvertent leakage / leakage or unauthorized use of personal information or confidential information. be able to.

  Furthermore, when restricting the operation of the user terminal, the user terminal is searched for the storage unit, and the result of the search is transmitted to the management server. On a user terminal that is highly likely to be leaked or illegally used, the management target file (file containing personal information, confidential information, etc.) is searched again. As a result, the management target file in the user terminal with the high possibility can be surely put under the management of the management server, personal information or confidential information is inadvertently leaked or leaked, or personal information or confidential information is illegal. Use and the like can be prevented more reliably.

Embodiments of the present invention will be described below with reference to the drawings.
[1] Configuration of this embodiment:
[1-1] Schematic configuration of management system:
FIG. 1 is a block diagram showing the configuration of a management system 1 such as a security management service providing system and a personal / confidential information management system as an embodiment of the present invention. As shown in FIG. The system 1 includes a management server 20 in addition to a plurality of user terminals 11, and these terminals 11 and the server 20 are connected to each other via an external communication network 30 serving as a network.

  Each user terminal 11 is constituted by a terminal device such as a personal computer (PC) used by each employee (user) in an in-company system such as a company, and has a functional configuration as described later. . Each user terminal 11 in the present embodiment is installed with a program (described later) for realizing various functions (described later) including searching for a personal information file and a confidential information file from the management server 20 as described later. Is.

In this embodiment, personal information and confidential information (collectively, personal / confidential information) are prevented from being leaked or illegally used. For the sake of explanation, personal information will be used as a specific example. Although specific explanation will be given, it is also applied to confidential information in the same manner as in the case of personal information.

[1-3] General operation of management system:
The management system according to the present embodiment operates as a security management service providing system or an information management system. As shown in FIG. 2A, security management (1) (step S1001 in FIG. 2). The environmental information is collected at the user terminal 11 and the security is thereby evaluated. Based on the evaluation result, personal / confidential information management (step S1002 in FIG. 2) is performed. Collecting access logs to information files and confidential information, setting security levels, restricting various operations, and providing electronic education based on the evaluation results as security management (2) (step S1003 in FIG. 2) The result notification is performed.

  Further, the management system of the present embodiment operates as a security management service providing system or an information management system, and as shown in FIG. 2B, security management (step S1001 ′ in FIG. 2). Collecting environmental information in the user terminal 11 and evaluating security based thereon, providing electronic education based on the evaluation result, notifying the result, and managing personal and confidential information based on the evaluation result ( Step S1002) in FIG. 2 searches for personal / confidential information, collects access logs to personal / confidential information files, sets security levels, and restricts various operations.

  The flowchart in FIG. 2 shows the overall schematic operation of the management system 1, and includes security management (steps S1001, 1003, 1001 ′ in FIG. 2) and personal / confidential information management (in FIG. 2). Details of each operation such as step S1002) will be described later.

[1-3] Detailed configuration of management system (security management service providing system):
FIG. 3 is a block diagram showing the configuration of a management system (management server and user terminal) 1 as an embodiment of the present invention. As shown in FIG. 3, the management system (security management service providing system) of this embodiment is shown in FIG. ) 1 receives the request of the administrator (system manager, manager of the company, etc.) of the in-company system 10 and performs security management of the in-company system 10 that is an evaluation target (managed object) by the management server 20 described later. A service (security management service) for providing electronic education and preventing information leakage is provided to the in-company system 10.

  Therefore, in the system 1 of the present embodiment, as shown in FIG. 3, a plurality of in-company systems 10 that can be evaluated and a plurality of user terminals 11 belonging to each in-company system 10 to provide the service. A management server (security management service providing server) 20 that can be managed is connected to be communicable with each other via an external communication network 30. Here, the external communication network 30 includes the Internet, a public line network, and the like.

  In an in-house system (internal system) 10, a plurality of user terminals 11 are connected to be communicable with each other via a common local area communication network LAN 12, and a proxy server 13 and a printer 19 are connected to the LAN 12. It is connected.

  Each user terminal 11 is connected to the external communication network 30 via the LAN 12 and the proxy server 13 so as to be communicably connected to various external servers (including the management server 20). That is, each user terminal 11 and the management server 20 are configured to be communicable with each other via the LAN 12, the proxy server 13, and the external communication network 30.

  Each user terminal 11 belonging to the in-company system 10 is a personal computer or the like used / carried by a user who is an employee of the company, and includes a storage unit (not shown) such as a hard disk and an agent file described later. A processing unit (CPU) 110 that can function as execution means 111, 112, 113, and 119 described later by executing various programs is provided.

  In addition, the management server 20 is connected to each user terminal 11 belonging to a plurality of in-company systems 10 that can be evaluated as described above so as to be able to communicate with each other. Provides management service and personal / confidential information management service. Environment information collection agent file transmission means 21, environment information reception means 22, evaluation means 23, evaluation result notification means 24, first electronic education control means 25, determination means 26, the warning means 27, the second electronic education control means 28, and the operation restriction control means 29.

  The functions of these means 21 to 29 are realized by executing a management program (security management service providing program) installed in advance by a processing unit (CPU; not shown) constituting the management server 20. .

  The environment information collection agent file transmission means 21 transmits the environment information collection agent file to each of the plurality of user terminals 11 in the evaluation target system 10 by attaching it to an e-mail or the like. At this time, information (e-mail address, etc.) related to each user terminal 11 of the transmission destination is received together with a security management request from the administrator of the in-company system 10. The environment information collection agent file to be transmitted to each user terminal 11 is once transmitted to the management terminal or the like (not shown) of the in-company system 10 by the environment information collection agent file transmission means 21, and the management terminal Or the like may be transmitted to each user terminal 11 through the LAN 12.

  In the management server 20, a process (task) desired to be executed by each user terminal 11 is created in advance as an agent file, and the agent file is stored in the storage unit or the like. Here, the environment information collection agent file causes each user terminal 11 to execute a process of collecting environment information in each user terminal 11 and a process of notifying the collection result to the management server 20.

  The management server 20 is connected to a plurality of user terminals 10 so as to be able to communicate with each other via the network 30, and manages the personal information file in each user terminal 10 as a management target file. It also has a functional configuration as a server (a server that manages access to a management target file).

Here, in the present embodiment, the management target file means an electronic file having a predetermined number or more of personal information elements or confidential information elements. In other words, the personal information file as the management target file in the present embodiment has a predetermined condition that it has a predetermined number or more of personal information elements that can identify a specific individual. 1100), and as described above, personal information is information (a variety of personal information elements) that can identify a specific individual by itself or in combination, such as name, date of birth, and contact information. (Address, whereabouts, telephone number, e-mail address). In addition to these, personal information includes title, basic resident register number, account number, credit card number, license number, passport number, and the like.

  The environment information collection agent file transmitted to each user terminal 11 is automatically or on the user terminal 11 when the user performs a predetermined operation (for example, a double click operation with a mouse) on the file. It is executed by the processing unit 110. That is, the processing unit 110 functions as the environment information collection agent file execution unit 111, and the environment information in the user terminal 11 is collected along with the execution operation, and the collection result is the LAN 12, the proxy server 13, and the external communication. The information is transmitted / notified to the management server 20 through the network 30.

  Here, the environment information collected in each user terminal 11 is information (operating information / inventory information / execution environment information) related to the operating environment in each user terminal 11, and an evaluation process in the evaluation unit 23 as described later. And information necessary for the determination process in the determination means 26 (information related to the contents of management conditions described later; for example, information related to all software installed in each user terminal 11) and information related to managed files However, if necessary, it is possible to collect the following information regarding hardware resources and software resources in the user terminal 11 as environmental information.

  As information about hardware resources, for example, computer name / OS / CPU / CPU speed / keyboard type / physical memory / available memory / video card / resolution / printer / swap size / domain name / logon user name / model name / Network card / MAC address / IP address / Net mask / Default gateway / DNS server / Socket version / Total capacity and free space for each local drive / BIOS version / BIOS manufacturer / machine manufacturer / machine name / machine serial machine UUID / motherboard manufacturer Information on name / motherboard name / CPU ID and the like.

  As information regarding software resources, information (for example, product name, detailed version, file size, file update date, etc.) regarding software (various application programs) held in the user terminal 11 may be mentioned. If the user terminal 11 has security patch update software (for example, “Windows (registered trademark) Update”) for repairing an OS security hole, the security patch update information (whether it is the latest one or not) Whether or not) is also collected. In addition, when the user terminal 11 has anti-virus software (for example, “Norton AntiVilus (registered trademark)” etc.), the update information of the virus definition file in the anti-virus software (whether it is the latest or not) Is also collected. Furthermore, when the user terminal 11 has security software such as security patch update software, anti-virus software, anti-spyware software, etc., the setting status (security setting; on / off status, etc.) is also included. Collected.

The environment information receiving means 22 receives the environment information transmitted from each user terminal 11 and passes it to the evaluation means 23 and the judging means 26.
In the management system 1 of the present embodiment, the environment information collection agent file transmission unit 21 and the environment information reception unit 22 in the management server 20 and the environment information collection agent file execution unit 111 in each user terminal 11 provide a plurality of users. Environmental information collecting means for collecting environmental information in each terminal 11 from each user terminal 11 to the management server 20 is configured.

  The evaluation means 23 is based on the environmental information in each user terminal 11 collected by the environmental information collecting means, that is, the environmental information in each user terminal 11 of the in-company system 10 received by the environmental information receiving means 22. By evaluating whether each user terminal 11 satisfies at least one management condition (described later) and quantifying the degree of safety for the plurality of user terminals 11, the overall evaluation level of the in-company system 10 is determined. (Evaluation level of security status) is evaluated and determined.

  At that time, as will be described later with reference to FIG. 5, the evaluation means 23 is the proportion of the user terminals 11 that satisfy at least one management condition (described later) among the plurality of user terminals 11 in the in-company system 10. The degree of safety may be quantified based on the above, or as described later with reference to FIGS. 6 and 7, the degree of safety may be quantified based on the ratio and the importance of management conditions (described later). Good.

  And the evaluation means 23 of this embodiment determines the evaluation level of the security condition of the in-company system 10 step by step according to the result of quantifying the degree of safety (the ratio P and evaluation value V described later). It has become. For example, the evaluation level is 5 levels of 1 to 5, the evaluation level is “5” when the safety level of the in-company system 10 is the highest, and the evaluation level is “1” when the safety level of the in-company system 10 is the lowest. To do.

  Moreover, the management conditions mentioned above mean the desirable use conditions or use states of the user terminal determined by the administrator, and specifically include the following items (1) to (5). Any of the management conditions is such a condition that the degree of safety is higher when each user terminal 11 satisfies the management condition than when the user terminal 11 does not satisfy the management condition.

(1) The security software is installed on the user terminal 11 and turned on.
(2) The security patch update information of the security patch update software as the security countermeasure software in the user terminal 11 is the latest.

(3) The update information of the virus definition file of the antivirus software as the security countermeasure software in the user terminal 11 is the latest.
(4) No dangerous software is installed on the user terminal 11. Examples of dangerous software include virtual VPN software, P2P software, spyware, and file exchange software (for example, Winny).

(5) The user terminal 11 does not have an unauthorized copy of software or the like.
Alternatively, the management conditions include the following items (a) to (g) in addition to the above (1) to (5) as desirable usage conditions or usage states of the user terminal determined by the administrator. Any of the management conditions is such that the degree of safety is higher when each user terminal 11 satisfies the management condition than when the user terminal 11 does not satisfy the management condition.

(a) No software other than licensed software is installed on the user terminal,
(b) No prohibited software is installed on the user terminal,
(c) No data for software other than licensed software is stored on the user terminal,
(d) No data for prohibited software is stored in the user terminal.
(e) No sharing settings that are not permitted to be used on the user terminal,
(e) No unauthorized folder has been created on the user terminal,
(f) Peripheral devices other than authorized peripheral devices are not connected to the user terminal,
(g) No prohibited peripheral devices are connected to the user terminal,
In addition, this management condition satisfies which item among the above items (1) to (g), or how many items, as a desirable use condition or use state of the user terminal determined by the administrator You may decide.

  In addition, the management condition may be set uniformly for a plurality of user terminals, may be set for each user terminal, or may be changed according to the situation. Also good.

  Here, “change according to the situation” means that more strict management conditions are set for user terminals that violate the management conditions, or more strict management conditions are set for user terminals that hold personal information. And, conversely, loosely setting management conditions for user terminals that do not have violations or possess personal information.

When the evaluation means 23 performs the evaluation process by the method shown in FIG. 5 or FIG. 6, all the management conditions of these items (1) to (5) or (1) to (5) and (a) to (g) are set. The evaluation level may be determined by calculating the proportion of the user terminals 11 that satisfy, or the management conditions of these items (1) to (5) or (1) to (5) and (a) to (g) The evaluation level may be determined by calculating the ratio of the user terminals 11 that satisfy at least one of the above. When performing the evaluation process by the method shown in FIG. 6, as described later, item (1)
~ (5) or (1) ~ (5) and at least one of the management conditions of (a) ~ (g) shall be extremely important to ensure the safety of the corporate system 10 The important management conditions are set in advance.

  When the evaluation process is performed by the method shown in FIG. 7, the safety of the internal system 10 with respect to each management condition (1) to (5) or (1) to (5) and (a) to (g). An importance level for ensuring the security level is set. In this case, the importance Mi (i = 1 to 5) as a weight used for calculating an evaluation value V to be described later with reference to FIG. 7 is the management condition (1) to (5) or (1). It is preset for each of (5) and (a) to (g). The importance Mi is set so as to increase as the necessity of satisfying the management condition in order to ensure the safety of the internal system 10 increases.

  The evaluation result notifying means (notifying means) 24 sends the evaluation result (including the calculated ratio, table value, and evaluation level) obtained by the evaluating means 23 to each user terminal 11 or a terminal such as an administrator (not shown). ) To be displayed and notified to the users and managers of the plurality of user terminals 11 (such as the manager of the in-company system 10).

  When a periodic evaluation is requested in the evaluation request (security management request) of the in-company system 10, in the management system 1 of the present embodiment, the environment information of each user terminal 11 of the in-company system 10 is the above. It is periodically collected by the environmental information collecting means, and the evaluating means 23 periodically determines the degree of safety (security level evaluation level) for the plurality of user terminals 11 (in-house system 10) based on the periodic collection results. The evaluation result notifying means 24 notifies the periodic evaluation results to the managers and users of the plurality of user terminals 11 and displays them on the terminals of the managers and the user terminals 11. .

The first electronic education control means 25 is an electronic education (e-learning) on security including at least the matters relating to the management conditions (1) to (5) or (1) to (5) and (a) to (g). In other words, the electronic education about security in general when using the in-company system 10 is executed by the plurality of user terminals 11 belonging to the in-company system 10, and the first electronic education agent file creating / holding means 251 and The first electronic education agent file transmission means 252 has a function.

  The first electronic education agent file creation / holding means 251 generates a first electronic education agent file that causes each of a plurality of user terminals 11 belonging to the in-company system 10 to execute electronic education about security in the in-company system 10 in general. Create or hold. As described above, in the management server 20, a process (task) desired to be executed by each user terminal 11 is created as an agent file.

  Here, the first electronic education agent file is for causing each user terminal 11 to perform electronic education about the overall security in the in-company system 10, and the first electronic education agent file creation / holding means 251 as necessary. The first electronic education agent file for security in general in the in-company system 10 may be created in advance and held in the first electronic education agent file creation / holding means 251.

  The first electronic education agent file transmission means 252 attaches the first electronic education agent file created or held by the first electronic education agent file creation / holding means 251 to an e-mail after creation or reading. Are transmitted to a plurality of user terminals 11 in the system 10 to be evaluated. At this time, information (email address and the like) related to each user terminal 11 as the transmission destination is received together with a security management request from the administrator of the in-company system 10 as described above. The first electronic education agent file to be transmitted to each user terminal 11 is once transmitted to the management terminal or the like (not shown) of the in-company system 10 by the first electronic education agent file transmission means 252. You may transmit to each user terminal 11 via LAN12 from a management terminal.

  Note that the first electronic education control means 25 in this embodiment is obtained by the evaluation means 23 in addition to the functions described above (functions used in steps S107 and S108 in FIG. 4 as described later with reference to FIG. 4). It also has a function of causing a plurality of user terminals 11 belonging to the in-company system 10 to execute electronic education (e-learning) corresponding to the obtained evaluation result (evaluation level or the like). As will be described later with reference to FIG. 4, this function is used in the processing in steps S118 and S119 in FIG. 4, but can also be used in the processing in steps S107 and S108 in FIG.

  In this case, the first electronic education agent file creation / holding means 251 is an electronic that causes each of the plurality of user terminals 11 belonging to the in-company system 10 to execute electronic education according to the evaluation result obtained by the evaluation means 23. Create or maintain educational agent files. This electronic education agent file causes each user terminal 11 to execute electronic education according to the evaluation result by the evaluation means 23. When the evaluation result is obtained, the first electronic education agent file creation / holding means 251 Alternatively, an electronic education agent file corresponding to the evaluation result may be created in advance for each evaluation result and held in the first electronic education agent file creation / holding means 251. The first electronic education agent file transmission means 252 then sends the electronic education agent file according to the evaluation result created or held by the first electronic education agent file creation / holding means 251 to the first electronic education agent described above. Similar to the transmission of a file, it is transmitted to a plurality of user terminals 11 in the system 10 to be evaluated by attaching it to an e-mail after creation or reading.

The first electronic education agent file transmitted to each user terminal 11 or the electronic education agent file according to the evaluation result is automatically or the user performs a predetermined operation (for example, double-clicking with the mouse). When the operation is performed, it is executed by the processing unit 110 on the user terminal 11. That is, the processing unit 110 functions as the first electronic education agent file execution unit 112, and in accordance with the execution operation, the electronic corresponding to the electronic education or the evaluation result of the overall security in the in-company system 10 at the user terminal 11 is performed. Education is executed for the user of the user terminal 11.

  At this time, the first electronic education agent file execution means 112 in each user terminal 11 manages information regarding whether or not the electronic education has been completed in each user terminal 11 through the LAN 12, the proxy server 13, and the external communication network 30. It may be configured to transmit / notify to the server 20 or notify the administrator of the in-company system 10 or the like. As a result, the management server 20, the administrator, and the like can grasp the user (employee) who has performed electronic education / the user (employee) who has not performed electronic education, and can perform more thorough electronic education. .

  In addition, the electronic education is used so that the operation of the electronic education (electronic education for security in general or electronic education according to the evaluation result) is not terminated until the user completes and completes the electronic education in each user terminal 11. It may be configured to force the person to execute. Thereby, electronic education can be executed reliably and thoroughly regardless of the user's will and consciousness.

  Furthermore, the user terminal 11 that has completed the electronic education displays a completed desktop stamp indicating that the electronic education has been completed on the desktop, while the user terminal 11 that has not completed the electronic education displays the desktop. In addition, an incomplete desktop stamp indicating that the electronic education has not been completed may be displayed in a stamped manner. This desktop stamp (bitmap image) cannot be deleted / moved on the user terminal 11 side, and is pasted on the desktop wallpaper. Therefore, the user can delete the desktop stamp by himself or herself. It cannot be moved, is always displayed on the desktop, and is exposed not only to the user but also to others. Therefore, by displaying the completed desktop stamp and the incomplete desktop stamp on the desktop, it is possible to encourage the user's will and awareness to voluntarily execute the electronic education, and the electronic education (security E-education in general or e-education according to evaluation results) can be executed reliably and thoroughly.

  When all of the plurality of user terminals 11 belonging to the in-company system 10 satisfy the above management conditions, electronic education for each user terminal 11 (according to electronic education and evaluation results for overall security) However, even in such a case, it is preferable to conduct electronic education to confirm and re-recognize security.

  The determination means 26 is based on the environmental information in each user terminal 11 collected periodically by the environmental information collecting means described above after the first electronic education control means 25 performs electronic education on the plurality of user terminals 11. Whether each user terminal 11 satisfies at least the management conditions (1) to (5) or (1) to (5) and (a) to (g) (whether or not a management condition is violated) ).

  The warning unit 27 issues a warning indicating that the management condition is violated to the user or the administrator of the user terminal 11 that is determined not to satisfy the management condition by the determination unit 26. Is transmitted to the terminal of the violator's user terminal 11 or a terminal of the manager or the like and displayed, and a warning is given to the violator or the manager (such as the manager of the in-company system 10).

The second electronic education control means 28 causes the user terminal 11 determined not to satisfy the management conditions by the determination means 26 to execute electronic education on matters relating to the management conditions (violation management conditions). It has functions as second electronic education agent file creation / holding means 281 and second electronic education agent file transmission means 282.

  The second electronic education agent file creation / holding means 281 performs detailed electronic education on matters relating to management conditions (violation management conditions) determined not to be satisfied by the determination means 26 by the determination means 26. The second electronic education agent file to be executed by the user terminal 11 determined not to satisfy the above is created or held. As described above, in the management server 20, a process (task) desired to be executed by each user terminal 11 is created as an agent file.

  Here, the second electronic education agent file causes the user terminal 11 that made the violation to execute detailed electronic education on the matters relating to the violation management condition, and the determination means 26 determined that there was a violation. The second electronic education agent file creation / retention means 281 may be created at the time, or a second electronic education agent file creation / retention means is created in advance for the violator for each management condition. You may hold | maintain to 281.

  The second electronic education agent file transmission means 282 attaches the second electronic education agent file created or held by the second electronic education agent file creation / holding means 281 to the e-mail after creation or reading. , It is transmitted to the user terminal 11 that made the violation. At this time, information (e-mail address, etc.) regarding the user terminal 11 that has violated the transmission destination is already received together with a security management request from the administrator of the in-company system 10 and managed by the management server 20 as described above. It shall be. The second electronic education agent file to be transmitted to the user terminal 11 is once transmitted to a management terminal or the like (not shown) of the in-company system 10 by the second electronic education agent file transmission means 282, and the management is performed. You may transmit to the user terminal 11 applicable via LAN12 from a terminal.

  The second electronic education agent file transmitted to the user terminal 11 is automatically or on the user terminal 11 when the user performs a predetermined operation (for example, a double click operation with a mouse) on the file. It is executed by the processing unit 110. That is, the processing unit 110 functions as the second electronic education agent file execution unit 113, and in accordance with the execution operation, detailed electronic education on matters relating to the violation management condition in the user terminal 11 is performed on the user terminal. It is executed for 11 users (management condition violators).

  At this time, the second electronic education agent file execution means 113 in the user terminal 11 of the violator obtains information regarding whether or not the electronic education has been completed at the user terminal 11 through the LAN 12, the proxy server 13 and the external communication network 30. It may be configured to transmit / notify the management server 20 or notify the administrator of the in-company system 10 or the like. As a result, the management server 20, the administrator, and the like can grasp whether the violator has performed electronic education, and can perform more thorough electronic education.

  Also, do not end the operation of electronic education (detailed electronic education on matters related to violation management conditions) until the violator (user) completes and completes electronic education at user terminal 11 of the violator. You may comprise so that a user may perform electronic education compulsorily. Thereby, regardless of the user's will and consciousness, detailed electronic education on matters related to violation management conditions can be executed reliably and thoroughly.

Further, as in the case where the electronic education using the first electronic education agent file is completed, in the user terminal 11 that has completed the detailed electronic education on the matters relating to the violation management condition, the electronic education is completed on the desktop. The user terminal 11 that has not completed the electronic education is displayed on the desktop with an incomplete desktop stamp indicating that the electronic education has not been completed. May be. As a result, completed desktop stamps and incomplete desktop stamps are stamped on the desktop, enabling users to work on their will and awareness to voluntarily execute electronic education. It is possible to ensure that detailed electronic education on matters related to is executed thoroughly and thoroughly.

  The operation restriction control unit 29 imposes various operation restrictions on the user terminal 11 that is determined not to satisfy the management condition by the determination unit 26. The operation restriction control management unit 290, the operation restriction control agent file creation / It has functions as holding means 291 and operation restriction control agent file transmission means 292.

  Here, when the management condition is not satisfied, the operation restriction control management unit 290 collects and records the access log for the management target file from the user terminal, and records the search result and / or the management target. Management means for changing / setting the security level of the user terminal 11 based on the access log for the file and changing the operation restriction of the user terminal 11 according to the security level.

  Further, the operation restriction control management unit 290 sets the security level high for the user terminal 11 that has executed the processing / operation related to the management target file, and tightens the operation restriction of the user terminal. For the user terminal 11 that has not executed the process / operation related to the management target file for a predetermined period, the security level is set low, and the operation restriction of the user terminal is released or relaxed.

  Further, the operation restriction control management means 290 makes the operation restriction of the user terminal 11 stricter by setting the security level higher for the user terminal 11 having the management target file in the storage unit. On the other hand, for the user terminal 11 that does not have the management target file in the storage unit, the security level is set low, and the operation restriction of the user terminal 11 is released or relaxed.

  In addition, the operation restriction control management unit 290 sets the security level to a high level for the user terminal 11 that is not set with an encryption function for automatically encrypting a file sent to the outside. While restricting the operation restrictions of the terminal, the user terminal 11 to which the encryption function is set is set to a low security level to release or relax the operation restriction of the user terminal.

  Further, the operation restriction control management means 290 sets the security level to be high for the user terminal 11 accessing the browsing prohibited site, and tightens the operation restriction of the user terminal 11. For the user terminal 11 that has not accessed the browsing-prohibited site, the security level is set low, and the operation restriction of the user terminal 11 is released or relaxed.

Further, the operation restriction control management means 290 restricts or prohibits the Internet connection of the user terminal 11 as the operation restriction of the user terminal 11.
Further, the operation restriction control management means 290 displays a mask display of the personal information element or the confidential information element in the contents when the contents of the management target file are displayed on the user terminal 11 as the operation restriction of the user terminal 11. Do.

Further, the operation restriction control management means 290 performs mask printing of the personal information element or the confidential information element in the contents when the contents of the management target file are printed in the user terminal 11 as the operation restriction of the user terminal 11. Do.

  Further, the operation restriction control management means 290, when restricting the operation of the user terminal 11, causes the user terminal 11 to search the storage unit by the search means, and transmits the search result to the transmission terminal. It is transmitted to the management server 20 by means.

  Here, the operation restriction control agent file creation / holding unit 291 collects an access log for the management target file from the user terminal 11 when the determination unit 26 determines that the management condition is not satisfied, An operation restriction control agent file for changing the operation restriction of the user terminal 11 in accordance with the set security level is created or held. As described above, in the management server 20, a process (task) desired to be executed by each user terminal 11 is created as an agent file.

  Here, the operation restriction control agent file collects the access log for the management target file from the user terminal 11 and executes the operation restriction of the user terminal 11 according to the set security level. When the means 26 determines that there is a violation, the operation restriction control agent file creation / holding means 291 may create the action restriction control agent file for the violator in advance for each management condition. The agent file creation / holding unit 291 may hold the file.

  The operation restriction control agent file transmission unit 292 is configured to execute the violation by attaching the operation restriction control agent file created or held by the operation restriction control agent file creation / holding unit 291 to an e-mail after creation or reading. It transmits to the user terminal 11 which performed.

  At this time, information (e-mail address, etc.) regarding the user terminal 11 that has violated the transmission destination is already received together with a security management request from the administrator of the in-company system 10 and managed by the management server 20 as described above. It shall be. The operation restriction control agent file to be transmitted to the user terminal 11 is once transmitted to the management terminal or the like (not shown) of the in-company system 10 by the operation restriction control agent file transmission unit 292, and the management terminal or the like is transmitted. To the corresponding user terminal 11 through the LAN 12.

  The operation restriction control agent file transmitted to the user terminal 11 is processed automatically or when the user performs a predetermined operation (for example, a double click operation with a mouse) on the file. Execution is started in section 110. Then, the processing unit 110 functions as the operation restriction control agent file execution unit 119, and the restriction is executed in the user terminal 11 when a command for various operations set is generated.

  That is, the operation restriction control agent file execution unit 119 in the user terminal 11 executes various operation restrictions in the user terminal 11 and operates as an operation restriction control unit in the user terminal 11.

  Also, do not end the operation of electronic education (detailed electronic education on matters related to violation management conditions) until the offender (user) completes the second electronic education at the user terminal 11 of the offender. The second electronic education may be forcibly executed by the user, and the operation restriction control of the electronic file may be canceled when the second electronic education is completed. Thereby, regardless of the user's will and consciousness, detailed electronic education on matters related to violation management conditions can be executed reliably and thoroughly.

  Furthermore, in the user terminal 11 which has not completed electronic education, at the time of execution of various set operations, an explanatory text with contents indicating that the electronic education has not been completed in accordance with the operation to be used. It is configured to be attached to an electronic file, or to send an explanatory text file indicating that e-education has not been completed, instead of an attached file of an e-mail, to be displayed on a display screen, or to be printed from a printer. May be. As a result, the electronic education incompletion is informed to the surroundings, and as a result, the user can work on the will and awareness of the user to voluntarily execute the electronic education. Detailed electronic education about can be executed reliably and thoroughly.

[2] Operation of embodiment (security management operation):
Next, the operation of the management system 1 of the present embodiment configured as described above will be described with reference to FIG. As described with reference to FIG. 2, the management system 1 of this embodiment is characterized by performing security management and personal / confidential information management. Hereinafter, it demonstrates in order.

[2-1] Security management operation:
[2-1-1] Security evaluation operation:
Here, as security management, security evaluation and electronic education for the user terminal 11 will be described first.

First, the security management operation of the management server 20 of this embodiment will be described with reference to the flowchart shown in FIG. 4 (steps S101 to S124).
As shown in FIG. 4, the management server (security management service providing server) 20 determines whether or not there is a new security management request for the in-company system 10 connected via the external communication network 30, and periodically. Whether or not the evaluation timing has come is monitored regularly (every predetermined control cycle) (steps S101 and S111), and when a new security management request is received from the administrator of the in-house system 10 or the like (in step S101) YES route), the environment information collection agent file is electronically converted by the environment information collection agent file transmission means 21 based on the information (email address etc.) regarding each user terminal 11 of the transmission destination sent together with the security management request. Multiple attachments in the corporate system 10 such as by attaching to an email Sent to each use terminal 11 (step S102).

  Here, according to the flowchart (steps S51 to S54) shown in FIG. 8, the environment information collecting operation of each user terminal 11 in the in-company system 10 of the present embodiment will be described. As shown in FIG. 8, each user terminal 11 monitors whether or not an environment information collection agent file has been received from the management server 20 (step S51), and when an environment information collection agent file is received (step S51). YES route of S51), or automatically or when the user performs a predetermined operation (for example, a double click operation with a mouse) on the file, the environment information collection agent file is processed by the processing unit 110 on the user terminal 11. (Step S52). Thereby, the environment information (asset information / inventory information / execution environment information; information related to the contents of the management condition; for example, information about all software installed in each user terminal 11, Information on peripheral devices such as external storage media connected to the user terminal 11) is collected (step S53), and the collection result is transmitted / notified to the management server 20 through the LAN 12, the proxy server 13 and the external communication network 30. (Step S54).

The management server 20 receives environment information from each user terminal 11 belonging to the in-company system 10 (step S103), and receives environment information from all user terminals 11 belonging to the in-company system 10 (step S103). (YES route of S104), security evaluation by the evaluation means 23 is executed (step S105).

  In step S104, security evaluation is performed when environment information is received from all user terminals 11 belonging to the in-company system 10. However, even if a predetermined time elapses, all user terminals 11 receive the security evaluation. When environment information cannot be received, security evaluation by the evaluation unit 23 may be performed based on environment information received at the time when the predetermined time has elapsed.

  In step S104, it is not determined whether environment information has been received from all the user terminals 11 as described above, but a predetermined number or more or a predetermined ratio of the user terminals 11 belonging to the in-company system 10. It is determined whether or not environmental information has been received from the above user terminals 11, and evaluation is performed based on the received environmental information when environmental information is received from a predetermined number or more or a predetermined ratio of user terminals 11 or more. Security evaluation by means 23 may be performed.

Next, a first example to a third example of the security evaluation method performed by the evaluation unit 23 that can be executed in step S105 will be described with reference to FIGS.
FIG. 5 is a flowchart (steps S21 to S23) for explaining the operation (first example of the security evaluation method) of the evaluation unit 23 in the management server 20 of this embodiment. As shown in FIG. In the first example of the technique, for example, at least one of the above-described management conditions (1) to (5) or (1) to (5) and (a) to (g) is set as the management condition in advance. deep.

  Then, the evaluation unit 23 refers to the environmental information in each user terminal 11 of the in-company system 10 received by the environment information receiving unit 22, and sets one user terminal 11 belonging to the in-company system 10. It is determined whether or not all set management conditions are satisfied (step S21). When the management conditions for all the user terminals 11 that have received the environment information have been determined, the ratio of the user terminals 11 that satisfy the management conditions (the ratio to the total number of user terminals 11 in the in-company system 10) P is calculated. (Step S22).

  The higher the ratio P of the user terminals 11 that satisfy the management conditions, the higher the ratio P of the user terminals 11 that may have some adverse effects on the in-company system 10 (such as causing a security problem, being infected with a virus, The proportion (number) of user terminals 11 that are likely to cause information leakage due to wear or the like and user terminals 11 that have performed illegal copying is low, and the degree of safety of the corporate system 10 is high. The security situation is considered good.

  Therefore, when the degree of safety (security status) of the in-house system 10 is evaluated in, for example, five levels (evaluation levels 1 to 5) as described above, the evaluation level “5” is set when the ratio P is 90 to 100%. Allocation, evaluation level “4” is allocated when the ratio P is 80 to 90%, evaluation level “3” is allocated when the ratio P is 70 to 80%, and evaluation level when the ratio P is 50 to 70% “2” is assigned, and an evaluation level “1” is assigned in advance when the ratio P is less than 50%. Based on such evaluation level setting, the evaluation means 23 determines an evaluation level corresponding to the ratio P calculated in step S22 for the in-company system 10 (step S23).

In the first example of the security evaluation method shown in FIG. 5, the management condition is at least one of items (1) to (5) or (1) to (5) and (a) to (g). Although the case has been described, the present invention is not limited to this, and under these management conditions other than these items (1) to (5) or (1) to (5) and (a) to (g) There may be management conditions other than items (1) to (5) or (1) to (5) and (a) to (g).

FIG. 6 is a flowchart (steps S31 to S36) for explaining the operation of the evaluation unit 23 (second example of the security evaluation method) in the management server 20 of this embodiment. As shown in FIG. In the second example of the technique, for example, at least one of the management conditions (1) to (3) and (5) described above is set as the management condition in advance. “No dangerous software is installed on the user terminal” is assumed to have a very high degree of importance for ensuring the safety of the in-company system 10 and is set as an important management condition.

Then, the evaluation unit 23 refers to the environment information in each user terminal 11 of the in-company system 10 received by the environment information receiving unit 22, and first, for a plurality of user terminals 11 belonging to the in-company system 10, Management conditions set as important management conditions one by one (4)
Is determined (step S31). At this time, if there is at least one user terminal 11 that does not satisfy the management condition (4) (YES route in step S32), that is, if there is at least one user terminal 11 that has installed dangerous software, Without determining other management conditions, a predetermined low evaluation level (for example, “1”) is determined as the evaluation level of the in-company system 10 to which the user terminal 11 belongs. This is given to the system 10 (step S33).

On the other hand, when there is no user terminal 11 that does not satisfy the management condition (4) (step S
32 NO route), that is, if there is no user terminal 11 in which dangerous software is installed, the same evaluation process as in the first example described with reference to FIG. 5 is performed.

That is, it is determined whether each of the plurality of user terminals 11 belonging to the in-company system 10 satisfies all the management conditions set excluding the management condition (4) (step S).
34). The ratio of the user terminals 11 that satisfy the management condition at the time when the determination of the management conditions is completed for all the user terminals 11 that have received the environment information (ratio to the total number of user terminals 11 in the in-company system 10) P Is calculated (step S35). Then, based on the same evaluation level setting as in the first example, the evaluation unit 23 determines an evaluation level corresponding to the ratio P calculated in step S35 for the in-company system 10 (step S36).

In the second example of the security evaluation method shown in FIG. 6, the case where the important management condition is the management condition of the item (4) has been described, but the present invention is not limited to this, and other items The management conditions (1) to (3) and (5) may be set as important management conditions, or these items (1) to (5) or (1) to (5) and (a) to (a) Management conditions other than g) may be set as important management conditions, or a plurality of management conditions may be set as important management conditions.

  FIG. 7 is a flowchart (steps S41 to S48) for explaining the operation of the evaluation unit 23 (third example of the security evaluation method) in the management server 20 of the present embodiment. As shown in FIG. In the third example of the technique, for example, the management conditions (1) to (5) or (1) to (5) and (a) to (g) described above are set as management conditions in advance. In the third example, the importance levels M1 to M5 as described above are set in advance.

Then, the evaluation unit 23 refers to the environment information in each user terminal 11 of the in-company system 10 received by the environment information receiving unit 22, and sets one unit for the plurality of user terminals 11 belonging to the in-company system 10. It is determined whether each of the management conditions (1) to (5) or (1) to (5) and (a) to (g) is satisfied (step S41). When all the management conditions (1) to (5) or (1) to (5) and (a) to (g) have been determined for all the user terminals 11 that have received the environment information, User terminal 1 that satisfies the conditions (1) to (5) or (1) to (5) and (a) to (g)
1 (the ratio to the total number of user terminals 11 in the in-company system 10) P1 to P5 are calculated (steps S42 to S46).

  Thereafter, the evaluation unit 23 calculates an evaluation value V, which becomes a larger value as the number (ratio) of the user terminals 11 that do not satisfy the management condition having a high importance Mi (i = 1 to 5) increases. Calculate (step S47).

Evaluation value V = Σ (100−Pi) × Mi,
Here, Σ means the sum of (100−Pi) × Mi calculated when i is 1, 2, 3, 4, 5 respectively.

  This evaluation value V satisfies all the management conditions (1) to (5) or (1) to (5) and (a) to (g) for all user terminals 11 belonging to the in-company system 10. In this case, since the ratios P1 to P5 are all 100%, the evaluation value V is 0. As the number (ratio) of user terminals 11 that do not satisfy the management conditions (1) to (5) or (1) to (5) and (a) to (g) increases, in particular, the importance Mi The evaluation value V increases as the number (ratio) of user terminals 11 that do not satisfy the management condition having a large value increases.

  That is, as the evaluation value V is smaller (closer to 0), the user terminal 11 that may have some adverse effect on the in-company system 10 (such as causing a security problem, being infected with a virus, The ratio (number) of the user terminals 11 that are likely to cause information leakage due to, etc. or the user terminals 11 that have performed illegal copying is low, and the in-company system 10 has a high degree of safety. The situation is considered good.

  Alternatively, as the evaluation value V is smaller (closer to 0), the user terminal 11 (a user who is more likely to cause information leakage due to transmission of an electronic file or the like) that may have some adverse effects in the in-company system 10. The ratio (number) of the terminal 11) is low, and the degree of reliability of the in-company system 10 is high, that is, the security situation is considered good.

  Therefore, when the degree of safety (security status) of the in-company system 10 is evaluated in, for example, five levels (evaluation levels 1 to 5) as described above, in the third example of the security evaluation method, the evaluation value V is 0 to K1. Is assigned an evaluation level “5”, assigned an evaluation level “4” when the evaluation value V is K1 to K2 (> K1), and assigned an evaluation level “4” when the evaluation value V is K2 to K3 (> K2). 3 ”is assigned, the evaluation level“ 2 ”is assigned when the evaluation value V is K3 to K4 (> K3), and the evaluation level“ 1 ”is assigned when the evaluation value V is K4 to K5 (> K4). , Set in advance. Based on such evaluation level setting, the evaluation means 23 determines an evaluation level corresponding to the evaluation value V calculated in step S47 for the in-company system 10 (step S48). Note that K5 which is the maximum value of the evaluation value V is the value of the evaluation value V when the ratios P1 to P5 are all 0%, that is, 100 × (M1 + M2 + M3 + M4 + M5).

  In the third example of the security evaluation method shown in FIG. 7, the case where the management conditions are items (1) to (5) or (1) to (5) and (a) to (g) has been described. The present invention is not limited thereto, and may be management conditions other than these items (1) to (5) or (1) to (5) and (a) to (g), Management conditions other than items (1) to (5) or (1) to (5) and (a) to (g) may be included.

As described above, when the security evaluation result of the in-company system 10 is obtained in step S105 (any one of the security evaluation methods in FIGS. 5 to 7), the evaluation result notification means 24 determines that the evaluation result is a plurality of It is displayed on a terminal (not shown) of the user terminal 11 or an administrator (such as an administrator of the in-company system 10) and notified to each user or administrator (step S106 in FIG. 4).

  At this time, the notified evaluation result includes at least the five evaluation levels obtained in step S105. In addition to this evaluation level, more detailed information, for example, calculated ratios P, P1 to P5, The evaluation value V may be included, or more detailed information, for example, information such as which user terminal 11 does not satisfy which management condition may be included. Note that what kind of information is notified as the evaluation result may be determined in advance in the management server 20, or may be determined in accordance with an instruction from the administrator who has requested the security management.

  In the management server 20 of the present embodiment, at least electronic management education (e) including the matters relating to the management conditions (1) to (5) or (1) to (5) and (a) to (g). Learning), that is, an electronic education agent file (first) in order to execute a plurality of user terminals 11 belonging to the in-company system 10 for an electronic education about security in general when using the in-company system 10. 1 electronic education agent file) is created by the first electronic education agent file creation / holding means 251 or read from the first electronic education agent file creation / holding means 251 (step S107).

  Note that the first electronic education agent file may correspond to each of the above-described five evaluation levels, or performs electronic education related to environmental information that is particularly problematic based on the detailed information of the evaluation results. It may be a thing. If an agent file for executing the corresponding electronic education is held in the first electronic education agent file creation / holding means 251, the agent file is read out and held as the first electronic education agent file. If not, it is created by the first electronic education agent file creation / holding means 251.

  In this way, the agent file read from the first electronic education agent file creation / retention means 251 or the agent file created by the first electronic education agent file creation / retention means 251 is sent together with the security management request. A plurality of users in the in-company system 10 are attached to an e-mail or the like by the first electronic education agent file transmission means 252 based on the received information (e-mail address or the like) regarding each user terminal 11 of the transmission destination. It is transmitted to each of the terminals 11 (step S108).

[2-1-2] Electronic educational operation based on security evaluation:
Here, according to the flowchart (steps S61 to S64) shown in FIG. 9, the electronic education operation of each user terminal 11 in the in-company system 10 of the present embodiment will be described. As shown in FIG. 9, each user terminal 11 monitors whether or not the first electronic education agent file has been received from the management server 20 (step S61). (YES route of step S61) When the user performs a predetermined operation (for example, a double click operation with a mouse) on the file, the first electronic education agent file is stored on the user terminal 11. It is executed by the processing unit 110 (step S62). Thereby, the electronic education about the security in general is performed for the user of the user terminal 11 in the user terminal 11 (step S63). In this embodiment, the electronic education result (for example, each user) Information regarding whether or not the electronic education has been completed at the terminal 11 is transmitted / notified to the management server 20 through the LAN 12, the proxy server 13, and the external communication network 30 (step S64).

The management server 20 receives an electronic education result from each user terminal 11 belonging to the in-company system 10 (step S109), and the electronic education result is sent to the administrator of the in-company system 10 via the management server 20. And the user of each user terminal 11 is notified (step S110). The electronic education result may be notified directly from each user terminal 11 to the administrator of the in-company system 10 or the like.

  On the other hand, when the regular evaluation timing is reached for the in-company system 10 that has completed the processing of steps S102 to S110 (system evaluation / notification processing and electronic security processing for security in general) as described above (YES in step S101 to step S111). Route), the environment information collection agent file is sent by the environment information collection agent file transmission means 21 based on the information (email address, etc.) regarding each destination user terminal 11 sent at the time of the new security management request. And is transmitted to each of the plurality of user terminals 11 in the in-company system 10 (step S112). At this time, the environment information collection operation executed at each user terminal 11 that has received the environment information collection agent file is the same as the procedure described above with reference to FIG.

  If the evaluation level is low in the security evaluation (step S105 in FIG. 4), the time interval set as the regular evaluation timing (step S111 in FIG. 4) is set short, and the electronic education is executed again (in FIG. 4). Step S118) or the second electronic education is preferably executed (Step S123 in FIG. 4). In this case, it is desirable to set the periodic evaluation timing to be shorter according to the level as the evaluation level is worse.

  The management server 20 receives environment information from each user terminal 11 belonging to the in-company system 10 (step S113), and receives environment information from all user terminals 11 belonging to the in-company system 10 (step S113). (YES route of S114), security evaluation by the evaluation means 23 is executed (step S115).

  In step S114, security evaluation is performed when environment information is received from all user terminals 11 belonging to the in-company system 10. However, even if a predetermined time elapses, all user terminals 11 receive the security evaluation. When environment information cannot be received, security evaluation by the evaluation unit 23 may be performed based on environment information received at the time when the predetermined time has elapsed.

  In step S114, it is not determined whether environment information has been received from all the user terminals 11 as described above, but a predetermined number or more or a predetermined ratio of the user terminals 11 belonging to the in-company system 10. It is determined whether or not environmental information has been received from the above user terminals 11, and evaluation is performed based on the received environmental information when environmental information is received from a predetermined number or more or a predetermined ratio of user terminals 11 or more. You may make it perform the security evaluation process (step S115) by the means 23, and the judgment process (step S120) by the judgment means 26. FIG.

  In step S115, when the security evaluation result of the in-company system 10 is obtained by the security evaluation method described above with reference to FIGS. 5 to 7, for example, the evaluation result is notified to the plurality of user terminals by the evaluation result notification unit 24. 11 or a manager (such as a manager of the in-company system 10) (not shown) and notifies each user or manager (step S116 in FIG. 4).

Further, the management server 20 determines whether or not it is necessary to perform common electronic education for all of the plurality of user terminals 11 belonging to the in-company system 10 based on the security evaluation result in step S115. (Step S117). For example, when all of the plurality of user terminals 11 belonging to the in-company system 10 satisfy the above management conditions, or when the current security evaluation result for the in-company system 10 is not different from the previous time or better than the previous time. If it is, it is determined that electronic education is not necessary (NO route of step S117), and the process is terminated (return to step S101).

  On the other hand, if this is not the case, that is, if the current security evaluation result for the corporate system 10 is worse than the previous time, it is determined that electronic education is necessary (YES route in step S117), and The same electronic education on general security is performed, or the electronic education (e-learning) corresponding to the security evaluation result obtained in step S115 is performed. In the present embodiment, it is assumed that the latter electronic education, that is, electronic education corresponding to the security evaluation result obtained in step S115 is performed.

  At this time, according to the security evaluation result obtained in step S115, the management server 20 of the present embodiment provides electronic education (e-learning) according to the security evaluation result to a plurality of user terminals 11 belonging to the in-company system 10. The electronic education agent file is created by the first electronic education agent file creation / holding means 251 or read from the first electronic education agent file creation / holding means 251 (see FIG. Step S118).

  Here, the electronic education agent file corresponding to the security evaluation result may correspond to each of the above-described five evaluation levels, or may be particularly problematic environmental information based on the detailed information of the evaluation result. Such electronic education may be performed. If the agent file for executing the corresponding electronic education is held in the first electronic education agent file creation / holding means 251, the agent file must be held while being read as the electronic education agent file. For example, the first electronic education agent file creation / holding means 251 creates the file.

  In this way, the agent file read from the first electronic education agent file creation / retention means 251 or the agent file created by the first electronic education agent file creation / retention means 251 is stored at the time of a new security management request. Based on the information (e-mail address, etc.) regarding each user terminal 11 that has already been sent, the first electronic education agent file transmission means 252 attaches it to an e-mail, etc. Is transmitted to each of the user terminals 11 (step S119).

  At this time, the electronic education operation executed by each user terminal 11 that has received the electronic education agent file is the same as the procedure described above with reference to FIG. Thereafter, the management server 20 receives the electronic education result from each user terminal 11 belonging to the in-company system 10 (step S109), and the electronic education result is sent to the in-company system 10 via the management server 20. The administrator or the like or the user of each user terminal 11 is notified (step S110).

  In this embodiment, in step S117, it is determined that electronic education is necessary when the current security evaluation result for the in-company system 10 is worse than the previous time. The case where all of the plurality of user terminals 11 belonging to the above-mentioned management conditions satisfy the above-mentioned management conditions, the case where the current security evaluation result for the in-company system 10 is not different from the previous time, or the case where it is better than the previous time. However, in order to confirm and re-recognize security, electronic education for each user terminal 11 (electronic education for security in general and electronic education according to evaluation results) may be performed.

Now, in the management server 20, all user terminals 11 belonging to the in-company system 10 are used.
When environment information is received from (YES route of step S114), the following steps S120 to S124 are executed in parallel with the above-described steps S115 to S119.

  That is, first, based on the environmental information in each user terminal 11 received in step S113 by the judging means 26, each user terminal 11 has at least the management conditions (1) to (5) or (1) to (5). ) And (a) to (g) are determined (whether the management condition is violated) (step S120).

  If there is no management condition violation in the user terminal 11 (NO route in step S120), the process ends (returns to step S101). On the other hand, if there is a violation of the management condition (YES route in step S120), the warning means 27 sends a warning indicating that the management condition is violated to the user terminal 11 of the violator or the terminal of the administrator. Then, a warning is given to the violator, manager, etc. (administrator, etc. of the company system 10). The warning is performed by a pop-up display or a warning sound on the terminal display unit.

  Then, in the management server 20 of the present embodiment, in order to cause the violator's user terminal 11 to execute electronic education (e-learning) on matters relating to violation management conditions, an agent file for electronic education (first The second electronic education agent file) is created by the second electronic education agent file creation / retention means 281 or read from the second electronic education agent file creation / retention means 281 (step S123).

  If the agent file for executing the corresponding electronic education is held in the second electronic education agent file creation / holding means 281, the agent file is read out as the second electronic education agent file and held. If not, it is created by the second electronic education agent file creation / holding means 281.

  In this way, the agent file read from the second electronic education agent file creation / retention means 281 or the agent file created by the second electronic education agent file creation / retention means 281 is already at the time of the security management request. From the sent information (e-mail address, etc.) regarding each of the plurality of user terminals 11 belonging to the in-company system 10, the e-mail address of the violator's user terminal 11 is searched and based on the e-mail address. Then, the second electronic education agent file transmission means 282 transmits it to the user terminal 11 of the violating management condition by attaching it to an electronic mail (step S124).

  At this time, the electronic education operation (detailed electronic education about the matter related to the violation management condition) executed on the user terminal 11 of the violator who has received the second electronic education agent file has been described above with reference to FIG. Since it is the same as the procedure, its description is omitted.

[2-2] Personal / confidential information management operation:
Next, the personal / confidential information management operation (step S1002 in FIG. 2) will be described with reference to the drawing in FIG. In this embodiment, in the security management (step S1001 in FIG. 2), electronic education is given when the security evaluation result is not good. In some cases, it is desirable to perform personal and confidential information management operations in parallel with electronic education. That is, when the security evaluation result is not desirable, there is a possibility of leakage of personal information and confidential information at the user terminal 11, so that information leakage is prevented by personal and confidential information management promptly together with electronic education. There is a need.

  That is, in the management server 20 of the present embodiment, the violator's user terminal 11 is caused to execute electronic education (e-learning) on matters relating to the violation management condition, and the operation restriction control agent file includes an operation restriction. It is created by the control agent file creation / holding means 291 or read from the operation restriction control agent file creation / holding means 291.

  If the agent file for executing the operation restriction in the user terminal 11 is held in the operation restriction control agent file creation / holding means 291, the agent file is read as the operation restriction control agent file, If not, it is created by the operation restriction control agent file creation / holding means 291.

  In this way, the agent file read from the operation restriction control agent file creation / holding means 291 or the agent file created by the action restriction control agent file creation / holding means 291 has already been sent at the time of security management request. The mail address of the violator's user terminal 11 is searched from information (email address, etc.) related to each of the plurality of user terminals 11 belonging to the in-company system 10, and the operation is performed based on the mail address. The restriction control agent file transmission unit 292 transmits the file to the user terminal 11 of the person who violates the management condition by attaching it to an e-mail. The second electronic education agent file and the operation restriction control agent file described above are sent to the same user terminal 11, but may be at the same timing or at different timings.

  In this embodiment, when it is found that the management condition is not satisfied in the security management operation, the operation restriction control for personal / confidential information management described below is performed together with the first electronic education or the second electronic education. It is desirable to perform.

In addition to the case where the management conditions are not satisfied or the case where the electronic education is not completed, the following operations for personal / confidential information management may be executed independently as necessary.
FIG. 10 shows the operation restriction control for personal / confidential information management executed at the user terminal 11 of the violator who has received the operation restriction control agent file at this time.

  First, the operation restriction control agent file execution means 119 in the processing unit 110 of the user terminal 11 violates a management condition in the evaluation in the security management operation described above when various operation commands are generated (step S2001 in FIG. 10). Whether there is a problem in the evaluation, such as whether the execution means 113 is executing the first electronic education (incomplete) or the second electronic education is being executed (incomplete) (Step S2002 in FIG. 10). In this case, it may be referred to whether the second electronic education agent file exists in the processing unit 110 or whether a report of completion is notified to the management server.

  Here, when the electronic education has already been completed or no management condition violation has been found (NO in step S2003 in FIG. 10), various operations are executed in a normal state with no restrictions on personal / confidential information management (FIG. 10). Step S2009 in 10).

  In the above case, a predetermined flag is set for the state of the management condition (whether there is a violation) or the completion of the electronic education, and the operation state can be determined by referring to the flag.

In this case, the security evaluation (step S115) described in FIG. 4 and the management condition violation determination (step S120 in FIG. 4) each time various operation commands are generated in the user terminal 11 or periodically at predetermined intervals. Is preferably executed for each user terminal 11 and a predetermined flag is set.

  If there is a problem in the evaluation such as a violation of management conditions or the completion of electronic education (YES in step S2003 in FIG. 10), the file to be managed is managed as personal / confidential information management. Is collected from the user terminal 11 and based on the result of the search transmitted from the user terminal 11 and / or the access log for the management target file, the user terminal 11 The security level is changed / set, and the operation restriction state of the user terminal is determined according to the security level (step S2004 in FIG. 10). The collection of the access log for the management target file, the change / setting of the security level, and the state determination of the operation restriction will be described in detail later.

  The contents of this operation restriction (network use restriction, electronic file transmission restriction, electronic file encryption, restriction by mask at the time of printing / displaying) may be set by the operation restriction control agent file, It may be set in a nonvolatile memory (not shown) in the user terminal 11 or the like.

  Further, the content of the operation restriction may be the same for each of the plurality of user terminals, or may be different for each user terminal. Moreover, when it differs for every user terminal, you may change a restriction | limiting state according to the content, level, etc. of violation.

  In response to a separately defined restriction setting (step S2005 in FIG. 10), the operation restriction control agent file execution means 119 is an electronic file based on a password that is determined in advance by the administrator and is unknown to the user. Is encrypted (steps S2006 and S2009 in FIG. 10).

  It should be noted that the encryption program and password at the time of encryption may be included in the operation restriction control agent file by the administrator together with the designation of performing encryption as restrictions. In this case, the operation restriction control agent file execution unit 119 also serves as an encryption unit.

  When the electronic file is encrypted and transmitted, and the user terminal 11 satisfies the management conditions described above, the password necessary for decryption is transmitted from the management server side to the user terminal 11 or the electronic file destination. Is done.

  If the use of the user terminal 11 in the network connection is restricted in accordance with a separately set restriction setting (step S2005 in FIG. 10), the operation restriction control agent file execution unit 119 The connection itself in the connection and the exchange of data via the network are restricted (steps S2007 and S2009 in FIG. 10). Further, when electronic file transmission in the network connection in the user terminal 11 is restricted, file transfer in the network connection is restricted by an operation restriction unit described later (steps S2007 and S2009 in FIG. 10). In this case, transmission of the electronic file may be completely prohibited, or a file with a message indicating that the operation restriction control has occurred due to the relationship between the second electronic education incomplete and the access log of the management target file may be transmitted. .

It is also possible to change the transmission destination of the electronic file to the management server. In that case, the mail address or IP address of the management server may be included in the operation restriction control agent file together with the designation of destination change. In addition, when the destination is changed to the management server, the operation restriction control agent file includes a specification for deleting the corresponding electronic file from the storage unit of the user terminal, so that the corresponding electronic file is stored in the management server. It becomes possible to collect.

  If an electronic file attached to an e-mail is sent, send the e-mail body with the attached electronic file part deleted, or both the e-mail body and the attached file. Any of transmission may be sufficient. In this case, it is desirable to inform the user that an electronic file or email is not sent.

  The above various restrictions may be determined according to the degree of management conditions, but whether the electronic file to be sent contains personal information or confidential information, whether it is a managed file or not. Alternatively, it may be determined according to the amount of personal information or confidential information contained therein. In this case, the operation restriction control agent file uses a table in which words that may correspond to personal information and confidential information are stored in advance. If there is a word that matches or resembles this table, the personal information or confidential information is stored. Judge that there is. The determination as to whether personal information or confidential information is included in the electronic file will be described later. In addition, when the user terminal 11 tries to transmit a plurality of electronic files, it is possible to change the restriction content for each electronic file depending on the presence or absence of personal information. That is, when the user terminal 11 tries to transmit a plurality of electronic files, the electronic file having personal information can be restricted in transmission, and the electronic file not having personal information can be restricted in transmission.

  Further, when the user terminal 11 tries to transmit a plurality of electronic files, the electronic file is limited in transmission degree (stop, encryption, destination change, destination change +) according to a Pr mark of personal information described later. It is also possible to determine (deletion).

  Alternatively, the operation restriction control agent file execution unit 119 displays the contents to be displayed or printed when displaying on the display screen or when printing out, in accordance with the restriction set separately (step S2005 in FIG. 10). Mask it so that it cannot be read (step S2008 in FIG. 10).

  If the second electronic education has been completed (NO in step S2003 in FIG. 10), or the second electronic education has not been completed (YES in step S2003 in FIG. 10), it is caused by the management target file. If it is not related to the operation restriction to be performed (NO in step S2004 in FIG. 10), various operations are executed without restriction (step S2009 in FIG. 10).

In the above description, the operation restriction is executed when there is a violation of the management condition or when the electronic education is not completed. However, the present invention is not limited to this.
For example, it is determined whether or not there is a management condition violation after the execution of the first electronic education (first determination). If there is a violation of the management condition, the second electronic education is executed. If a determination (second determination) is made and a management condition violation is found by this second determination, the operation restriction may be executed even after the second electronic education execution is completed. In this case, it is desirable to execute both the operation restriction based on the first determination and the operation restriction based on the second determination while changing the restriction level. That is, a light operation restriction is applied by the first determination, and then a severe operation restriction is applied by the second determination.

  In addition, after the execution of the first electronic education, it is determined whether or not there is a management condition violation (first determination). If there is a violation of the management condition, the second electronic education is executed. Judgment (second judgment), three-stage operation restriction, such as low operation restriction by the first judgment, moderate operation restriction due to incomplete second electronic education, severe restriction by second judgment after the second electronic education It is good.

  In addition, after the execution of the first electronic education, it is judged whether or not there is a management condition violation (first judgment). If there is a violation of the management condition, the second electronic education is executed. If the management condition violation is found by the second determination, the operation restriction may be executed after the second electronic education execution is completed. In this case, the operation restriction is not applied depending on the first determination, but the operation restriction is applied based on the second determination.

  In addition, after the execution of the first electronic education, it is determined whether or not there is a management condition violation (first determination). If there is a violation of the management condition, the second electronic education is executed. The determination (second determination) may be performed, and the operation restriction may be applied only by the first determination regardless of the second determination. In this case, it is desirable to release the operation restriction if the violation is permitted in the second determination.

[3] Operation of embodiment (personal / confidential information management operation):
Here, handling of personal / confidential information in the user terminal 11 of the present embodiment will be described.

  In the present embodiment, in addition to the first condition that the second electronic education is not completed, the access log for the management target file is collected from the user terminal 11 in the user terminal 11 corresponding to the first condition. In accordance with the set security level, an access log for the management target file is collected from the user terminal, and the search result transmitted from the user terminal and / or the access log for the management target file are stored in the access log. Based on this, the security level in the user terminal is changed and set, and the operation limit of the user terminal is changed according to the security level, with the security level as the second condition.

  Here, each user terminal 11 is constituted by a terminal device such as a personal computer (PC) used by each employee (user) in the company or the like, and will be described later with reference to FIGS. It has a functional configuration.

  In the present embodiment, as the plurality of user terminals 11, a personal information search program (personal information element or confidential information element for executing search for a personal information file in the user terminal 11 in connection with the operation restriction). Search means (exploration program)) that specifies and searches for management target files having a predetermined number or more. The personal information search program may be included in the above-described operation restriction control agent file, or may be held separately by the user terminal 11.

In addition, the operation | movement regarding the personal and confidential information management performed with respect to personal information and confidential information is demonstrated here by making the case of personal information mainly into a specific example here.
[3-1] Functional configuration of the user terminal 11 of the present embodiment:
FIG. 11 is a block diagram showing a functional configuration of a personal information search program resident terminal as the user terminal 11 of the present embodiment.

  The configuration of the user terminal 11 shown in the block diagram of FIG. 11 is a functional block diagram realized by the operation restriction control agent file execution means 119 described above executing the operation restriction control agent file.

As shown in FIG. 11, the user terminal 11 according to the present embodiment includes a CPU (Central Processin Unit) 110a that executes various processes and a storage unit 1110b that can hold an electronic file including personal information and the like. The quarantine table 1110 provided from the management server 20
c or Pr mark (Privacy level mark; a level indicating the high possibility of being a personal information file, a level determined by a judgment value described later) of the electronic file held in the storage unit 1110b A table 1110d and a display unit 1110e for displaying characters or images are provided.

  As will be described later, a personal information search program for causing the processing unit (CPU) 110 to function as personal information search means 1100 described later is installed from the management server 20. The personal information search program may be included in the operation restriction control agent file.

  Here, the storage unit 1110b is a hard disk built in the user terminal 11 or a storage device connected to or externally attached to the user terminal 11, such as a flexible disk, CD (CD-ROM, CD-R, CD-RW). Etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.), magnetic disks, optical disks, magneto-optical disks, IC cards, ROM cartridges, magnetic tapes and other recording media This is a storage device to be used. The quarantine table 1110c and the Pr mark table 1110d described above may be held in a RAM (Random Access Memory), a hard disk, or the like that constitutes the user terminal 11, or may be held in the storage unit 1110b.

  The processing unit (CPU) 110 executes the operation restriction control agent file to thereby execute a personal information search unit 1100, a detection unit 1200, a first control unit 1300, an access monitoring unit 1400, a transmission request monitoring unit 1600, a transmission / reception unit 1500, It functions as the operation restriction control means 1800 and the display control means 1900. These functions are executed when the processing unit (CPU) 110 executes a personal information search program or a personal / confidential information management program included in the operation restriction control agent file installed from the management server 20 as described later. It shall be realized.

  The personal information search unit 1100 executes a personal information search program installed from the management server 20, thereby functioning as a text extraction engine that converts an electronic file stored in the storage unit 1110b into a text file, and a quarantine table 1110c. It functions as an exploration engine for exploring a personal information file from data in the storage unit 1110b.

  Here, the personal information searching means 1100 is basically searched for a necessary information element from a text file or the like, but in addition, when there is a flag or the like of a result searched in advance by another searching means, It is also possible to search for the flag. In this case, the search for the information element from the text fill or the like and the search for the flag may be performed in parallel.

  It should be noted that the personal information search unit 1100 immediately changes the operation restrictions of the user terminal 10 immediately after installing a program that causes the CPU 110a to function as the personal information search unit 1100, or when the user terminal 10 is activated. When performing or specifying a personal information file (management target file) satisfying the above-mentioned predetermined condition from data in the storage unit 1110b at every predetermined cycle, each file (exploration) held in the storage unit 1110b is searched. It functions as a text extraction engine that converts a target file) into a text file, and also functions as a search engine that searches a personal information file from data in the storage unit 1110b using a quarantine table 1110c.

That is, the personal information searching unit 1100 searches for a personal information file by referring to various electronic files existing in the storage unit 1110b of the user terminal 11 according to the condition (quarantine table 1110c) instructed from the management server 20. An electronic file determined to be a personal information file is written in a log (local cache database). In the present embodiment, the Pr mark determined based on the determination result (determination value) obtained by the personal information searching unit 1100 is registered in the Pr mark table 1110d. Details of the functional configuration of the personal information searching means 1100 will be described later with reference to FIG.

  The detection unit 1200 detects a change to an electronic file already stored in the storage unit 1110b of the user terminal 11 and an addition of a new electronic file to the storage unit 1110b.

  That is, the detection unit 1200 detects an access executed on the user terminal 10 with respect to a file determined to be a personal information file by the personal information search unit 1100, and records the access contents as an access log for each file. The access log is stored, and the access log is stored in the management server 20 through the transmission / reception unit 1500 and the network 30 at the time of access detection, periodically, or when requested from the management server 20 (collection unit described later). Is sent and notified. The access contents include access types (for example, printing, writing to an external storage medium, deletion, rename (change), overwriting, uploading to an FTP (File Transfer Protocol) server), and access for each access type. Number of times.

  The first control means 1300 makes the personal information search means 1100 first (when this management system 1 is started up / at the time of installation of the personal information search program / new of the user terminal 11) in the procedure described later with reference to FIG. Each time the personal information file is searched for all data in the storage unit 1110b of the user terminal 11 at the time of connection), the detection unit 1200 detects the addition / change of the electronic file. The program is started, and the personal information searching means 1100 is caused to execute real-time search for determining whether the added / changed electronic file is a personal information file.

  The access monitoring unit 1400 monitors the electronic file (electronic file to which the Pr mark is assigned) that has been searched by the personal information searching unit 1100 and determined to be a personal information file, and accesses to the electronic file (for example, renaming, When data changes due to copying, erasing, moving, etc.), the fact is written as log information and notified to the management server 20 through the transmission / reception means 1500.

  The transmission / reception unit 1500 transmits / receives various information to / from the management server 20 (or file access management server 20 ′) via the network, and transmits a determination result by the personal information search unit 1100 to the management server 20. It functions as. When the transmission / reception unit 1500 functions as the transmission unit, a difference between the determination result (link destination information and determination value of the personal information file) and the previously transmitted search result is obtained, and the difference is transmitted to the management server 20. In addition, the information to be transmitted may be encrypted.

  The transmission / reception unit 1500 transmits / receives various information to / from the management server 20 and other user terminals 10 via the network 30. The transmission / reception unit 1500 is obtained by the search result by the personal information search unit 1100 and the detection unit 1200. It also serves as a transmission means for transmitting an access log or the like to the management server 20.

The transmission request monitoring unit 1600 monitors an electronic file (an electronic file to which a Pr mark is added) that has been searched by the personal information searching unit 1100 and determined to be a personal information file, and a transmission request for access to the electronic file is received. If it occurs, the fact is written as log information, and predetermined operation restriction control is executed through the operation restriction control means 1800 and the transmission / reception means 1500.

  The operation restriction control unit 1800 restricts various operations of the user terminal (network connection restriction, file transfer restriction, file encryption) when it is determined that the electronic file is a personal information file according to the designation of the action restriction control. File printing, display masking, etc.).

The operation restriction control unit 1800 also has functions as an external recording medium driver, encryption unit / registration unit, and the like.
Here, the external storage medium driver is a function realized by the user (owner) of the user terminal 10 executing a program installed from the outside by his own will, and is a file designated by the user. Is read from the storage unit 1110b and written to an external storage medium. Examples of the external storage medium in the present embodiment include various storage media such as a flexible disk, CD, DVD, magnetic disk, optical disk, magneto-optical disk, memory card, USB (Universal Serial Bus) memory, and external hard disk. .

  The encryption means / registration means is also a function realized by the user (owner) of the user terminal 10 executing a program installed from the outside by his / her own will, and this encryption means / registration means 15 is This is to realize an encryption function for automatically encrypting a file sent to the outside.

  When the function as the encryption unit / registration unit is set (installed), particularly when the function as the encryption unit is set, the encryption unit is attached to the mail or the external storage medium 40. The file that is written out and sent to the outside is converted into a completed document file having a container function [here, a PDF (Portable Document Format) file that is difficult to falsify], and further using the container function After the original file of the electronic file is stored in the PDF file, the PDF file is received by a predetermined encryption key (actually received from the server 20) managed by a function (described later) as a file access management server in the management server 20 To create an encrypted file. Note that conversion to a PDF file is performed by, for example, a PDF driver, and when the PDF driver is activated, the electronic file is converted to PDF and a PDF file file is generated.

  In addition to the encryption operation, the user (user) who accesses the encrypted file has the authority to access the encrypted file (for example, in addition to viewing, annotation, printing, copying, It is assumed that the setting of the authority to execute the one selected from the access such as fetching, editing of the fetched file, and attachment is automatically performed on the server 20 from the encryption means. Here, for example, only the necessary minimum access authority (for example, viewing authority) is set.

  On the other hand, when the function as the registration unit is set, the registration unit uses the file attached to the mail or written to the external storage medium and sent to the outside as the file access management server in the management server 20. Is registered in the server 20 so as to be managed under the function (described later). At the time of registration, the management target file is transmitted to the server 20, and the encryption unit of the server 20 responds to the registration process as described later. It fulfills the function of receiving the created encrypted file.

The display control unit 1900 sends display data to the display unit 1110e. According to the designation of the operation restriction control, according to the completion of the electronic education in the user terminal 11,
Depending on whether the electronic file is a personal information file such as a management target file, control is performed to limit the sending of display data to the display unit 1110e.

[3-2] Detailed functional configuration of personal / confidential information search in user terminal:
FIG. 12 is a block diagram illustrating a detailed functional configuration of the personal information search unit 1100 included in the processing unit (CPU) 110 in the user terminal 11 according to the present embodiment.

  As shown in FIG. 12, the personal information exploration means 1100 of this embodiment includes an extraction means 1110, a cutout means 1120, a first determination means 1130, a character determination means 1140, a collation means 1150, and a second determination means 1160. These functions are also realized by the processing unit (CPU) 110 executing the personal information search program included in the operation restriction control agent file sent from the management server 20.

The extraction unit 1110 extracts text data (for example, CSV (Comma Separated Value) format data) of an electronic file (determination target file) in the storage unit 1110b, and functions as the text extraction engine.

  In the file buffer, 2-byte code characters (double-byte characters) are captured so as not to be lost at the end of the file buffer. In addition, when data is cut out and taken in from a file buffer to a data shaping buffer (not shown), which will be described later, by the cut-out means 1120, the corresponding amount of data is taken into the file buffer.

  The cutout unit 1120 cuts out character sections delimited by delimiters from the text data extracted by the extraction unit 1110 and sequentially writes them as a determination target / collation target in a buffer (not shown). Here, the delimiter is, for example, a half-width space, a half-width comma (half-width comma + half-width space is also regarded as a half-width comma), a tab character (half-width), CR (Carrige Return), or LF (Line Feed).

Here, as the predetermined delimiter position, an appearance position of a delimiter character set in advance or a boundary position between a 1-byte code character and a 2-byte code character (a portion where a single-byte character / ASCII character is followed by a double-byte character) Or, a half-width character / ASCII character is followed by a half-width character / ASCII character), or a boundary position between a full-width arithmetic number “0” to “9” and a character excluding the full-width arithmetic number and the hyphen. The delimiter is a delimiter that is a delimiter of data. Specifically, a half-width space, half-width comma (half-width comma + half-width space is also considered a half-width comma), tab character (half-width), CR (Carrige Return) , LF (Line Feed
), “: (Colon)”, “; (semi-colon)”, “>”, “}”, “]”.

  Further, symbols other than alphanumeric characters, katakana, hiragana, kanji characters, such as hyphens, underbars, parenthesis symbols, and the like are removed from the character section cut out by the cutting means 1120. In the present embodiment, it is assumed that the cutting means 1120 has a function of removing the symbol characters as described above.

  The first determination unit 1130 is a personal information element other than the name (specifically, in the present embodiment, a telephone string) in a character section (hereinafter simply referred to as a character string) from which the symbol character has been removed by the cutout unit 1120. In order to determine whether or not any one of a number, an e-mail address, and an address), the telephone number determination unit 1130a, the e-mail address determination unit 1130b, and the address determination unit 1130c are provided. . Note that the first determination unit 1130 of the present embodiment performs the character string determination process in order of lighter determination processing load, that is, in the order of a telephone number, an e-mail address, and an address.

  The telephone number determination means 1130a determines whether or not the character string corresponds to a telephone number. If the character string satisfies the telephone number determination condition set in the quarantine table 1110c, the character string is a telephone number. It judges that it corresponds to a number, notifies that to the 2nd judgment means 1160, and terminates the judgment process by the 1st judgment means 1130 with respect to the said character string. In the present embodiment, it is assumed that the telephone number determination condition includes a 9-15 digit number in the character string.

  The e-mail address determination unit 1130b determines whether or not the character string corresponds to a telephone mail address when the telephone number determination unit 1130a determines that the character string does not correspond to a telephone number. If the character string satisfies the e-mail address determination condition set in the quarantine table 1110c, it is determined that the character string corresponds to the e-mail address, and that is notified to the second determination means 1160. The determination processing by the first determination means 1130 is terminated.

  In the present embodiment, the e-mail address determination condition is as follows: “One or more ASCII (American Standard Code for Information Interchange)” + “@ (at sign)” + “One or more ASCII characters” + “. It is assumed that the character string “dot)” + “ASCII of one or more characters” is included. In this case, the shortest e-mail address is “a@a.a”, for example.

  The address determination unit 1130c determines whether or not the character string corresponds to an address (residence) when the e-mail address determination unit 1130b determines that the character string does not correspond to an e-mail address. When the character string satisfies the address determination condition set in the quarantine table 1110c, it is determined that the character string corresponds to an address, and the fact is notified to the second determination unit 1160. In the present embodiment, the address determination condition includes a character string of “one or more double-byte characters” + “city” or “city” or “county” + “one or more double-byte characters” in the character string. Suppose that At this time, if the processing capacity of the processing unit (CPU) 110 is sufficiently high, it may be added to the address determination condition that a 7-digit number corresponding to the postal code is included in addition to the character string. Good. In addition, the address determination condition is that the character string includes a 7-digit numeric string corresponding to the postal code or “3-digit numeric string” + “− (−” instead of the above-described conditions. Hyphens) ”+“ a digit string of four digits ”may be included.

  When the first determination unit 1130 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address, the character determination unit 1140 sets the character string in the quarantine table 1110c. Specifically, it is determined whether the number of characters in the character string is within a predetermined range and whether all the characters in the character string are kanji. In the present embodiment, the character determination condition is that, as described above, the number of characters in the character string is within a predetermined range and all the characters in the character string are kanji characters. Is set to a general (appropriate) number range, for example, 1 to 6 as the number of characters of the name (including only the last name and only the name).

  The collating unit 1150 is a character section determined by the first determining unit 1130 as not corresponding to any of a telephone number, an e-mail address, and an address, and is further within the predetermined range by the character determining unit 1140 and For a character section in which all characters are determined to be kanji, a character / character string included in the character section and an inappropriate character / inappropriate character string preset as a character / character string that cannot appear in the name Is checked to determine whether or not the character section includes an inappropriate character / unsuitable character string, and the verification determination result is notified to the second determination means 1160.

  Here, inappropriate characters / unsuitable character strings are set in advance in the quarantine table 1110c. For example, Tokyo, Osaka, Yokohama, Kyushu, Hokkaido, Kyoto, capital, private, school, store, stock, prefecture, university , Gakuin, Tokyo Stock Exchange, Research, Administration, General Affairs, Accounting, Sales, Administration, Pharmaceutical, Sales, School, Education, Specialty, Architecture, Machine, Corporation, Factory, Manufacturing, Technology, Commerce, Books, Unknown, Deputy Director, Public, Publication , Advertising, Broadcasting, Target, Wholesale, Retail, Planning, HR, Information, Department, President, Regulatory, General Manager, Section Manager, Section Manager, Officer, Head Office, Branch Office, Business, Business, Education, Precision, Oil, Transportation, Management, Strategy , Materials, engineer, electricity, production, tax, public relations, transportation, chief, computer, finance, office work, development, policy, production, economy, industry, finance, banking, research, English, quality, warranty, equipment, charge, chief , Supervisor, audit, support, design, insurance, safe, business, representative, transportation, first 2nd, 3rd, 4th, 5th, 6th, 7th, 8th, 9th, Special Sales, Facility, Name, Mail, Name, Name, City Hall, Affiliation, Characteristic, Childhood, Christianity, Association, Church , Union, cult, commerce, nationwide, branch, contact, assembly, life, consumption, promotion, city hall, ward office, synthesis, modification, function, overview, composition, company, organization, association, deletion, document, deadline, valid, A character / character string that cannot appear in a general name, that is, a character / character string that is inappropriate as a name.

  The second determination means (determination means) 116 is based on the determination result by the telephone number determination means 1130a, the e-mail address determination means 1130b and the address determination means 1130c in the first determination means 1130 and the verification determination result by the verification means 1150. It is determined whether or not the determination target file is a personal information file.

  More specifically, the second determination unit 1160 receives notification of determination results from the telephone number determination unit 1130a, the e-mail address determination unit 1130b, and the address determination unit 1130c. Counts the number of character sections considered to be applicable, and receives the collation determination result from the collation means 1150, and the character section determined by the collation means 1150 as not including an inappropriate character / inappropriate character string as the name Count the number.

  Then, the second determination means 1160 is based on the counting results (four count values; the number of telephone numbers, the number of e-mail addresses, the number of addresses, the number of names) for each of the telephone number, e-mail address, address, and name. A determination value that increases as these count values increase is calculated. For example, the second determination unit 1160 may calculate the sum of four count values as the determination value, or set a weighting factor in advance for each of the telephone number, e-mail address, address, and name. The sum of the multiplication results of the weighting coefficient and the count value for the personal information element may be calculated as the determination value, and various methods for calculating the determination value are conceivable.

  When the determination value as described above is calculated, the second determination unit 1160 determines whether the determination target file is a personal information file based on the determination value. Specifically, when the determination value exceeds a predetermined threshold, it is determined that the determination target file is a personal information file. When making such a determination, the second determination means 1160 further assigns a Pr mark (private level mark) according to the size of the determination value to the determination target file and sets it in the Pr mark table 1110d. Register and rank. As described above, the Pr mark is a level indicating the high possibility that the determination target file is a personal information file. The larger the determination value, the higher the Pr mark is set.

For example, when the determination value is 10 or more, it is determined that the determination target file is a personal information file. When the determination value is 10 or more and less than 100, “Pr1” is assigned as the Pr mark, and when the determination value is 100 or more and less than 1000, “Pr2” is assigned as the Pr mark. When it is 1000 or more and less than 10,000, “Pr3” is assigned as the Pr mark, and when the determination value is 10000 or more, “Pr4” is assigned as the Pr mark. The predetermined threshold for determining the personal information file and the reference value for determining the Pr mark are set as appropriate from the management server 20 (a management console 24 described later). Here, the Pr mark is ranked into four “Pr1” to “Pr4”, but the number of ranks is not limited to this.

  As described above, the Pr mark (Pr mark table 10d) given to the determination target file is, together with information (for example, a file name) for specifying the file for each file determined to be a personal information file. The data is transmitted to the management server 20 via the transmission / reception unit 1500 and the network 30, and is stored in the database 20b by the collection unit 203 as described later with reference to FIG. Then, the management target file (personal information file) to which the Pr mark is assigned corresponds to the rank of the Pr mark, as will be described later with reference to FIG. 11, the management server 20 (second personal information management means 208 described later). ) To be managed as a management target file as described later.

  The above is the general ranking of the Pr mark, but it can also be handled as follows. For example, character strings such as disease name (medical history), hospital name (visit history, hospitalization history), drug name (medicine history), annual income, occupation, criminal record (crime history) appear in general sentences regardless of personal information. However, if it is related to personal information such as an address, name, telephone number, or email address, it is considered that the personal information is not desired to be known to others. Must be set.

  In other words, disease name (medical history), hospital name (visiting history, hospitalization history), drug name (medicine history), annual income, occupation, criminal history (crime history), character strings, address, name, phone number, e-mail address, etc. If the personal information is associated as a character string, the Pr mark calculated by setting a particularly large weighting coefficient is assigned to the determination target file, set and registered in the Pr mark table 1110d, and ranked. Do.

  In addition, when it is determined that the electronic file is a personal information file as described above, the personal information of the electronic file is stored in the Pr mark table 1110d serving as a storage unit in a state associated with the Pr mark information described above. (Corresponding to the address in the electronic file) is stored.

  As will be described later, the management server sets the security level based on the presence or absence of the above personal information and changes the operation restriction. However, the operation restriction may be determined according to the Pr mark.

  For example, the management server restricts the operation of the user terminal 11 based on the presence / absence of the personal information described above according to the Pr mark (Pr mark table 1110d) given to the determination target file as described above.

For example,
In Pr1, when an electronic file is transferred, it is encrypted and transferred. When the above management conditions are satisfied, a password necessary for decryption is transmitted from the management server side.
In Pr2, transmission of the electronic file is stopped.
In Pr3, the transmission destination is changed to the management server when the electronic file is transmitted.
In Pr4, the user terminal prohibits transmission including all electronic files not corresponding to Pr4, and the corresponding electronic file is deleted from the user terminal.
It is possible to limit the operation of electronic files step by step.

Here, not only imposing the limitation of the operation according to the Pr mark as described above, but also changing the content of the operation limitation according to the sum or product of the evaluation level for the management condition and the rank of the personal information Pr. Is also possible.

[3-3] Other functional configuration of the management server:
[3-3-1] Functional configuration of the management server 20:
In the above description, on the user terminal 11 side, the operation restriction of the user terminal 11 is executed according to the degree of safety in the management conditions and the presence / absence of personal information and confidential information. May be managed on the management server 20 side.

FIG. 13 is a block diagram showing the functional configuration of the management server 20 of the present embodiment when managing the presence / absence of personal information and confidential information on the management server side. As shown in FIG. The server 20 includes a CPU 20a that executes various processes and a database (RDB: Relational DataBase) that stores and saves log information and personal information files from each user terminal 11.
) 20b and a display unit 20c for displaying various information including log information and personal information stored in the database 20b.

  The CPU 20a includes client information collection means 201, installation means 202, collection means 203, second personal information search means 204, difference extraction means 205, second control means 206, management console 207, second personal information management means 208, display control. Functions as the means 209, the transmission / reception means 210, and the digital signature means 211 are realized by the CPU 20a executing a personal information management server program (including a personal information search program).

  The client information collection unit 201 sets the network and transmission / reception unit 210 when starting the search and management of the personal information file, such as when the management system 1 is started up or when a new user terminal 11 is connected to the network. Client information (host information) is collected from the user terminals 11 that are communicably connected to each other, and the user terminal 11 that is the object of searching and managing the personal information file is recognized. At this time, information on whether or not each user terminal 11 requests installation of the personal information search program described above (whether or not the personal information search program is desired to reside) is also collected.

  The installation unit 202 installs the personal information search program described above on the user terminal 11 connected to the network via the network and the transmission / reception unit 210 in response to a request from the user of the user terminal 11. Is. Then, the user terminal 10 is caused to execute the user terminal program to search for a management target file in the storage unit 1110b of the user terminal 10.

  Note that the user terminal 11 in which the personal information search program is installed by the installation means 202 becomes the user terminal 11 (personal information search program resident terminal), and the user terminal 11 in which the personal information search program is not installed is the user. It becomes terminal 11 (personal information search program non-resident terminal).

The collection unit 203 receives and collects the search result of personal information file (link destination information of personal information file, determination value, Pr mark, etc.) executed by the user terminal 11 via the network and the transmission / reception unit 210, In addition to performing the function of storing in the database 20b, in order to search for a personal information file in the user terminal 11, a function of sucking up all files in the user terminal 11 via the network and transmission / reception means 210 at the time of the first search, A function of sucking up a difference file (described later) in the user terminal 11 via the network and the transmission / reception means 210 at the time of the periodic search after the first search, or the latest file information at the user terminal 11 at the time of the first search or the periodic search. (To be described later) via network and transmission / reception means 210 Gel functions are also intended to fulfill.

  Further, the collecting unit 203 grasps the personal information file in each user terminal 11 based on the search result transmitted from each user terminal 11, and each personal information file via the network 30 and the transmission / reception unit 210. It functions as a log collecting means for collecting and recording the access log from the user terminal 11.

  The access log collection by the collection unit 203 may be performed passively by receiving the access log of each user terminal 11 or periodically from the collection unit 203 side to each user terminal 11. This may be done actively by making an access log transmission request.

  As described above, the access log collected here is detected and recorded for each personal information file by the detecting means 1200 of each user terminal 11, and includes the access type and the number of accesses. In association with the name, information (PC name) that can identify the user terminal 11 that has accessed the personal information, and information (owner name) that can identify the owner of the user terminal 11, It is registered and stored in the database 20b. In the present embodiment, the collection unit 203 also collects the number of accesses to the browsing-prohibited site at each user terminal 11 as an access log, and registers and saves it in the database 20b in association with each user terminal 11. Shall.

  The second personal information search means 204 searches the personal information file in the user terminal 11 via the network by executing the above-described personal information search program by the CPU 20a. In the present embodiment, the second personal information search means 204 searches the personal information file. The file extracted from the user terminal 11 is determined as a determination target, and it is determined whether or not the file is a personal information file.

  This second personal information search means 204 also functions as a text extraction engine that converts the determination target file into a text file, as well as the personal information search means 1100 described above, and also includes a quarantine table 20b-1 (user terminal described above) in the database 20b. 11 is the same as the quarantine table 1110c in FIG. 11) and functions as a search engine that searches for personal information files from the data in the storage unit 1110b of the user terminal 11. That is, the second personal information searching unit 204 searches the personal information file by referring to various electronic files existing in the storage unit 1110b of the user terminal 11 according to the quarantine table 20b-1, and is a personal information file. The determined electronic file is written in a log. In the present embodiment, the Pr mark determined based on the determination result (determination value) obtained by the second personal information exploration means 204 is the Pr mark table 20b-2 in the database 20b (the above-described user terminal). 11 is the same as the Pr mark table 1110d in FIG.

  The second personal information searching unit 204 has the same functional configuration as the personal information searching unit 1100 shown in FIG. 12, but in the second personal information searching unit 204, the extracting unit 1110 includes a storage unit 1110b. Instead, the collection means 203 is connected, and the quarantine table 20b-1 and the Pr mark table 20b-2 are used instead of the quarantine table 1110c and the Pr mark table 1110d. In addition, the transmission / reception unit 210 is connected to the second determination unit 1160 instead of the transmission / reception unit, and the determination result by the second personal information search unit 204 is notified to the user terminal 11.

Then, the determination result notified to the user terminal 11 as described above and the data of the location (address in the electronic file) corresponding to the personal information of the electronic file are stored in the storage unit 1110.
stored in a storage means such as b.

  Here, in the database 20b of the management server 20, the same quarantine table 20b-1 as the quarantine table 1110c to be provided to the user terminal 11, the determination result (Pr mark) by the personal information exploration means 1100 of the user terminal 11, and A Pr mark table 20b-2 for holding a determination result (Pr mark) by the second personal information searching unit 204 and an electronic file information storage unit 20b-3 to be described later are provided.

  The file information storage unit 20b-3 stores the latest file information that has been sucked up from the user terminal 11 by the collection unit 203 at the time of the initial search or the periodic search, and finally the period of the personal information file by the second personal information search unit 204. The information is stored as information on the electronic file in the user terminal 11 at the time of the search. Here, as described above, the file information is information on all files in the user terminal 11 (storage unit 1110b), specifically, file creation / update date / time, file size, and file name.

  The difference extraction unit 205 performs the latest search for the electronic file in the user terminal 11 (latest file information) and the information stored in the file information storage unit 20b-3 (finally the personal information file is periodically searched during the regular search. And the electronic file added / changed between the time when the personal information file was last searched and the current time as a difference file, the network, transmission / reception means 410 and collection The information is periodically extracted from the user terminal 11 via the means 203.

  The second control means 206 sends the user to the second personal information exploration means 204 first (when the management system 1 is started up / when the user terminal 11 is newly connected) in the procedure described later with reference to FIG. The personal information search program is started once for all data in the storage unit 1110b of the terminal 11 and then the personal information search program is started whenever necessary, so that the difference extraction unit 205 The second personal information exploration means 204 is caused to execute a periodic exploration for determining whether or not the difference file extracted by the above is a personal information file.

  The management console 207 sets and manages personal information file determination conditions (the quarantine tables 1110c and 20b-1, the predetermined threshold necessary for determining the personal information file and the Pr mark, etc.). In the quarantine tables 1110c and 20b-1, the above-described telephone number determination conditions, e-mail address determination conditions, address determination conditions, character determination conditions (the predetermined range) and inappropriate characters / unsuitable character strings are set.

  The second personal information management means 208 manages personal information files in each user terminal 11 based on the search results collected by the collection means 203 and stored in the database 20b. An electronic file (an electronic file to which a Pr mark is attached; hereinafter referred to as a personal information file) determined as a personal information file by the two personal information searching means 204 is managed.

  This second personal information management means 208 provides the personal information file user (owner) with the personal information file judgment value (or Pr mark) registered in the Pr mark table 20b-2 of the database 20b. Notice information / warning information is notified, personal information file is forcibly captured and collected from the user terminal 11 storing the personal information file, and the personal information file is externally transmitted from the user terminal 11 to the outside. Forcibly prohibiting output, storing the personal information file in a folder (not shown) accessible only to the administrator, or allowing the file access management server 20 'to manage access to the personal information file. To do.

  For example, when the rank of the Pr mark is “Pr1”, the warning information is not recommended, but the presence of the personal information file “Pr1” is recorded as a log. When the rank of the Pr mark is “Pr2”, notice information in a pop-up display is notified in order to call attention to the user of the personal information file. If the rank of the Pr mark is “Pr3”, the system administrator is notified by e-mail as warning information that there is a user storing the personal information file, and the personal information file is returned. To the user. When the rank of the Pr mark is “Pr4”, the personal information file is forcibly captured and collected from the user terminal 11 or the personal information file is forcibly output from the user terminal 11 to the outside. It is prohibited, the personal information file is stored in a folder accessible only to the administrator, or access to the personal information file is managed by the file access management server 20 ′. Even if the Pr mark rank is not “Pr4”, if the personal information file “Pr3” is left for a predetermined number of days, the rank of the Pr mark is “Pr4” for the personal information file. You may make it perform the treatment similar to the case.

  Further, the second personal information management means 208 has a function for searching the personal information file stored in each user terminal 11 or the database 20b with various accuracy, and the search control means 26 displays the search result on the display unit 20c. It has a function to display.

  The display control unit 209 controls the display state of the display unit 20c so that various types of information are displayed on the display unit 20c. The transmission / reception unit 210 exchanges various types of information with each user terminal 11 via the network. Send and receive.

  The digital signature unit 211 gives a digital signature to the personal information file searched by the personal information search unit 1100 or the second personal information search unit 204. Here, the digital signature is encrypted signature information attached to guarantee the authenticity of the digital document, and proves the creator of the digital document (here, the personal information file) by applying public key cryptography. And that the document has not been tampered with. The signer (administrator on the management server 20 side) adds a signature encrypted using his / her private key to the digital document and sends it. The recipient (the user on the user terminal 11 side) decrypts the signature using the signer's public key and confirms whether the content is correct. As a result, it can be used not only to prevent forgery by a third party but also to prove that the signer has created the digital document.

  The personal information file of the user terminal 11 is transmitted from the user terminal 11 to the management server 20 via the network, and after being given a digital signature by the digital signature unit 211, it is returned to the user terminal 11 for digital The original personal information file to which no signature is assigned is deleted. Further, the personal information file of the user terminal 11 is returned to the user terminal 11 after being given a digital signature by the digital signature means 211 after determination on the management server 20 side, and is an original individual not assigned with a digital signature. The information file will be deleted.

In addition, the second personal information management unit 208 of the present embodiment includes a search result by each user terminal 11, an access log collected and recorded by the collection unit 203, and a survey collected and recorded by the client information collection unit 201. Based on the result (information on the presence or absence of a program that causes the user terminal 11 to function as an external storage medium driver), public information on the access status to each personal information file or external storage to manage each user terminal 11 Create public information related to the user terminal 11 in which the medium driver is installed, and display the public information on the display unit 20c, make it public to all user terminals 11 via the network 30, A function for notifying all user terminals 11 by e-mail or the like via 30 A.

  Here, as public information, the file name of the personal information file, information (PC name) that can identify the user terminal 11 that has accessed the personal information file, and the owner of the user terminal 11 Information (owner name), the total number of personal information files (the number of personal information files and the number of personal information held in the user terminal 11), and the total number of accesses to the personal information file (individuals) Information file / access type). Examples of the access type include printing, writing to an external storage medium, deletion, rename (change), overwriting, uploading to an FTP server, and the like.

  Also, as public information, information (PC name) that can identify the user terminal 11 that has a personal information file and that has an external storage medium driver installed, and the owner of the user terminal 11 are specified. There is also information that can be obtained (owner name), the file name of the personal information file held in the user terminal 11, and the number of times of writing the personal information file to the external storage medium 40 executed in the user terminal 11. .

  Furthermore, the second personal information management means 208 of the present embodiment, in addition to the information related to the access status to the personal information file, the number of accesses to the browsing-prohibited site in each user terminal 11 (see, for example, FIG. 21) It also has a function of monitoring / collecting the number of accesses to the personal information file in the other terminal / server of the user terminal 11 and creating / disclosing it as public information.

A specific example of public information created and disclosed by the second personal information management unit 208 will be described later with reference to the drawings.
Furthermore, the second personal information management unit 208 of the present embodiment includes a search result by each user terminal 11, an access log collected and recorded by the collection unit 203, and a survey collected and recorded by the client information collection unit 201. Results (information on the presence / absence of a program that causes the user terminal 11 to function as an external storage medium driver or encryption unit / registration unit), the number of accesses to a browsing-prohibited site, and the number of accesses to a personal information file in another terminal / server In order to manage each user terminal 11, the security level in each user terminal 11 for preventing the leakage of the personal information file from each user terminal 11 is changed and set to the security level. Depending on the restriction of access to the file in each user terminal 11 and each user terminal Change the first operation restriction, which is configured to perform a function of preventing the leakage of information included in the personal information file itself or a personal information file from the user terminal 11 (personal information element).

  The second personal information management means 208 of the present embodiment, for example, according to the criteria of the following items (11) to (15), the security level setting of each user terminal 11 (file access restriction setting and operation restriction setting) ).

    (11) A high security level is set for the user terminal 11 that has executed processing / operation related to the personal information file (some access to the personal information file in the own terminal 10 / other terminal / server), and the file in the user terminal 11 is set. Users who have strictly restricted access restrictions (including not only personal information files but also normal files) and operation restrictions of the user terminal 11, but have not executed any processing / operations related to personal information files for a predetermined period of time. For the terminal 11, the security level is set low, and the access restriction and the operation restriction are released or relaxed.

(12) For the user terminal 11 that has the personal information file in the storage unit 1110b, the security level is set high, and the access restriction on the file in the user terminal 11 and the operation restriction of the user terminal 11 are tightened. On the other hand, for the user terminal 11 that does not have a personal information file in the storage unit 1110b, the security level is set low, and the access restriction and the operation restriction are released or relaxed.

    (13) A high security level is set for the user terminal 11 for which the encryption function for automatically encrypting the file sent to the outside (function as the encryption means / registration means described above) is not set. While restricting access restrictions on files in the user terminal 11 and operation restrictions of the user terminal 11, the user terminal 11 to which the encryption function is set is set to a low security level so that the access restriction and the operation are performed. Remove or relax restrictions.

    (14) While setting a high security level for the user terminal 11 in which the driver for the external storage medium is installed, the access restriction on the file in the user terminal 11 and the operation restriction of the user terminal 11 are tightened. For the user terminal 11 in which the external storage medium driver is not installed, the security level is set low, and the access restriction and the operation restriction are released or relaxed.

    (15) While setting a high security level for the user terminal 11 accessing the browsing-prohibited site, the access restriction on the file in the user terminal 11 and the operation restriction of the user terminal 11 are tightened. For the user terminal 11 that has not accessed the browsing-prohibited site, the security level is set low, and the access restriction and the operation restriction are released or relaxed.

  When the second personal information management unit 208 performs such security level settings (access restriction settings and operation restriction settings for files), personal information files may be inadvertently leaked, leaked, or illegally used. User terminal 11 with low possibility, specifically, no personal information file is accessed for a predetermined period, no personal information file is held, and the externally sent file is encrypted. Access restrictions and operation restrictions on the user terminal 11 that has a function for the above, has not installed an external storage medium driver, and does not access any browsing-prohibited site. An environment in which the user terminal 11 can be used efficiently after being released or relaxed is provided to the user.

  Here, the access restriction states include a state where all types of access such as printing, writing to an external storage medium, deletion, rename (change), overwriting, uploading to an FTP server can be executed, and all types of access. If the security level “Low” is set and the security level “Low” is set, all types of access are switched to the executable state, while the security level “High” is set. For example, all types of access may be switched to an inexecutable state. In addition, as a state of access restriction, multiple levels are set from a state where all types of access can be performed to a state where all types of access cannot be performed, and the security level is set from low to high. You may make it switch in steps corresponding to each level.

Moreover, as the operation | movement restriction | limiting state of the user terminal 11, the state of the following item (21)-(25) is raised, for example.
(21) Restrict or prohibit Internet connection. At this time, the second personal information management means 208 completely prohibits the connection to the external site from the state in which the user terminal 11 can be connected to all external sites according to the security level. The state may be changed step by step. In the stepwise change, for example, the connectable sites are limited stepwise depending on the content and type of the site.

    (22) When displaying the contents of the personal information file (managed file) on the user terminal 11, a mask display of the personal information element (or confidential information element) in the content is performed. When displaying the mask, for example, the personal information element (or confidential information element) in the content is replaced with a state in which the element cannot be specified (for example, “XXX”, “XXX”, etc.). Further, the second personal information managing means 208 may change the portion masked by the mask display step by step according to the security level. In gradual changes in accordance with the security level, for example, name, address details (such as condominium name and address), address city name, phone number, email address, etc. Increase the mask display. Further, the second personal information managing means 208 determines whether or not display of the contents is permitted for the user terminal 11 or the user of the user terminal 11 and if not permitted, the mask is displayed. While displaying, the mask display may not be performed if permitted, or the user terminal 11 or the user himself / herself of the user terminal may be in the department for creating the management target file (personal information file). It may be determined whether or not the user belongs, and the mask display may be performed when the user does not belong, while the mask display may not be performed when the user belongs. In this case, information indicating whether display is permitted for each user terminal 11 or for each user is registered in advance in a table or the like of the storage unit (this information may be registered for each file). The second personal information management means 208 determines display permission by referring to the table or the like. In addition, the department in which each file is created and the department to which each user terminal 11 (or user) belongs is registered in advance in a table or the like in the storage unit, and the second personal information management means 208 refers to the table or the like Judgment is made as to whether it belongs to the creating department. If the management target file is, for example, a personal information file in a hospital, since a medical history is included as a personal information element, a mask display of the medical history is performed. At this time, when the above-described stepwise change is made in accordance with the strictness according to the security level, the mask display is increased at least in the order of name, medical history, and the like. Thus, the user can obtain statistical information such as a medical history without leaking the personal name in a state before the security level is increased. Also, if the management target file is a personal information file for real estate, for example, annual income information or the like is included as a personal information element, so that the annual income information or the like is displayed as a mask. At this time, when the above-described stepwise change is made in accordance with the strictness according to the security level, the mask display is increased at least in the order of name, annual income information, and the like. Thereby, the user can obtain statistical information such as annual income information without leaking the personal name in a state before the security level is increased.

(23) When printing the contents of the personal information file (management target file) at the user terminal 11, the personal information element (or confidential information element) in the contents is mask-printed. When printing a mask, as with the mask display in item (22) above, for example, the personal information element (or confidential information element) in the content cannot be specified (for example, “XX” or “XXX”). Etc.). Further, the second personal information management means 208 may change the portion masked by mask printing step by step according to the security level. In gradual changes in accordance with the security level, for example, name, address details (such as condominium name and address), address city name, phone number, email address, etc. Increase mask printing. Further, the second personal information management means 208 determines whether the user terminal 11 or the user himself / herself of the user terminal 11 is permitted to print the content. While printing is performed, the mask printing may not be performed if permitted, or the user terminal 11 or the user himself / herself of the user terminal may be in the department for creating the management target file (personal information file). It may be determined whether the user belongs, and the mask printing may be performed when the user does not belong, while the mask printing may not be performed when the user belongs. In this case, information indicating whether printing is permitted for each user terminal 11 or for each user is registered in advance in a table or the like of the storage unit (this information may be registered for each file). Second personal information management means 20
8 determines whether to permit printing by referring to the table. In addition, the department in which each file is created and the department to which each user terminal 11 (or user) belongs is registered in advance in a table or the like in the storage unit, and the second personal information management means 208 refers to the table or the like. Judgment is made as to whether it belongs to the creating department. If the management target file is, for example, a personal information file in a hospital, since a medical history is included as a personal information element, mask printing of the medical history is performed. At this time, in the case where the above-described stepwise change is made in accordance with the strictness according to the security level, the mask printing is increased at least in the order of name, medical history, and the like. Thus, the user can obtain statistical information such as a medical history without leaking the personal name in a state before the security level is increased. If the management target file is, for example, a personal information file for real estate, since the annual income information and the like are included as the personal information element, mask printing of the annual income information and the like is performed. At this time, when the above-described stepwise change is made in accordance with the strictness according to the security level, the mask printing is increased at least in the order of name, annual income information, and the like. Thereby, the user can obtain statistical information such as annual income information without leaking the personal name in a state before the security level is increased.

  Note that the second personal information management unit 208 performs the storage unit 1110b by the personal information search unit 1100 in the user terminal 11 when the access restriction on the file or the operation restriction of the user terminal 11 is strictly changed as described above. The search is executed again, and the result of the search is transmitted to the management server 20 by the transmission / reception means 1500.

  In this embodiment, the security level is set (access restriction setting and operation restriction setting) for each of the criteria of the items (11) to (15). Based on the total value of the numerical values, or the values obtained by substituting the numerical values into a predetermined function (for example, values obtained by weighting and adding), the criteria for the above items (11) to (15) are determined. The security level may be set by comprehensively judging whether the level is satisfied.

[3-3-2] Functional configuration of file access management server 20 ′:
FIG. 14 is a block diagram showing the functional configuration of the file access management server 20 ′ of this embodiment. As shown in FIG. 13, the file access management server 20 ′ of this embodiment is, for example, the management server 20 (second A personal information file (a personal information file whose Pr mark rank is “Pr4”) instructed by the personal information management means 208) is to be managed, a CPU 30a that executes various processes, and an encryption key and decryption as will be described later. A storage unit 30b for storing a key or the like is provided. Here, the personal information file whose Pr mark rank is “Pr4” is a management target, but the personal information file is managed by the first personal information search means 1100 and the second personal information search means 204 regardless of the rank of the Pr mark. All the electronic files determined to be may be managed by the file access management server 20 ′.

  The CPU 30a functions as a transmission / reception unit 31, a conversion unit 32, an encryption unit 33, and a determination unit 34, which will be described later. These functions are realized by the CPU 30a executing a program for a file access management server. Is done. Further, as will be described later, the storage unit 30b has an encryption key for encrypting the personal information file, a decryption key for decrypting the encrypted personal information file, and an access to the encrypted personal information file. Stores authority (to be described later) and user ID / password of a pre-registered user [registrant (employee) who is permitted to view encrypted files], and is configured by a hard disk or RAM, for example. .

The transmission / reception means 31 is realized by a communication function originally possessed by the file access management server 20 ′. It functions as the decryption key transmission means 31d.

The personal information file receiving means 31 a receives a personal information file to be managed from the management server 20 via the network 30.
The conversion unit 32 converts the personal information file to be managed received by the personal information file receiving unit 31a into a completed document file such as a PDF (Portable Document Format) file that is difficult to falsify. The conversion means 32 is realized by, for example, a PDF driver. By starting the PDF driver, the personal information file is converted to PDF, and a PDF file as a completed document file is generated.

The encryption unit 33 encrypts the PDF file obtained by the conversion unit 32 using a predetermined encryption key.
The encrypted file transmission unit 31b transmits the file encrypted (keyed) by the encryption unit 33 (hereinafter referred to as an encrypted file) to the management server 20 via the network.

  In the management by the file access management server 20 ′, various access authorities (permissions such as viewing, transmission, copying, etc.) for each encrypted file are used depending on the policy setting at the time of encryption by the encryption means 33 as described above. Set for each person or encrypted file. At that time, one type of policy is set in order to simplify the system operation, and by the policy setting, the access authority at each user terminal 11 for all the encrypted files [for example, in-house where the system 1 is installed As the access authority of all employees / all users (all registered users registered in the file access management server 20 ′), only browsing authority is automatically set (granted), and access other than browsing, for example, Access such as sending, copying, saving as another name, and screen capture (screen shot) may not be performed.

  The authentication information receiving unit 31c receives the authentication information transmitted from the user terminal 11 or the management server 20 via the network when accessing the encrypted file at the user terminal 11 or the management server 20. Here, the authentication information is file access management that the user terminal 11 or the management server 20 who is trying to open the encrypted file is a valid transmission destination (user / registrant) of the encrypted file. This is information necessary for determination / authentication by the server 20 ′, and a user ID and a password registered in advance in the file access management server 20 ′ (storage unit 30b) for the user of the service by the file access management server 20 ′. Contains. These user ID and password are input by the user operating the keyboard and mouse when opening the encrypted file.

  Based on the authentication information received by the authentication information receiving unit 31c, the determining unit 34 determines whether the user terminal 11 / management server 20 that has transmitted the authentication information is a valid transmission destination of the encrypted file. In practice, it is determined whether or not the user ID and password input by the user match the user ID and password registered and stored in advance in the storage unit 30b of the file access management server 20 ′. Thus, it is determined and authenticated whether or not the user is a valid registrant.

  The decryption key transmission unit 31d reads out the decryption key for decrypting the encrypted file from the storage unit 30b when the determination unit 34 authenticates that the user is a valid registrant, and the user terminal 11 Alternatively, it is transmitted to the management server 20 via the network.

When the user terminal 11 or the management server 20 receives the decryption key from the file access management server 20 ′, the decryption of the encrypted file is performed using the decryption key, and the original personal information file is restored. Access (for example, browsing) corresponding to the given access authority is performed on the personal information file that has been given.

[3-4] Personal / confidential information management operation of this embodiment:
Next, the operation of the information management system 1 according to the present embodiment configured as described above will be described with reference to FIGS.

[3-4-1] Operation of user terminal 11:
In the system 1, the management server 20 recognizes whether or not the user terminal program is installed in the user terminal 11 connected to the network 30. If the user terminal 11 is not installed, the user terminal 11 The above-mentioned user terminal program is installed.

  In the user terminal 11 in which the user terminal program is installed, the following processing is performed by executing the user terminal program. The operation of the user terminal 11 of the present embodiment will be described according to the flowchart (steps S11 to S17) shown in FIG.

  In the user terminal 11, it is determined whether or not the personal information file search timing by the personal information searching means 1100 has come (step S11), and whether or not the personal information file has been accessed (from the NO route in step S11 to step S14). Whether or not the access log transmission timing has come (from the NO route in step S14 to step S16) is constantly monitored.

  Searching the personal information file by the personal information search means 1100 indicates that the user terminal program program has been installed from the management server 20, the user terminal 11 is started, or a predetermined search cycle has elapsed. When the timing is detected (YES route in step S11), the function as the personal information searching unit 1100 is activated, and the personal information searching unit 1100 identifies and searches the personal information file from the data in the storage unit 1110b ( Step S12: The detailed search procedure will be described later with reference to FIG.

  Then, for each personal information file searched by the personal information searching unit 1100, the determination result (determination value / system value) and the Pr mark together with information (for example, a file name) for specifying the file are included in the transmission / reception unit 1500. And it is transmitted as a search result to the management server 20 through the network 30 (step S13).

  In the user terminal 11, when the access to the personal information file searched by the personal information searching unit 1100 is detected by the detecting unit 1200 (YES route in step S14), the access content is stored as an access log for each file. For example, it is recorded / saved in the storage unit 1110b (step S15). It is assumed that the personal information file to be detected by the detection unit 1200 includes not only those stored in the storage unit 1110b of the terminal itself but also those stored in other terminals / servers.

Furthermore, when the access is detected by the detection unit 1200, or when a predetermined access log transmission cycle or an access log transmission request from the management server 20 (collection unit 203) is detected as the access log transmission timing (step S3). S16 YES route), the access log immediately after being detected by the detection means 1200, or the access log recorded / accumulated in the storage unit 1110b until then is transmitted / notified to the management server 20 through the transmission / reception means 1500 and the network 30. (Step S17).

  If the function as the encryption unit 15 is set in the user terminal 11, the file attached to the mail or written to the external storage medium 40 and sent to the outside is stored as the encryption unit 15. The PDF file is converted into a PDF file having a container function by the function, the original file of the file is stored in the PDF file using the container function, and then the PDF file is stored in a predetermined file managed by the file access management server 20. It is encrypted with the encryption key and an encrypted file is created. At this time, for the user who accesses the encrypted file, the access authority (for example, viewing authority) for the encrypted file is automatically set from the encryption unit 15 to the file access management server 20.

  Further, when the function as a registration unit is set in the user terminal 11, the file attached to the mail or written to the external storage medium 40 and sent to the outside is managed by the function as the registration unit. The server 20 is registered in the server 20 to be managed under the function of the file access management server. At the time of registration, the file is transmitted from the registration unit to the server 20 via the transmission / reception unit 1500 and the network 30, and an encrypted file created by a procedure described later with reference to FIG. Received from the server 20.

[3-4-2] Operation of personal information exploration means:
In the personal information searching means 1100 and 204 of this embodiment, the appearance frequency of the telephone number, e-mail address, address, and name is digitized as follows, and the personal information file is specified and searched. At this time, if the character section cut out by the cutting means 1120 includes an inappropriate character / unsuitable character string preset as a character / character string that cannot appear in the personal information, the character section is As a character / character string that cannot appear in the personal information in advance in the character section cut out by the cutting means 1120, it is excluded because it is regarded as not corresponding to the personal information element (name in this embodiment). If the set inappropriate character / unsuitable character string is not included, the character section is regarded as corresponding to the personal information element constituting personal information, that is, the personal information element appears. , Count up the number of appearances.

  A series of procedures for the first personal information file search operation executed by the personal information search means 1100 and 204 (personal information search program) described above in the user terminal 11 or the management server 20 of the present embodiment are shown in FIG. It demonstrates according to the flowchart (steps S1802-S1818) shown.

When constructing the management system 1 of the present embodiment, first, the personal / confidential information management server program is installed in the computer that should function as the management server 20, and the computer executes the personal / confidential information management server program. By doing so, the function as the management server 20 is achieved. When starting the search / management of the personal information file, the management server 20 installs the personal information search program via the network to the user terminal 11 that wants to reside in the personal information search program. By executing the personal information search program installed in this way by the processing unit (CPU) 110 of the user terminal 11, the processing unit (CPU) 110 allows the personal information search unit 1100, the detection unit 1200, and the first control unit 1300. , Access monitoring means 1400, transmission / reception means 1500, and transmission request monitoring means 1600. When the personal information search program is installed, the quarantine table 1110c is also transmitted. The personal information search program is included in advance in the personal / confidential information management server program. The personal information search program is installed in the user terminal 11 and the personal information search program is executed by the management server 20. As a result, the CPU 20a of the management server 20 functions as a second personal information search means.

  FIG. 16 shows the first time executed by the personal information search unit 1100 in the user terminal 11 when the management system 1 is started up / when the personal information search program is installed / when the user terminal 11 is newly connected. The first personal information file executed by the second personal information searching means in the management server 20 at the time of starting the personal information file or when the management system 1 is started up or when the user terminal 11 is newly connected. The procedure of the exploration operation is shown.

  An electronic file that is not yet a determination target is selected and read out from all the data of the user terminal 11 as a determination target file (step S1802) and extracted from the determination target file (text extraction engine). ) 111 extracts text data (step S1803).

  From the extracted text, the character section delimited by the delimiter described above is extracted by the extraction means 1120, and sequentially written in a buffer (not shown) as a determination target / collation target (step S1804). When cutting out a character section, as described above, the cutting means 1120 removes symbols other than alphanumeric characters, katakana, hiragana, kanji characters, such as hyphens, underbars, and parenthesis symbols, from the character section. .

  Whether or not the character string (hereinafter simply referred to as character string) in the character section from which the symbol character has been removed by the cutting means 1120 corresponds to any one of a telephone number, an e-mail address, and an address. Are sequentially determined by the telephone number determination unit 1130a, the e-mail address determination unit 1130b, and the address determination unit 1130c (steps S1805, S1807, S1809).

  First, the telephone number determination unit 1130a determines whether or not the character string corresponds to a telephone number (step S1805). At this time, if the character string satisfies the telephone number determination condition set in the quarantine table 1110c, that is, if the character string includes 9 to 15-digit numbers, the character string is converted into a telephone number. (YES route of step S1805), the fact is notified to the second determination means 1160, and the second determination means 1160 counts up the count value corresponding to the number of appearances of the telephone number by one. Then (step S1806), the process proceeds to step S1814.

  If it is determined that the character string does not correspond to a telephone number (NO route in step S1805), the e-mail address determination unit 1130b determines whether the character string corresponds to a telephone mail address (step S1807). ). At this time, if the character string satisfies the e-mail address determination condition set in the quarantine table 1110c, that is, “one or more ASCII” + “@” + “one or more ASCII” + If the character string “.” + “ASCII of one or more characters” is included, it is determined that the character string corresponds to the e-mail address (YES route of step S1807), and that is the second determination means. 1160 is notified, and in the second determination means 1160, the count value corresponding to the number of appearances of the e-mail address is incremented by 1 (step S1808), and the process proceeds to step S1814.

If it is determined that the character string does not correspond to an e-mail address (NO route of step S1807), the address determination unit 1130c determines whether the character string corresponds to an address (location) (step S1809). ). At this time, if the character string satisfies the address determination condition set in the quarantine table 1110c, that is, “one or more double-byte characters” + “city” or “city” or “county” + If a character string that is “one or more double-byte characters” is included, it is determined that the character string corresponds to an address (YES route of step S1809), and that is notified to the second determination means 1160, In the second determination means 1160, the count value corresponding to the number of appearances of the address (residence) is incremented by 1 (step S1810), and the process proceeds to step S1814.

  When it is determined that the character string does not correspond to an address (NO route in step S1809), that is, the first determination unit 1130 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address. If it is determined, whether or not the character string satisfies the character determination condition (the number of characters is 1 or more and 6 or less and all characters are kanji) set in the quarantine table 1110c by the character determination unit 1140. It is determined (step S1811). When this character determination condition is not satisfied (NO route in step S1811), the process proceeds to step S1814.

  On the other hand, if this character determination condition is satisfied (YES route in step S1811), the collation means 1150 determines whether the character / character string included in the character section (character string) and the name set in the quarantine table 1110c are incorrect. The appropriate character / unsuitable character string is collated, and it is determined whether or not the character section includes the inappropriate character / unsuitable character string (step S1812). If at least one character / character string that matches the inappropriate character / inappropriate character string exists in the character section (YES route in step S1812), matching with the inappropriate character / inappropriate character string at that time The process ends immediately, and the process proceeds to step S1814.

  If the character section does not include inappropriate characters / unsuitable character strings (NO route in step S1812), the collation determination result is notified to the second determination unit 1160. In the second determination unit 1160, The character section is considered to correspond to the name, and the count value corresponding to the number of appearances of the name is incremented by 1 (step S18130), and the process proceeds to step S1814.

  In step S1814, it is determined whether or not there is a character section that has not yet been extracted from the text data extracted from the determination target file. If there is a character section (YES route), the process returns to step S1804, and the same processing as described above (steps S1804 to S1804). S18130) is repeatedly executed. When all the character sections are cut out from the text data in this way and the determination processing, collation processing, counting processing, etc. for all the character sections are finished (NO route in step S1814), the second determination means 1160 uses the telephone number, electronic Based on the count values for each of the mail address, address, and name, the above-described determination value is calculated (step S1815).

  Then, in the second determination means 1160, based on the determination value calculated in step S1815, as described above, it is determined whether or not the determination target file is a personal information file, and the Pr mark is ranked. (In the present embodiment, four of "Pr1" to "Pr4") are performed (step S1816).

Thereafter, it is determined whether or not the personal information has been searched for all the electronic files in the user terminal 11 (step S1817). If there are still unsearched electronic files (NO route of step S1817), step S1802 is performed. Returning to FIG. 6, the same processing as described above is executed. On the other hand, when the search is completed for all the electronic files (YES route in step S1817), the personal information file determination result and the Pr mark ranking result in step S1816 are: It is registered in the Pr mark table 1110d or 20b-2, transmitted to the management server 20 via the transmission / reception unit 1500 and the network, and registered and stored in the database 20b by the collection unit 203 in the management server 20 (step S181).
8). Further, the determination result of the user terminal 11 is registered and stored in the database 20b from the second personal information searching means on the management server 20 side (step S1818). After completing the processing in step S1818, the personal information file search operation is terminated.

[3-4-3] Operation of user terminal 11:
Next, the operation of the user terminal 11 will be described. More specifically, here, a real-time search operation and an access monitoring operation executed by the user terminal 11 after the first search for the personal information file described above will be described with reference to FIG.

  In the user terminal 11, the detection unit 1200 monitors changes to an electronic file already stored in the storage unit 1110b and addition of a new electronic file to the storage unit 1110b, and detects addition / change of the file. Each time, the personal information search program is immediately started by the first control unit 1300, and the personal information search unit 1100 determines the added / changed electronic file as a determination target file in steps S1803 to S1816 in FIG. Execute the process. Thereby, a real-time search for determining whether the added / changed electronic file is a personal information file is executed, and the determination result is notified to the management server 20.

  In the user terminal 11, the access monitoring unit 1400 monitors the personal information file (that is, the electronic file assigned with the Pr mark / the electronic file determined to be a personal information file by the personal information searching unit 1100). When access to the personal information file (for example, data change by renaming, copying, erasing, moving, etc.) occurs, the fact is written as log information, and the management server 20 via the transmission / reception means 1500 and the network. Is registered and stored in the database 20b by the collection means 203 in the management server 20.

  In the user terminal 11, if there is a management condition violation, the transmission request monitoring unit 1600 uses the personal information file (that is, the electronic file / principal information search unit 1100 to which the Pr mark has been added) If the access to the personal information file is a transmission request, the presence or absence of the Pr mark is checked.

  If the Pr mark is attached to the electronic file, the operation restriction control unit 1800 that has received an instruction from the transmission request monitoring unit 1600 transmits the electronic file in a predetermined restriction state defined in the operation restriction control agent file or the like. Etc.

  That is, if the personal information file exists at the time of electronic file transmission, etc., the transmission destination is changed to the management server at the time of transmission stop, transmission, etc. if encrypted, all electronic files not corresponding to Pr Control is performed so as to execute a predetermined restriction such as prohibition of transmission including, and deletion of the corresponding electronic file from the user terminal.

  If the Pr mark is not attached to the electronic file, the operation restriction control unit 1800 that has received an instruction from the transmission request monitoring unit 1600 executes transmission of the electronic file without restriction.

If the access to the personal information file is a display request (view request) to the display unit 1110e, the presence or absence of the Pr mark is similarly examined by the display control means.
Here, if the Pr mark is not given to the electronic file, the display control unit displays the electronic file on the display unit 1110e without restriction.

  If the Pr mark is given to the electronic file, the display control means determines whether or not the position of the user terminal 11 acquired by the processing unit (CPU) 110 is a predetermined position (for example, in-house). judge. The location information of the user terminal 11 is obtained from GPS information from a GPS device (not shown), base station information obtained from a mobile phone device or the like, IP information at the time of network connection obtained through the transmission / reception means 1500, and the like.

  Here, if the position of the user terminal 11 exists at a predetermined position (in-house or the like), the display control unit displays the electronic file on the display unit 1110e in an unrestricted state.

  If the position of the user terminal 11 does not exist at a predetermined position (in-house or the like), the display control unit displays the electronic file on the display unit 1110e in a restricted state.

  That is, when the personal information file is sent from the display control means to the display unit 1110e, the portion corresponding to the personal information in the personal information file is controlled to be invisible by the mask and displayed on the display unit 1110e.

  Here, the invisible state by the mask means that the character color is the same as the background color, or the character surroundings are painted with the same color as the character color, a hard-to-see watermark is added, and it is replaced with a fixed meaningless character. Execute processing such as

  For example, if the background color is transparent or white and the text color is black, the text color will be white, or the area around the text will be filled with black, or the text will be constant, such as a black circle Replace with the character.

  As a result, the personal information portion of the personal information file is not displayed on the display, and personal information is prevented from being leaked through the display medium. It is also possible to display the personal information part in a light color. Further, according to the rank of the Pr mark, the high-level personal information file may be prohibited from being displayed as a whole or may be displayed in an invisible state using a mask.

  In addition, when the above electronic file transmission or the like is restricted in display, it is not only simply canceled, but a message file indicating that it cannot be transmitted or displayed because it is a personal information file may be transmitted or displayed. Good.

[3-4-4] Operation of management server for personal / confidential information:
Next, the operation of the management server 20 of this embodiment will be described with reference to FIGS.

First, the main operation of the management server 20 of this embodiment will be described with reference to the flowchart shown in FIG. 17 (steps S201 to S215).
In the management server 20, it is determined whether or not the collection timing by the client information collecting unit 201 has come (step S201), and whether or not the search result by the personal information searching unit 1100 has been received from each user terminal 11 (NO route of step S201) To step S206), whether or not the access log collection timing has come (from the NO route of step S206 to step S210) is constantly monitored.

When the client information collection unit 201 detects that the system 1 has been started up, or that the user terminal 11 has been connected to the network 30, or that a predetermined collection period has elapsed. (YES route of step S201), the user information (host information) of each user terminal 11 is collected by the client information collecting means 201, and a program (for example, the above-mentioned program for the user terminal) in each user terminal 11 is collected. In addition, the client information collection unit 201 collects the installation status of the program that causes the user terminal 11 to function as an external storage medium driver or encryption unit / registration unit (step S202). The collected installation status (presence / absence of each program) is registered / saved in the database 20b in association with each user terminal 11.

  When there is a user terminal 11 in which the user terminal program is not installed (YES route in step S203), the installation unit 202 causes the user terminal 11 to connect to the user terminal 11 via the transmission / reception unit 210 and the network 30. The terminal program is installed, and the user terminal 11 is made to execute the user terminal program to search for a management target file in the storage unit 1110b of the user terminal 11 (step S204).

  After installing the user terminal program in the user terminal 11 as described above, or when there is no user terminal 11 in which the user terminal program is not installed (NO route in step S203), each use According to the installation status of the external storage medium driver in the user terminal 11 and the setting status of the encryption means / registration means, that is, the presence or absence of a program that causes the user terminal 11 to function as the external storage medium driver or encryption means / registration means. Thus, the security level for each user terminal 11 is set by the second personal information management means 208 (step S205).

  At this time, the second personal information management means 208 performs the security level for the user terminal 11 that is not set to function as the encryption means / registration means in accordance with the security level setting criteria described in the item (13) described above. Is set high to tighten access restrictions on the file and operation restrictions of the user terminal 11, while the user terminal 11 set with the encryption function is set to a low security level to restrict access to the file. The restriction on the operation of the user terminal 11 is canceled or relaxed, and the security level is set for the user terminal 11 in which the driver for the external storage medium is installed in accordance with the security level setting standard described in the item (14) described above. Is set to a high value to restrict access to files and the user terminal 11 While tightening the operation limit, the user terminal 11 is not installed the driver for the external storage medium releases or relax the operation restriction of access restriction and the user terminal 11 to the file by setting lower security level.

  Further, when a search result by the personal information search means 1100 is received from each user terminal 11 (YES route in step S206), the search result (file name of the personal information file, link destination information, determination value, Pr mark, etc.) Are registered and stored in the database 20b in association with each user terminal 11 by the collection means 203 (step S207). Further, the collecting unit 203 grasps the personal information file in each user terminal 11 based on the search result, and the grasped personal information file is registered as an access log collection target by the collecting unit 203 (step S208). .

Thereafter, the security level for each user terminal 11 is set by the second personal information management means 208 according to the search result of the personal information file from each user terminal 11 (step S209). At this time, the second personal information management means 208 increases the security level for the user terminal 11 that holds the personal information file in the storage unit 1110b in accordance with the security level setting criteria described in the item (12) described above. The storage unit 1110 is set to tighten access restrictions on files and operation restrictions of the user terminal 11
For the user terminal 11 that does not have a personal information file in b, the security level is set low, and the access restriction on the file and the operation restriction of the user terminal 11 are released or relaxed.

  Furthermore, when an active access log notification of each user terminal 11 or an access log transmission request from the management server 20 (collection means 203) is detected as an access log collection timing (YES route in step S210) ) The access log (the access log for the personal information file recorded by the detection unit 1200 and the access log for the browsing prohibited site) is collected from each user terminal 11 by the collection unit 203 (step S211), and the collected access log (The file name of personal information file, PC name, owner name, access type, number of accesses, number of accesses to browsing-prohibited site) is associated with each user terminal 11 / personal information file by the collecting means 203 in a database. 20b is registered and saved (step S 12).

  Then, the second personal information management means 208, the search result by each user terminal 11, the access log collected and recorded by the collection means 203, and the investigation result collected and recorded by the client information collection means 201 (user Based on the presence / absence of a program that causes the terminal 11 to function as an external storage medium driver), in order to manage each user terminal 11, public information regarding the access status to each personal information file and external storage medium driver Public information about the installed user terminal 11 is created (step S213), and the created public information is displayed on the display unit 20c via the display control unit 26 or all user terminals via the network 30. 11 or via the network 30 by e-mail etc. Or it is notified to the terminal 11 (step S214).

  Further, the security level for each user terminal 11 is set by the second personal information managing means 208 in accordance with the access logs collected and recorded by the collecting means 203 (including the access logs for the browsing prohibition log) ( Step S215). At this time, the second personal information management unit 208 performs processing / operation related to the personal information file according to the security level setting standard described in the item (11) described above (for the personal information file in the own terminal 10 / other terminals / servers). While the security level is set high for the user terminal 11 that has executed (some access), access restrictions on files (including not only personal information files but also ordinary files) and operational restrictions on the user terminals 11 are tightened. For the user terminal 11 that has not executed any processing / operation related to the personal information file for a predetermined period of time, the security level is set low to cancel or relax the access restriction on the file and the operation restriction of the user terminal 11, In addition, the security level described in item (15) above. For the user terminal 11 that is accessing the browsing prohibited site in accordance with the network setting standards, the security level is set high to tighten the access restriction on the file and the operation restriction of the user terminal 11, while the browsing prohibited site For the user terminal 11 that has not accessed the file, the security level is set low to cancel or relax the access restriction on the file and the operation restriction of the user terminal 11.

  In the present embodiment, when the second personal information management unit 208 makes a strict change in the access restriction on the file or the operation restriction of the user terminal 11 in steps S205, S209, and S215, the user terminal 11 Then, the personal information search unit 1100 searches the storage unit 1110b again, and the transmission / reception unit 1500 transmits the search result to the management server 20. As a result, the personal information file is searched again at the user terminal that is likely to cause an inadvertent outflow / leakage or unauthorized use of the personal information file (managed file), and the processes of steps S207 to S209 are performed. I'm doing it again.

[3--4-4-1] Specific Example of Public Information A specific example of public information created in step S213 and disclosed in step S214 will be described with reference to FIGS. 21 to 28 show specific examples of public information (screens and lists displayed on the display of the user terminal 11 and the management server 20) created and released by the second personal information management unit 208. FIG.

  FIG. 21 shows a screen 101 for displaying the number of personal information files and the number of personal information held on a display as a bar graph on the display, and “number” (here, “1000 to 100,000”) from this screen 101. A list 102 drilled down and displayed on the display, a screen (bar graph display for each department) 103 drilled down from the screen 101 with “Month” and displayed on the display, and a “department name” from this screen 103 A list 104 that is drilled down (here “Sales Department”) and displayed on the display is shown. In the lists 102 and 104, for each personal information file, the file name, the number of personal information items included in the personal information file (for example, the number of personal information elements), and the possession of the user terminal 11 that owns the personal information file. The user name, the PC name of the user terminal 11, and the department name and job to which the user terminal 11 belongs are displayed.

  FIG. 22 shows a screen 105 that displays the number of accesses to the personal information file (personal information access records) aggregated for each department / access type on the display as a bar graph, and from this screen 105, “Department name” and “Access Lists 106 and 107 drilled down by “type” and displayed on the display are shown. The list 106 is drilled down for “sales department” and “file save”, and the list 107 is drilled down for “sales department” and “USB”. In these lists 106 and 107, For each owner name of the accessed user terminal 11, the PC name of the user terminal 11, the access date and time, the file name of the accessed personal information file, the document path / document operation / printer name / FTP server / FTP command and the like are displayed. In the figure, the access type “FTP” is upload / download to / from the FTP server, “USB” is access to the external storage medium (USB memory), “change” is rename, and “save” is file overwriting save. That is. With such lists 106 and 107, it is possible to record and grasp access to personal information files that may lead to personal information leakage.

  FIG. 23 shows a simplified example of the screen 105 shown in FIG. 22. In FIG. 23, the number of accesses to the personal information file (personal information access records) aggregated for each department is displayed on a display as a bar graph. A screen 108 to be displayed and a list 109 that is drilled down from this screen 108 with a “department name” (here “sales department”) and displayed on the display are shown. In the list 109, for each owner name of the user terminal 11 in the selected department, the PC name of the user terminal 11, the access date and time, the file name of the accessed personal information file, the document path, and the operation The contents are displayed. With such a list 109, it is possible to grasp user operations that may cause personal information leakage.

  FIG. 24 shows a screen 110 that displays the number of target PCs, which are aggregated for each department, that have a personal information file and have a mass storage device (external storage medium driver) installed, as a bar graph on the display. A list 111 that is drilled down from 110 to “department name” (here “sales department”) and displayed on the display is shown. In the list 111, for each owner name of the accessing user terminal 11, the PC name of the user terminal 11, the file name of the personal information file held by the user terminal 11, the document path, and the operation content are displayed. Is displayed. With such a list 111, it is possible to grasp user operations that may leak personal information.

  FIG. 25 shows a screen 112 for displaying the number of times of writing personal information files to an external medium (external storage medium 40), which is aggregated for each department, on the display as a bar graph. A list 113 that is drilled down by "Sales Department") and displayed on the display is shown. In the list 113, for each owner name of the user terminal 11 in the selected department, the PC name of the user terminal 11, the date and time of writing, the file name of the personal information file to be written, the document path, and Operation details are displayed. With such a list 113, it is possible to grasp user operations that may cause personal information leakage.

  In FIG. 26, a screen 114 that displays the number of FTP transfers of the personal information file that is aggregated for each department on the display as a bar graph, and the screen 114 is drilled down by “Department name” (here “Sales Department”). A list 115 displayed on the display is shown. In the list 115, for each owner name of the user terminal 11 in the selected department, the PC name of the user terminal 11, the FTP transfer date and time, the file name of the personal information file to be transferred, the FTP server Name and FTP command are displayed. Such a list 115 makes it possible to grasp user operations that may cause personal information leakage.

  In FIG. 27, a screen 116 for displaying the number of renames of the personal information file as a bar graph on the display, which is totaled for each department, is drilled down from this screen 116 with “Department name” (here “Sales Department”). A list 117 displayed on the display is shown. In the list 117, for each owner name of the user terminal 11 in the selected department, the PC name of the user terminal 11, the renaming date and time, the file name and document path of the personal information file to be renamed, Is displayed. With such a list 117, it is possible to grasp user operations that may leak personal information.

  In FIG. 28, a screen 118 for displaying the number of accesses counted for each prohibited browsing site as a bar graph on the display, and drilling down from this screen 118 with “site name” (here “file service”) is displayed on the display. A list 119 to be played is shown. In the list 119, for each owner name of the user terminal 11 that has accessed the selected site, the PC name of the user terminal 11 and the access time are displayed. With such a list 119, access to a browsing-prohibited site can be monitored.

[3--4-4-2] Management Operation of Personal / Confidential Information Management Server Based on Pr Mark Next, the management server 20 (second personal information management based on the Pr mark obtained as a search result by the personal information search means 1100 The management operation of the means 208) will be described according to the flowchart (steps S20 to S29) shown in FIG.

  The second personal information management means 208 refers to the determination result (Pr mark table) of the personal information file in the database 20b and determines whether or not there is a personal information file (file to which the Pr mark is given) (step S20). If there is a personal information file (YES route in step S21), the personal information file is managed by the second personal information management means 208 in accordance with the search result of the personal information file [here, the Pr mark level (rank)]. The operation is performed as follows (steps S21 to S29).

  First, the presence / absence of a personal information file of Pr mark level “P1” is determined (step S21). If there is a personal information file of Pr mark level “P1” (YES route of step S21), access monitoring of the personal information file is performed. It is set and registered as a target (access log recording target) (step S22). In addition, since the process of step S22 overlaps with the process same as step S208 of FIG. 17, you may abbreviate | omit step S21 and S22.

  When there is no personal information file of Pr mark level “P1” (NO route of step S21), or after registration in step S22, it is determined whether or not there is a personal information file of Pr mark level “P2” (step S23). When there is a personal information file of Pr mark level “P2” (YES route in step S23), the personal information file is set and registered as an access monitoring target, and the user of the personal information file is urged to be alerted. Attention information by pop-up display is notified (step S24).

  When there is no personal information file of Pr mark level “P2” (NO route of step S23), or after the notice information is notified in step S24, it is determined whether or not there is a personal information file of Pr mark level “P3” (step S25). ), If there is a personal information file of Pr mark level “P3” (YES route of step S25), the personal information file is set and registered as an access monitoring target, and the user who stores the personal information file is The fact that it exists is notified to the system administrator by e-mail or the like as warning information, and the user is instructed to return the personal information file (step S26).

  If there is no personal information file of Pr mark level “P3” (NO route of step S25), or after issuing the alarm information notification and return instruction in step S26, whether or not there is a personal information file of Pr mark level “P4”. If there is a personal information file of Pr mark level “P4” (YES route of step S27), the personal information file is forcibly captured and collected from the client terminal 10 (step S28). The personal information file is placed under the management of the file access management server 20, and the file access management server 20 manages the access to the personal information file (step S29). When there is no personal information file with the Pr mark level “P4” (NO route in step S27), or after the processing in step S29 is completed, the management operation is terminated.

  As described above, for the personal information file of the Pr mark level “P4”, the personal information file is forcibly prohibited from being output from the user terminal 11 to the outside, or the personal information file is only for the administrator. May be stored in an accessible folder. When the personal information file with the Pr mark level “P3” is left for a predetermined number of days, the same processing as that for the personal information file with the Pr mark level “P4” may be executed. Furthermore, all of the personal information files of the Pr mark levels “P1” to “P4” may be placed under the management of the file access management server 20.

[3-4-5] Operation of file access management server:
Next, the operation of the file access management server 20 will be described with reference to FIGS. 19 and 20.

First, the file conversion operation by the file access management server 20 of this embodiment will be described with reference to the flowchart shown in FIG. 19 (steps S31 to S34).
In the file access management server 20, when a file to be managed is received by the personal information file receiving means 27a from each user terminal 11 via the network 30 so as to be registered as a management target by the file access management server 20 (step S31). The YES route) is converted into a PDF file by the encryption means 28 (step S32), and further, encryption processing (keying processing) is performed using a predetermined encryption key (step S33). Then, the encrypted file is transmitted to the user terminal 11 via the network 30 by the encrypted file transmitting unit 27b (step S34).

Next, an authentication operation performed by the file access management server 20 according to the present embodiment will be described with reference to the flowchart shown in FIG. 20 (steps S41 to S45).
When the user of the user terminal 11 wants to view the contents of the encrypted file, authentication information is input by the user and transmitted to the file access management server 20. When the authentication information is received by the authentication information receiving unit 27c via the network 30 (YES route in step S41), the determination unit 29 searches the database 20b with the user ID included in the authentication information, and the user ID Is read from the database 20b, the password included in the authentication information is compared with the registered password read from the database 20b, and it is determined whether these passwords match (user authentication; step S42) is performed.

  If these passwords match and it is authenticated that the user of the user terminal 11 is a legitimate registrant (legitimate transmission destination) (YES route in step S43), the decryption key transmission means 27d performs encryption. A decryption key for decrypting the file is read from the database 20b and transmitted to the user terminal 11 via the network 30 (step S44).

  Then, when the decryption key is received at the user terminal 11, the encrypted file is decrypted using the decryption key, the original file is restored, and the file is subjected to access authority given in advance. Access is performed. For example, when only the viewing authority is given as the access authority as described above, the user can browse the contents of the restored file, but access other than browsing, for example, print output by a printer or other Access to the recording medium, copy of the screen (screen capture), and saving as another name cannot be performed at all.

  On the other hand, if the determination unit 29 of the file access management server 20 determines that the passwords do not match, or if the registered password corresponding to the user ID is not registered in the database 20b, the user is valid. It is determined that the user is not a registrant (authorized transmission destination) (NO route in step S43), and an error notification is sent from the file access management server 20 to the user terminal 11 via the network 30 (step S45).

[4] Effects of this embodiment:
Thus, according to the management system 1 as an embodiment of the present invention, each user terminal 11 has at least one management condition (for example, the above items (1) to (5) or (1) to (5)). After executing electronic education about security including matters relating to (at least one of (a) to (g)) (for example, electronic education about security in general when using the internal system 10 of a company, etc.) Environmental information in each user terminal 11 is collected from each user terminal to the management server 20, and each user terminal 11 sets management conditions based on the collected environmental information in this management server 20 (determination means 26). A warning is issued to the user (administrator who violated the management condition) or the administrator of the user terminal 11 that has been determined whether or not the management condition is satisfied by the warning means 27, and With respect to the user terminal 11, detailed electronic education on matters related to violation management conditions is executed. In other words, if there is a violation of management conditions after e-education of security in general, the violation is likely to be intentional by the user, and a warning about the violation is given to the user and administrator, Electronic education about violations will be implemented for users who are violators.

Accordingly, the warning raises the security awareness of the administrator, and the administrator can reliably grasp the system status and ensure and maintain a safe environment in the internal system 10 of the company or the like. In addition, a warning is given to the user (violator), and electronic education for ensuring security for the user (violator) can be performed in accordance with the actual condition of each user terminal 11, It is possible to raise the security awareness of the user (violator) and further contribute to securing and maintaining a safe environment in the internal system 10 of a company or the like. In other words, since it is possible to conduct electronic education for violations that are likely to have been deliberately performed by users after electronic education about security in general, thorough user education (employee education) As a result, the internal system 10 contributes to securing and maintaining a safe environment.

  Also, environmental information in each of the plurality of user terminals 11 (for example, environmental information in each of the plurality of user terminals 11 belonging to the internal system 10 such as a company) is collected from each user terminal 11 to the management server 20, In this management server 20, based on the collected environment information in each user terminal 11, the evaluation level for a plurality of user terminals 11, that is, the security status of the internal system 11 in a company or the like is evaluated, and the evaluation result Is notified to users and administrators.

  As a result, a service for evaluating the security status of the internal system 10 in a company or the like can be provided to the company or the like, and even if no system administrator is placed, the manager or administrator can take security measures. Even without care, the security status of the internal system 10 and each terminal 11 can be grasped extremely accurately and easily, and the security awareness of managers, managers, and users is raised, and the internal system 10 of companies and the like is safe. The environment can be secured and maintained. In particular, the service provided by the management server 20 in this way is effective for small and medium-sized businesses that are not as conscious of security as large companies. By using this service, The manager can grasp the security status of his / her system 10 and conduct electronic education very easily and thoroughly.

  At this time, in the management server 20, as shown in FIG. 5, at least one management condition among the plurality of user terminals 11 (for example, the items (1) to (5) or (1) to (5) and (a ) To (g) based on the ratio P of the user terminals 11 satisfying, or based on the important management conditions set as in the second example shown in FIG. 7, the ratios P1 to P5 of the user terminals 11 that satisfy the management conditions (1) to (5) or (1) to (5) and (a) to (g) and the management conditions (1 ) To (5) or (1) to (5) and (a) to (g) based on the importance M1 to M5, the degree of safety of the plurality of user terminals 11 (in-company system 10) is quantified. Can be evaluated.

  According to the first method shown in FIG. 5, for example, at least one of the management conditions of the items (1) to (5) or (1) to (5) and (a) to (g) is satisfied. If the ratio of user terminals is 100%, the highest evaluation is given, and a stepwise evaluation level corresponding to the ratio can be given to the evaluation target system 10 below. That is, the higher the number of user terminals 11 that satisfy the management conditions (1) to (5) or (1) to (5) and (a) to (g), the higher the numerical value obtained and the higher the evaluation level. It is possible to make an evaluation on the in-company system 10 according to the level of safety.

In addition, as in the second method shown in FIG. 6, the management condition of item (4) “having no dangerous software installed on the user terminal” is important for ensuring the safety of the internal system. Since there is at least one user terminal 11 that does not satisfy the item (4) by setting it as an important management condition, that is, one user terminal 11 that installs dangerous software. However, by giving a low evaluation level to the in-company system 10 regardless of the ratio of other items, the safety level (security status, evaluation level) of the in-company system 10 can be easily and reliably evaluated. be able to.

Further, as in the third method shown in FIG. 7, the evaluation value V that increases as the number (ratio) of user terminals 11 that do not satisfy the management condition having a high importance Mi (i = 1 to 5) increases. By determining the evaluation level, a low evaluation level can be given to the system 10 in which the user terminal 11 that does not satisfy the management condition with high importance exists, and an evaluation in accordance with the high safety is performed in the company system 10 can be lowered.

In this case, it is possible to change the contents of restrictions such as transmission according to the evaluation level.
For example,
Evaluation level 5: Sending electronic files without restrictions, etc.
Evaluation level 4: When an electronic file is encrypted and transmitted, the password necessary for decryption is transmitted from the management server side when the above management conditions are satisfied.
Evaluation level 3: Transmission of an electronic file or the like is stopped.
Evaluation level 2: The transmission destination is changed to the management server when an electronic file is transmitted.
Evaluation level 1: Electronic file transmission is prohibited, and the corresponding electronic file is deleted from the user terminal.
It is possible to limit the transmission of electronic files in stages.

Here, in this case, it is possible to impose restrictions on operations such as transmission for the personal information file. In addition, it is possible to change the content of restrictions such as transmission according to the sum or product of the evaluation level and the rank of the personal information Pr.

  When the electronic file is encrypted and transmitted, and the management conditions described above are satisfied, the operation restriction control agent file accesses the management server, and the password required for decryption from the management server side is the user terminal. Alternatively, it is transmitted to the electronic file transmission destination.

  At this time, the environment information collection agent file is transmitted from the management server 20 to the plurality of user terminals 11, and the environment information collection agent file is executed on each user terminal 11, whereby the environment information in the user terminal 11 is managed by the management server. 20 can be collected. Therefore, the management server 20 creates an environment information collection agent file and transmits the environment information collection agent file to the plurality of user terminals 11 belonging to the in-company system 10 all at once. 11 can be collected very easily.

  Further, the first and second electronic education agent files and the electronic education agent file corresponding to the evaluation result are transmitted from the management server 20 to each user terminal 11, and these electronic education agent files are executed in each user terminal 11. Thus, in addition to the electronic education about security in general and the electronic education about violations, it is possible to cause the user of the user terminal 11 to execute electronic education according to the evaluation result. Therefore, the management server 20 simply transmits the first electronic education agent file and the electronic education agent file corresponding to the evaluation result to the plurality of user terminals 11 belonging to the evaluation target network 10, thereby simultaneously In addition to being able to execute electronic education on the security of the terminal 11 in general and electronic education according to the evaluation result, the second electronic education agent file can be transmitted to the violator's user terminal 11 by simply sending it. Detailed electronic education on violations for violators can be carried out very easily. This makes it possible to thoroughly perform security user education (employee education) in the in-company system 10.

  In addition, based on the environmental information collected regularly, the evaluation level (degree of safety) about a plurality of user terminals 11 (in-company system 10) is periodically evaluated, and the periodic evaluation results are obtained from a plurality of evaluation results. By notifying the user or administrator of the user terminal 11, the user or administrator can periodically grasp the security status of the in-company system 10, and the in-company system 10 is safe. It will contribute to securing and maintaining the environment.

In addition, in the user terminal determined by the management server that the management conditions are not satisfied,
By restricting transmission of electronic files, etc., diffusion of information due to transmission from the violator's terminal is effectively prevented. In this case, the user terminal that satisfies the management condition does not have a restriction on transmission or the like, so that there is no problem with the use of the user terminal.

  Also, by changing restrictions on electronic file transmission, etc., depending on the degree of management conditions determined by the management server, it is possible to appropriately and effectively prevent the spread of information due to transmission from the offender's terminal. Is done. In addition, since there is no restriction on transmission or the like in a user terminal that satisfies the management conditions, there is no problem with the use of the user terminal.

  And by restricting the transmission etc. to the user terminal that executes the second electronic education (e.g., stop writing, stop sending, or send without the personal information) Spreading of information due to transmission from the terminal or the like is effectively prevented. Moreover, since there is no restriction on transmission or the like in a user terminal that has only received the first electronic education without receiving the second electronic education, there is no problem with the use of the user terminal.

  In other words, when a command such as sending an electronic file occurs in a user terminal receiving second electronic education, the operation restriction control means restricts sending the electronic file, etc. (writing stop or sending stop, or personal (Transmission without information, etc.). Thereby, the personal information file is not transmitted to the external storage medium or the network, and the leakage of the personal information via the external storage medium or the network is prevented. Similarly, if it is determined that the electronic file is a personal information file, the operation restriction control means restricts the transmission of the electronic file, etc. (when the writing is stopped or stopped, or the personal information is excluded) Control to transmit). Thereby, the personal information file is not transmitted to the external storage medium or the network, and the leakage of the personal information via the external storage medium or the network is prevented.

  In addition, a management server is further provided, and the management server manages transmission requests for the searched personal information files, so that inadvertent leakage / leakage or unauthorized use of personal information due to the transmission of personal information, etc. can be ensured. It becomes possible to prevent.

  As described above, according to the management system 1 and the management server 20 as one embodiment of the present invention, the personal information file is searched for in each user terminal 11, and the search is performed by the management server 20 (second personal information management means 208). The user terminal 11 is managed on the basis of the result and the access log for the management target file. More specifically, the security level in each user terminal 11 is changed / set based on the search result and the access log. According to the security level, the access restriction on the file in each user terminal 11 and the user terminal 11 are changed. The personal information file itself and the information contained in the personal information file are prevented from leaking from the user terminal 11. As a result, even if personal information and confidential information are distributed and stored in a plurality of user terminals, each user terminal 11 can be connected without obtaining human cooperation and applying a special load on the person in charge. It is possible to manage the state of the personal information file by managing it, and it is possible to surely prevent the personal information and confidential information from being inadvertently leaked or leaked or illegally used.

In addition, the user terminal 11 (for example, the user terminal 11 that has executed the processing / operation related to the personal information file, the storage unit 1110b, which has a high possibility of inadvertent leakage / leakage or unauthorized use of the personal information file) For a user terminal 11 that has a personal information file, a user terminal 11 that is not set as an encryption / registration function, a user terminal 11 that has an external storage medium driver installed, etc.) Set a high security level to restrict access restrictions (for example, restriction / prohibition of Internet connection of user terminals, mask display of personal information elements / confidential information elements, mask printing, etc.) and operation restrictions on user terminals. On the other hand, for user terminals with a low possibility, the security level is set to a low level to restrict access and By releasing or relaxing the restriction, an environment in which the user terminal 11 can be used efficiently when the possibility is low is provided. Therefore, the user voluntarily uses his / her terminal 10 as described above. It becomes possible to shift to a state where the possibility is low, and it is possible to more surely prevent personal information and confidential information from being inadvertently leaked or leaked or illegally used.

  In particular, in this embodiment, the second personal information management means 208 performs security level setting (setting of file access restriction) in accordance with the criteria described in the items (11) to (15) above. A user terminal 11 that is unlikely to cause an inadvertent leakage / leakage or unauthorized use of an information file. Specifically, the personal information file has not been accessed for a predetermined period of time, and the personal information file Has no function, has a function to encrypt externally sent files, does not have an external storage medium driver installed, and does not access any browsing-prohibited sites. For user terminals 11 that do not exist, an environment where the user terminal 11 can be used efficiently is provided to the user by releasing or relaxing access restrictions and operation restrictions. It is.

  In addition, when the security level is gradually changed or set by changing the access restriction on the file or the operation restriction on the user terminal 11 step by step according to the security level, The operation restriction on the user terminal 11 does not suddenly change from a possible state (access or operation permitted state) to an impossible state (access or operation prohibited state), but gradually changes. The usage environment of the user terminal 11 does not become an inconvenient situation, but the user can gradually feel the inconvenience due to the access restriction and the operation restriction, and voluntarily attach his / her terminal 10 to the personal information file. It is now possible to shift to a state where there is a low possibility of inadvertent leakage / leakage or unauthorized use. They are possible to more reliably prevent a mind outflow, loss or unauthorized use.

  Further, when the second personal information management unit 208 makes a strict change in the access restriction on the file or the operation restriction of the user terminal 11, the user terminal 11 searches the storage unit 1110b, and the search result is displayed. By transmitting to the management server 20, the personal information file is searched again in the user terminal 11 that is likely to cause an inadvertent outflow / leakage or unauthorized use of the personal information file as described above. Become. As a result, the personal information file in the user terminal 11 having the high possibility can be surely placed under the management of the management server 20, and personal information and confidential information are inadvertently leaked or leaked. It is possible to more reliably prevent unauthorized use of.

  At this time, for example, as shown in FIG. 21 to FIG. 28, the access status to the personal information file (for example, the personal information file name, PC name, owner name, total number of personal information files, personal information (Such as the results of counting the number of accesses to the file) will be open to provide an environment in which the user will not voluntarily access the personal information file. Outflow / leakage and unauthorized use can be more reliably prevented.

Information on the user terminal 11 in which the external storage medium driver is installed (for example, the PC name of the user terminal, the owner name of the user terminal, the file name of the personal information file, and the writing of the personal information file) And the like, the user voluntarily stops installing the driver for the external storage medium, or writes the personal information file using the driver 14 even if the driver is installed. An environment in which personal information is lost can be provided, and inadvertent leakage / leakage or unauthorized use of personal information can be prevented more reliably.

  When the user terminal 11 having no function as the personal information search unit 1100 and the detection unit 1200 for searching the personal information file is connected to the network, the management server 20 uses the user terminal 11 to realize the function. The user terminal program is installed, its functions are automatically introduced into the user terminal 11, and the personal information search means 1100 determines whether or not there is a personal information file in the user terminal 11. Even when the user terminal 11 is connected to the network 30, the personal information file in the user terminal 11 can be surely searched, identified, and put into a manageable state. Leakage and unauthorized use of personal information can be reliably prevented.

  In the present embodiment, a personal information file having a predetermined number or more of personal information elements that can identify a specific individual is set as a management target file, and the personal information search unit 1100 stores a telephone number, an e-mail address, and an address. Character sections that do not fall under any of these categories and contain inappropriate characters / unsuitable character strings are considered not related to personal information, but do not fall under any of phone numbers, email addresses, or addresses, and are inappropriate Character sections that do not contain characters / inappropriate character strings are considered to be related to names.

  Therefore, for the character section determined to correspond to any one of the telephone number, the e-mail address, and the address in the first determination means 1130, the determination process is terminated when the determination is made, and the telephone number, the e-mail Only a character section determined not to correspond to either an address or an address is subjected to a matching process with an inappropriate character / unsuitable character string, and the matching unit 1150 has one inappropriate character / unsuitable character string. However, when it is determined that it is included in the character section, the collation process can be terminated, so the name collation process is faster than the conventional method that collates with all name strings in the name list. In other words, the personal information file search process can be performed at high speed.

  At this time, in the first determination means 1130, the determination processing is performed at a higher speed by performing the determination processing of the character string in the character section in order from the lighter determination processing load, that is, in the order of the telephone number, the e-mail address, and the address. Can be executed efficiently.

  In addition, since the second determination unit 1160 regards all character sections that do not include inappropriate characters / unsuitable character strings as corresponding to names, electronic files that do not include inappropriate characters / unsuitable character strings for names, It is possible to reliably search for an electronic file that is highly likely to contain name information and is likely to be a personal information file. That is, the number of electronic files that are determined to be personal information files according to the present embodiment is larger than that of the conventional method, and an electronic file that is highly likely to be a personal information file (suspicious electronic file) can be reliably identified. it can.

  Furthermore, in this embodiment, the character determination means 1140 determines whether the number of characters in the character section is 1 or more and 6 or less and all the characters in the character section are kanji characters, and the characters satisfying this character determination condition. Since only the section is set as a collation target by the collation means 1150, the character section to be collated by the collation means 1150 is narrowed down to a character section having a higher possibility of name, and the name collation accuracy can be improved. At the same time, name verification processing can be performed at high speed. In addition, since a long character section having more than 6 characters is excluded from the collation target by the collating means 1150, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file search process. Become.

In particular, according to the personal information search program of the present embodiment, when the cutting unit 1120 cuts out text data as a determination target character section, elements in the text data are not separated by clear delimiters. Also, the boundary position between 1-byte code character and 2-byte code character, that is, the boundary position between a half-width character and a full-width character (a portion where a half-width character is followed by a full-width character or a portion where a half-width character is followed by a half-width character), The text data is divided and cut out as character sections at the boundary position between the full-width arithmetic numbers and the characters excluding the full-width arithmetic numbers and hyphens.

  This makes it possible to mix addresses and names written in double-byte characters and strings such as phone numbers and e-mail addresses written in single-byte characters without being separated by delimiters in text data. Address, name, phone number, and e-mail address even if the address, name, etc. written in and the numeric string such as a phone number written in full-width characters are mixed in the text data without being separated by a delimiter A character section can be cut out for each personal information element. Accordingly, it is possible to reliably determine personal information elements such as address, name, telephone number, and e-mail address, and to search the personal information file efficiently and reliably in a short time.

Further, as an e-mail address determination condition by the e-mail address determination means 1130b, the character string in the character section to be determined includes “one or more ASCII characters” + “@ (at sign)” + “one or more ASCII characters” + “ . (Dot) ”+“ A with one or more characters
“@ (At sign)” is used to display the unit price and unit by setting that the character string “SCII character” is included and the last character of the character string is a half-width alphabetic character. A string of numbers that is “@ (at sign)” followed by “one or more half-width numbers” + “. (Dot)” + “one or more half-width numbers” (for example, “123@45.67 ") Can be reliably prevented from being erroneously determined as an e-mail address. Therefore, it is possible to reliably determine personal information elements such as an e-mail address, and it is possible to search for a personal information file efficiently and reliably in a short time.

In the electronic mail address, the character string after the last “. (Dot)” after “@” is always an alphabetic character string such as “com”, “net”, and “jp” at present. In general, “@” is often used to display a unit price or a unit. For example, one of an article
When displaying the price and weight per piece, “@” may be used, such as “@ 100.00” or “@ 10.55”. For this reason, the e-mail address determination condition is simply that “one or more ASCII characters” + “@ (at mark)” + “one or more ASCII characters” + “. (Dot)” in the character string in the character section to be determined. + If a character string that is “one or more ASCII characters” is included, the above character strings containing “@ 100.00” or “@ 10.55” may be mistakenly recognized as e-mail addresses. However, by adding that the last character of the character string is a single-byte alphabetic character to the e-mail address judgment condition, the character string including the numeric character strings “@ 100.00” and “@ 10.55” as described above It is possible to reliably prevent erroneous recognition as an e-mail address.

  Further, as an address determination condition by the address determination unit 1130c, “one or more full-width characters” + “city” or “ku” or “gun” + “one or more full-width characters or half-width characters are included in the character string in the character section to be determined. ”And the first character of the character section to be judged and the initials of the 47 prefectures or city names. , When a character string that includes "county" in the middle but is not related to the address at all is mistakenly determined as an address, and when 47 prefecture names or city names are determined to match completely Compared with an extremely short time, it is possible to efficiently and reliably search for a character section with high accuracy as an address.

Furthermore, the first character of the character string to be determined matches the initial character of the last name belonging to the upper predetermined number (for example, the top 3000 types) common to Japanese in the character determination condition (name determination condition) by the character determination means 1140. By adding this, it is possible to efficiently and reliably search for a character section having a high degree of accuracy as a name in a very short time compared with the case of determining complete match of the last name.

  Then, the second personal information management unit 208 of the management server 20 manages the electronic file determined to be a personal information file according to the counting result (determination value level) obtained by the second determination unit 1160. Therefore, it is possible to select and execute a management method according to the judgment value level (high possibility of being a personal information file / the number of personal information elements) for each personal information file. Even if a large number of terminals exist and personal information files are distributed and stored, these personal information files can be managed centrally, and a system for centrally managing personal information files can be easily constructed. It becomes possible to introduce.

  On the other hand, by converting a file sent from the user terminal 11 to the outside in the user terminal 11 or the file access management server 20, the file to be externally sent is converted into an encrypted file. So that the file can be prevented from being taken out from each terminal 10 in a state where everyone can refer to it, and personal information and confidential information can be prevented from being inadvertently leaked or leaked or illegally used. Can be prevented.

  At this time, if the authorized user of the encrypted file is authenticated by the file access management server 20 as being authorized, the encrypted file is decrypted with the decryption key received from the file access management server 20. The content of the encrypted file can be accessed, but other users cannot decrypt the encrypted file and cannot access the content. In other words, the file is sent to the outside after being converted into an encrypted file that can be accessed only by legitimate users. As described above, inadvertent leakage / leakage of personal information or confidential information, unauthorized use, etc. Access to a legitimate user is possible while ensuring prevention, so the convenience of the legitimate user is not impaired.

  At this time, since the original of the file is stored in the complete document file and is encrypted, the original of the file remains as it is, that is, in a state where everyone can refer to the user terminal 11. Therefore, it is possible to more reliably prevent inadvertent leakage / leakage and unauthorized use of personal information and confidential information.

[5] Other:
[5-1] Others (1):
The present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the spirit of the present invention.

  For example, in the above-described embodiment, the case where the management target file is a personal information file has been described. However, the present invention is not limited to this, and a confidential information file including confidential information other than personal information is managed. It may be a file.

  In this case, the predetermined condition for determining the confidential information file is that a predetermined number or more of records (sensitive information elements) including the confidential information are held, and the confidential information element includes, for example, a new product before the announcement, It is a character string used in technology and management strategy before patent application. Such a confidential information file can also be searched by the personal information searching means 1100 in the same manner as the personal information file, and the same operational effects as those of the above-described embodiment can be obtained.

In the above-described embodiment, the case where the function as the personal information searching unit 1100 is provided in the user terminal 11 has been described. A personal / confidential information management server (management server) 20 connected to be communicable may be provided.

  However, in this case, a file in the storage unit 1110b of the user terminal 11 is temporarily downloaded to the management server 20, and a search process is performed on the file by a function as the personal information search unit 1100 on the management server 20 side. It will be. Thereby, when a user requests non-resident of a program for realizing personal information exploration means 1100 for reasons such as memory capacity in user terminal 11 and compatibility with other programs, the request It is possible to cope with it, and convenience is enhanced.

  Furthermore, in the above-described embodiment, it is assumed that the management target file (personal information file) is stored in the storage unit 1110b of each user terminal 11, but the present invention is not limited to this. The management target file (personal information file, confidential information file, etc.) may be stored in a server other than the user terminal 11 belonging to the management system 1, the management server 20, other servers, or a PC.

  In such a case, the collecting means (log collecting means) 23 of the management server 20 collects and records the access log of each user terminal 11 for the management target file in the management system 1. Two personal information management means 208 manages the user terminal 11 based on the access log collected and recorded by the collecting means 203.

  At this time, the second personal information management unit 208 determines whether or not the user terminal 11 is to perform the search by the personal information search unit 1100 based on the access log collected and recorded by the collection unit 203. It is possible to make a search by the personal information search means 1100 in the user terminal 11 that is determined every time and is determined to execute the search. For example, the user terminal 11 accesses the management target file more than a predetermined number of times (for example, 10 times) based on the access log. Suppose that

Then, the second personal information management means 208 performs the search transmitted from the user terminal 11 in the same manner as in the above-described embodiments (see items (11) to (15) and (21) to (23)). And / or
Alternatively, the security level of the user terminal 11 may be changed / set based on the access log for the management target file, and the operation restriction of the user terminal 11 may be changed according to the security level.

  In each of the above embodiments, the necessary program may be resident in advance in each user terminal 11, may be sent from the server, may be resident, or is sent from the server and executed when necessary. The format is acceptable.

  The user terminal 11 that frequently accesses the management target file in the management system 1 can be regarded as a user terminal that has a high possibility of inadvertent outflow / leakage or unauthorized use of the management target file. As described above, when the second personal information managing unit 208 finds the user terminal 11 that has accessed the management target file more than a predetermined number of times based on the access log, in the user terminal 11, The management target file (file containing personal information, confidential information, etc.) is searched immediately. As a result, the management target file in the user terminal with the high possibility can be surely put under the management of the management server, personal information or confidential information is inadvertently leaked or leaked, or personal information or confidential information is illegal. Use and the like can be prevented more reliably.

[5-2] Others (2):
The present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the spirit of the present invention.

  For example, in the above-described embodiment, the management server 20 is provided outside the company, and the external management server 20 provides the company system 10 with a service (security management service) for performing security evaluation and electronic education of the company system 10. However, the present invention is not limited to this, and the above-described management server 20 is provided with the function as the management server 20 described above. In order to manage the in-company system 10 instead of as a service for the above, the above-described security evaluation and electronic education of the in-company system 10 may be performed.

  The above-described environment information collection agent file transmission means 21, environment information reception means 22, evaluation means 23, evaluation result notification means 24, first electronic education control means 25, determination means 26, warning means 27, and second electronic education control means 28 Functions (all or part of the functions of each means) are realized by a computer (including a CPU, an information processing device, and various terminals) executing a predetermined application program (management program / security management service providing program) Is done.

  The program is, for example, a computer such as a flexible disk, CD (CD-ROM, CD-R, CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.). It is provided in a form recorded on a readable recording medium. In this case, the computer reads the management program / security management service providing program from the recording medium, transfers it to the internal storage device or the external storage device, and uses it. Further, the program may be recorded in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to a computer via a communication line.

  Here, the computer is a concept including hardware and an OS (operating system), and means hardware operating under the control of the OS. Further, when the OS is unnecessary and the hardware is operated by the application program alone, the hardware itself corresponds to the computer. The hardware includes at least a microprocessor such as a CPU and means for reading a program recorded on a recording medium. The application program as the management program / security management service providing program is stored in the computer as described above in the environment information collection agent file transmission means 21, environment information reception means 22, evaluation means 23, evaluation result notification means 24, first electronic Program codes for realizing the functions of the education control means 25, the determination means 26, the warning means 27, and the second electronic education control means 28 are included. Also, some of the functions may be realized by the OS instead of the application program.

  Furthermore, as a recording medium in the present embodiment, in addition to the flexible disk, CD, DVD, magnetic disk, optical disk, and magneto-optical disk described above, an IC card, ROM cartridge, magnetic tape, punch card, computer internal storage device (RAM) In addition, various computer-readable media such as an external storage device, a transmission such as a transmission in which a code such as a barcode is transmitted, and the like can also be used.

[6] Note:
(Appendix 1)
A management server connected to a plurality of user terminals so as to communicate with each other and managing the plurality of user terminals,
Environment information collection agent file transmission for transmitting an environment information collection agent file that causes each of the plurality of user terminals to collect environment information and notify the management server of the collection result to the plurality of user terminals Means,
Environmental information receiving means for receiving the environmental information transmitted from each user terminal;
First electronic education control means for causing the plurality of user terminals to execute electronic education on security including matters relating to at least one management condition;
Based on the environment information in each user terminal received by the environment information receiving means according to the environment information collecting agent file transmitted by the environment information collecting agent file transmitting means after the electronic education by the first electronic education control means, Determining means for determining whether each user terminal satisfies the at least one management condition;
Warning means for issuing a warning to the user and / or the administrator of the user terminal that is determined not to satisfy the management conditions by the determination means;
Second electronic education control means for causing the user terminal determined not to satisfy the management conditions by the determination means to execute electronic education on matters relating to the management conditions;
An operation restriction control means for restricting transmission of an electronic file or the like even when a command such as transmission of an electronic file is issued to a user terminal determined not to satisfy the management condition by the determination means;
A management server characterized by comprising

(Appendix 2)
A management server connected to a plurality of user terminals so as to communicate with each other and managing the plurality of user terminals,
Environment information collection agent file transmission for transmitting an environment information collection agent file that causes each of the plurality of user terminals to collect environment information and notify the management server of the collection result to the plurality of user terminals Means,
Environmental information receiving means for receiving the environmental information transmitted from each user terminal;
Based on the environment information in each user terminal received by the environment information receiving means, it is determined whether each user terminal satisfies at least one management condition, and an evaluation level for the plurality of user terminals An evaluation means for evaluating
Notification means for notifying the users and / or managers of the plurality of user terminals of the evaluation results obtained by the evaluation means;
First electronic education control means for causing the plurality of user terminals to execute electronic education about security including matters relating to the at least one management condition;
Based on the environment information in each user terminal received by the environment information receiving means according to the environment information collecting agent file transmitted by the environment information collecting agent file transmitting means after the electronic education by the first electronic education control means, Determining means for determining whether each user terminal satisfies the at least one management condition;
Warning means for issuing a warning to the user and / or the administrator of the user terminal that is determined not to satisfy the management conditions by the determination means;
Second electronic education control means for causing the user terminal determined not to satisfy the management conditions by the determination means to execute electronic education on matters relating to the management conditions;
An operation restriction control means for restricting transmission of an electronic file or the like even when a command such as transmission of an electronic file is issued to a user terminal determined not to satisfy the management condition by the determination means;
A management server characterized by comprising

(Appendix 3)
The evaluation means evaluates the evaluation levels of the plurality of user terminals by quantifying them based on a ratio of user terminals satisfying the at least one management condition among the plurality of user terminals. The management server according to appendix 2, characterized by:

(Appendix 4)
The evaluation means determines the number of user terminals that satisfy the at least one management condition out of the plurality of user terminals and the importance of the management condition. The management server according to appendix 2, characterized in that the evaluation level is digitized and evaluated.

(Appendix 5)
A plurality of management conditions for evaluating the evaluation level are set in advance, and among the plurality of management conditions, those having higher importance than other management conditions are set in advance as important management conditions,
The evaluation means first determines whether or not each of the plurality of user terminals satisfies the important management condition, and even one of the plurality of user terminals does not satisfy the important management condition. In this case, when the evaluation level for the plurality of user terminals is determined as the lowest level, and there is no user terminal that does not satisfy the important management conditions, the management conditions other than the important management conditions The management server according to claim 2, wherein the evaluation level of the plurality of user terminals is quantified and evaluated based on a ratio of user terminals satisfying at least one management condition.

(Appendix 6)
The evaluation means periodically evaluates the evaluation level for the plurality of user terminals based on the environment information periodically received by the environment information receiving means;
6. The management server according to any one of appendix 2 to appendix 5, wherein the notifying means notifies the users and / or managers of the plurality of user terminals of periodic evaluation results.

(Appendix 7)
The management condition is
(1) The security software is installed on the user terminal and turned on.
(2) The security patch update information of the security patch update software as security countermeasure software on the user terminal is the latest.
(3) The update information of the virus definition file of the antivirus software as the security software on the user terminal is the latest.
(4) Dangerous software is not installed on the user terminal,
(5) User terminal does not have unauthorized copy,
The management server according to any one of supplementary notes 1 to 6, wherein at least one of the above is included.

(Appendix 8)
The first electronic education control means is
First electronic education agent file creation / holding means for creating or holding a first electronic education agent file for causing each of the plurality of user terminals to execute electronic education on security including matters relating to the at least one management condition; ,
A first electronic education agent file transmitting means for transmitting the first electronic education agent file created / held by the first electronic education agent file creating / holding means to the plurality of user terminals; The management server according to any one of Supplementary Note 1 to Supplementary Note 7, which is characterized in that.

(Appendix 9)
The second electronic education control means is
A second electronic education agent file that causes a user terminal that is determined not to satisfy the management condition by the determination means to execute electronic education on a matter related to the management condition determined not to be satisfied by the determination means; A second electronic education agent file creation / holding means to create or hold;
A second electronic education agent file transmitting means for transmitting the second electronic education agent file created / held by the second electronic education agent file creating / holding means to the user terminal;
The management server according to any one of Supplementary Note 1 to Supplementary Note 8, which is characterized in that.

(Appendix 10)
The operation restriction control means changes the content of restriction such as transmission according to the management condition or the evaluation level.
The management server according to any one of Supplementary Note 1 to Supplementary Note 9, which is characterized in that.

(Appendix 11)
A management program connected to a plurality of user terminals so as to communicate with each other, and causing a computer to function as a management server for managing the plurality of user terminals,
Environment information collection agent file transmission for transmitting an environment information collection agent file that causes each of the plurality of user terminals to collect environment information and notify the management server of the collection result to the plurality of user terminals means,
Environment information receiving means for receiving the environment information transmitted from each user terminal;
First electronic education control means for causing the plurality of user terminals to execute electronic education on security including matters relating to at least one management condition;
Based on the environment information in each user terminal received by the environment information receiving means according to the environment information collecting agent file transmitted by the environment information collecting agent file transmitting means after the electronic education by the first electronic education control means, Determining means for determining whether each user terminal satisfies the at least one management condition;
Warning means for issuing a warning to the user and / or the administrator of the user terminal that is determined not to satisfy the management conditions by the determination means;
Second electronic education control means for causing the user terminal determined not to satisfy the management conditions by the determination means to execute electronic education on matters relating to the management conditions; and
An operation restriction control means for restricting transmission of an electronic file or the like even when a command such as transmission of an electronic file is issued to a user terminal that is judged not to satisfy the management condition by the judgment means;
A management program for causing the computer to function as

(Appendix 12)
A management program connected to a plurality of user terminals so as to communicate with each other, and causing a computer to function as a management server for managing the plurality of user terminals,
Environment information collection agent file transmission for transmitting an environment information collection agent file that causes each of the plurality of user terminals to collect environment information and notify the management server of the collection result to the plurality of user terminals means,
Environment information receiving means for receiving the environment information transmitted from each user terminal;
Based on the environment information in each user terminal received by the environment information receiving means, it is determined whether each user terminal satisfies at least one management condition, and an evaluation level for the plurality of user terminals Evaluation means to evaluate,
Notification means for notifying the users and / or managers of the plurality of user terminals of the evaluation results obtained by the evaluation means;
First electronic education control means for causing the plurality of user terminals to perform electronic education on security including matters relating to the at least one management condition;
Based on the environment information in each user terminal received by the environment information receiving means according to the environment information collecting agent file transmitted by the environment information collecting agent file transmitting means after the electronic education by the first electronic education control means, Determining means for determining whether each user terminal satisfies the at least one management condition;
Warning means for issuing a warning to the user and / or the administrator of the user terminal that is determined not to satisfy the management conditions by the determination means;
Second electronic education control means for causing the user terminal determined not to satisfy the management conditions by the determination means to execute electronic education on matters relating to the management conditions; and
An operation restriction control means for restricting transmission of an electronic file or the like even when a command such as transmission of an electronic file is issued to a user terminal that is judged not to satisfy the management condition by the judgment means;
A management program for causing the computer to function as

(Appendix 13)
The evaluation means quantifies and evaluates the evaluation level for the plurality of user terminals based on a ratio of the user terminals satisfying the at least one management condition among the plurality of user terminals. The management program according to appendix 11, wherein the computer is caused to function.

(Appendix 14)
The evaluation means determines the number of user terminals that satisfy the at least one management condition out of the plurality of user terminals and the importance of the management condition. 12. The management program according to appendix 11, wherein the computer is caused to function so as to evaluate the evaluation level numerically.

(Appendix 15)
A plurality of management conditions for evaluating the evaluation level are set in advance, and among the plurality of management conditions, those having higher importance than other management conditions are set in advance as important management conditions,
The evaluation means first determines whether or not each of the plurality of user terminals satisfies the important management condition, and even one of the plurality of user terminals does not satisfy the important management condition. In this case, when the evaluation level for the plurality of user terminals is determined as the lowest level, and there is no user terminal that does not satisfy the important management conditions, the management conditions other than the important management conditions Wherein the computer is caused to function so as to evaluate and evaluate the evaluation level for the plurality of user terminals based on a ratio of user terminals satisfying at least one of the management conditions. The management program according to appendix 11.

(Appendix 16)
The evaluation unit periodically evaluates the degree of safety of the plurality of user terminals based on the environment information periodically received by the environment information receiving unit, and the notification unit performs the periodic evaluation. The management program according to any one of appendices 11 to 14, wherein the computer is caused to function so as to notify a user and / or manager of the plurality of user terminals of the result.

(Appendix 17)
The management condition is
(1) The security software is installed on the user terminal and turned on.
(2) The security patch update information of the security patch update software as security countermeasure software on the user terminal is the latest.
(3) The update information of the virus definition file of the antivirus software as the security software on the user terminal is the latest.
(4) Dangerous software is not installed on the user terminal,
(5) User terminal does not have unauthorized copy,
The management program according to any one of Supplementary Note 10 to Supplementary Note 15, which includes at least one of the above.

(Appendix 18)
When the computer functions as the first electronic education control means,
First electronic education agent file creation / holding means for creating or holding a first electronic education agent file for causing each of the plurality of user terminals to perform electronic education on security including matters relating to the at least one management condition; and,
The computer functions as first electronic education agent file transmission means for transmitting the first electronic education agent file created / held by the first electronic education agent file creation / holding means to the plurality of user terminals. The management program according to any one of appendix 11 to appendix 16, wherein the management program is executed.

(Appendix 19)
When the computer functions as the second electronic education control means,
A second electronic education agent file that causes a user terminal that is determined not to satisfy the management condition by the determination means to execute electronic education on the matter related to the management condition determined not to be satisfied by the determination means; Second electronic education agent file creation / retention means to be created or retained, and
Causing the computer to function as second electronic education agent file transmission means for transmitting the second electronic education agent file created / held by the second electronic education agent file creation / holding means to the user terminal. The management program according to any one of appendix 10 to appendix 17, characterized by:

(Appendix 20)
When the computer functions as the operation restriction control unit,
Depending on the management condition or the evaluation level, the contents of restrictions such as transmission are changed.
The management program according to any one of Supplementary Note 11 to Supplementary Note 19, wherein

(Appendix A1)
Personal information search means for searching a personal information file by executing a personal information search program, and starting the personal information search program, and determining whether or not the electronic file to be held is a personal information file A control unit to be executed by a search unit; a storage unit that stores the determination result by the personal information search unit when the electronic file is determined to be a personal information file by the personal information search unit; A function of transmitting the contents of the electronic file to a recording medium or another computer in response to an instruction such as transmission, and when the electronic file is determined to be a personal information file by the personal information exploration means, Personal / confidential information characterized by comprising an operation restriction control means for canceling transmission, etc. The management terminal.

(Appendix A2)
Personal information search means for searching a personal information file by executing a personal information search program, and starting the personal information search program, and determining whether or not the electronic file to be held is a personal information file Corresponding to the determination result by the personal information searching means and the personal information of the electronic file when the electronic information file is determined to be a personal information file by the control means to be executed by the searching means and the personal information searching means And a function for transmitting the contents of the electronic file to an external recording medium or another computer in response to a command such as transmission of the electronic file, and the electronic file is If it is determined that the file is a personal information file, the personal information file It is constructed to include the operation restriction control means for transmitting of an electronic file corresponding to the broadcast, the personal-confidential information management terminal, characterized in that.

(Appendix A3)
A user terminal that does not have a personal information exploration program resident on it, and a personal / confidential information management server that is connected to the user terminal via a network so as to be able to communicate with each other and manages personal information files in the user terminal The personal / confidential information management server executes a personal information search program to search a personal information file in the user terminal via the network, and the personal information search means. Electronic file information storage means for storing information about the electronic file in the user terminal at the time of searching for the personal information file, and searching for determining whether the electronic file is a personal information file Control means to be executed by the search means, and the user terminal is the personal information search means When it is determined that the electronic file is a personal information file, the storage means for storing the determination result by the personal information searching means, and the contents of the electronic file are transferred to an external recording medium or the like according to a command such as transmission of the electronic file. And an operation restriction control means for stopping the transmission of the electronic file when the personal information search means determines that the electronic file is a personal information file. Management system characterized by

(Appendix A4)
A user terminal that does not have a personal information exploration program resident on it, and a personal / confidential information management server that is connected to the user terminal via a network so as to be able to communicate with each other and manages personal information files in the user terminal. The personal / confidential information management server executes a personal information search program to search a personal information file in the user terminal via the network, and the personal information search means. Electronic file information storage means for storing information about the electronic file in the user terminal at the time of searching for the personal information file, and searching for determining whether the electronic file is a personal information file Control means to be executed by the exploration means, and the user terminal is the personal information exploration operator. When it is determined that the electronic file is a personal information file, a storage unit that stores the determination result by the personal information search unit and a portion corresponding to the personal information of the electronic file, and transmission of the electronic file A function of transmitting the contents of the electronic file to an external recording medium or another computer in response to an instruction such as, and when the personal information search means determines that the electronic file is a personal information file, A management system, comprising: an operation restriction control means for transmitting an electronic file corresponding to the personal information of the personal information file at the time of transmission or the like.

(Appendix A5)
A plurality of user terminals and a personal / confidential information management server that is connected to the plurality of user terminals so as to communicate with each other via a network and manage personal information files in the plurality of user terminals, The plurality of user terminals include a user terminal in which a personal information search program for executing a search for a personal information file is resident, and a user terminal in which the personal information search program is not resident, A first personal information search means for searching for a personal information file by a user terminal executing the personal information search program; a detection means for detecting addition / change of an electronic file in the user terminal; and the detection means When the addition / change of an electronic file is detected by the above, the personal information search program is started and the added / changed electronic file is A first control means for causing the first personal information search means to execute a real-time search for determining whether or not the file is a personal information file, and the electronic file is determined to be a personal information file by the first personal information search means In this case, it is determined that the electronic file is a personal information file by the transmitting means for transmitting the determination result by the first personal information searching means to the personal / confidential information management server via the network and the first personal information searching means. A storage means for storing the determination result by the first personal information exploration means, and a function of transmitting the contents of the electronic file to an external recording medium or another computer according to a command such as transmission of the electronic file, If the first personal information exploration means determines that the electronic file is a personal information file, send the electronic file The personal / confidential information management server searches the personal information file in the user terminal via the network by executing the personal information search program. Second personal information search means for performing electronic file information storage means for storing information relating to the electronic file in the user terminal at the time when the personal information file was last searched by the second personal information search means; The latest information about the electronic file in the user terminal is compared with the information stored in the file information storage means, and the personal information file is added / changed from the time when the periodic search of the personal information file was last performed until the present time. A differential extraction that periodically extracts the electronic file as a difference file from the user terminal via the network. And a second control means for causing the second personal information search means to execute a periodic search for determining whether or not the difference file extracted by the difference extraction means is a personal information file. When the user terminal determines that the electronic file is a personal information file by the second personal information searching means, a storage means for storing the determination result by the second personal information searching means, When it is determined that the electronic file is a personal information file by the second personal information exploration means, with the function of transmitting the contents of the electronic file to an external recording medium or another computer according to a command such as transmission, A management system comprising: an operation restriction control means for stopping transmission of an electronic file.

(Appendix A6)
A plurality of user terminals and a personal / confidential information management server that is connected to the plurality of user terminals so as to communicate with each other via a network and manage personal information files in the plurality of user terminals, The plurality of user terminals include a user terminal in which a personal information search program for executing a search for a personal information file is resident, and a user terminal in which the personal information search program is not resident, A first personal information search means for searching for a personal information file by a user terminal executing the personal information search program; a detection means for detecting addition / change of an electronic file in the user terminal; and the detection means When the addition / change of an electronic file is detected by the above, the personal information search program is started and the added / changed electronic file is A first control means for causing the first personal information search means to execute a real-time search for determining whether or not the file is a personal information file, and the electronic file is determined to be a personal information file by the first personal information search means In this case, it is determined that the electronic file is a personal information file by the transmission means for transmitting the determination result by the first personal information search means to the personal / confidential information management server via the network and the first personal information search means. The storage means for storing the location corresponding to the personal information of the electronic file based on the determination result by the first personal information search means, and the content of the electronic file according to the instruction such as transmission of the electronic file The electronic file has a function of transmitting to a recording medium or another computer and the first personal information searching means When it is determined that the file is a personal information file, it is configured to include an operation restriction control means for transmitting the electronic file corresponding to the personal information of the personal information file when transmitting the electronic file. The information management server executes the personal information search program to search the personal information file in the user terminal via the network, and finally the second personal information search means uses the second personal information search means. Electronic file information storage means for storing information related to the electronic file in the user terminal at the time of periodic search of the personal information file, latest information regarding the electronic file in the user terminal, and storage in the file information storage means Compared to the current information, the last time the personal information file was regularly searched The difference extraction means for periodically extracting the electronic file added / changed as a difference file from the user terminal via the network, and the difference file extracted by the difference extraction means And a second control means for causing the second personal information search means to execute a periodic search for determining whether or not the file is an information file, and the user terminal uses the second personal information search means to When it is determined that the file is a personal information file, it is configured to include operation restriction control means for transmitting the electronic file corresponding to the personal information of the personal information file when transmitting the electronic file, etc. Management system characterized by that.

(Appendix A7)
The user terminal further includes display means for displaying characters or images, and display control means for controlling display on the display means. The display control means is determined to be the personal information file. The management system according to any one of Supplementary Note A3 to Supplementary Note A6, wherein the electronic file is controlled to be displayed without limitation.

(Appendix A8)
The user terminal further includes display means for displaying characters or images, display control means for controlling display on the display means, and position detection means for detecting the position of the user terminal, and the display Any one of appendix A3 to appendix A6, wherein the control means limits the display of the electronic file determined to be the personal information file according to the position detected by the position detection means. The management system according to item 1.

(Appendix A9)
Personal information search means for searching for a personal information file in a user terminal that is communicably connected to a personal / confidential information management server that manages the personal information file in the user terminal via a network, in the user terminal Detection means for detecting addition / change of an electronic file, and real-time search for determining whether the added / changed electronic file is a personal information file when the detection means detects addition / change of the electronic file When the electronic information is determined to be a personal information file by the control means for causing the personal information search means to execute the personal information search means, based on the determination result by the personal information search means, Storage means for storing locations corresponding to personal information, electronic file transmission according to instructions such as electronic file transmission If the electronic file is determined to be a personal information file by the personal information exploration means, the personal information may be transmitted when the electronic file is transmitted. A personal / confidential information management program for causing a user terminal to function as an operation restriction control means for transmitting an electronic file corresponding to personal information of a file.

(Appendix A10)
The personal / confidential information management server determines that the electronic file is a personal information file in a user terminal that is communicably connected to the personal / confidential information management server that manages the personal information file via the network. In this case, based on the determination result, storage means for storing a portion corresponding to the personal information of the electronic file, transmission of the contents of the electronic file to an external recording medium or other computer according to a command such as transmission of the electronic file, etc. And an operation restriction control means for transmitting an electronic file corresponding to the personal information of the personal information file when the electronic file is determined to be a personal information file. A personal / confidential information management program characterized by causing the user terminal to function.

(Appendix A11)
First, the personal information file is searched for all data in the personal / confidential information management terminal or user terminal, and then the real-time search is executed (management described in Appendix A1 to Appendix A8). system.

(Appendix A11)
The management system according to appendix A3 to appendix A8, wherein the search for the personal information file is first executed for all data in the user terminal, and then the periodic search is executed.

(Appendix A12)
Appendices A3 to A3, wherein the personal / confidential information management server forcibly prohibits the personal information file from being output to the outside from the user terminal storing the searched personal information file. The management system according to appendix A8.

(Appendix A13)
Each of the plurality of user terminals monitors the searched personal information file, and when a transmission request for the personal information file is generated, a transmission request monitoring means for notifying the personal / confidential information management server to that effect The management system according to appendix A3 to appendix A8, characterized by further comprising:

  The personal / confidential information management server is further connected to the personal / confidential information management server so as to be communicable with each other, and further comprises an electronic file access management server for managing access to the electronic file. The management system according to appendix A3 to appendix A8, wherein the file access management server manages the transmission request.

(Appendix A14)
The personal information exploration program is for causing a computer to realize a function for determining whether or not a determination target file is a personal information file having a predetermined number or more of personal information elements that can identify a specific individual. Extraction means for extracting the text data included in the determination target file, extraction means for extracting the character section delimited by the delimiter from the text data extracted by the extraction means, and the extraction means It is a personal information element other than the name by determining whether or not the character string in the character section satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition The first judgment to judge whether it corresponds to any one of telephone number, e-mail address and address Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character A character determination unit that determines whether the character is within the predetermined range and is determined to be a kanji by the character determination unit, a character or a character string included in the character segment and a name that cannot appear in a name Collating means for judging whether or not the character section includes the inappropriate character or the inappropriate character string by collating the inappropriate character or the inappropriate character string preset as a sequence; and The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by one judging means and the matching means And counting the number of character sections determined not to include the inappropriate character or the inappropriate character string, and based on the count result, whether or not the determination target file is a personal information file. A personal / confidential information management program that causes the computer to function as second determination means for determining.

(Appendix A15)
In the first determination means, it is determined whether or not the character string in the character section cut out by the cutting means corresponds to a telephone number, and if it does not correspond to a telephone number, whether or not it corresponds to an e-mail address. If it does not correspond to an e-mail address, it is determined whether or not it corresponds to an address, and when it is determined that it corresponds to any one of a telephone number, an e-mail address, and an address, the character string The personal information exploration program described in appendix A14, which ends the determination process for.

(Appendix A16)
The second determination means regards the character string in the character section determined not to include the inappropriate character or the inappropriate character string by the matching means as a personal information element corresponding to the name, and the determination target file is A personal information search program described in appendix A14 for determining whether the file is a personal information file.

(Appendix A17)
Further, the second determination means determines the number of character sections determined by the first determination means to correspond to any one of a telephone number, an e-mail address, and an address based on the counting result and the collation A determination value that increases as the number of character sections determined not to include the inappropriate character or inappropriate character string by the means increases, and the determination is made when the calculated determination value exceeds a predetermined threshold The personal information search program described in appendix A14, which determines that the target file is a personal information file.

(Appendix A18)
The personal / confidential information management server manages the determination target file according to the determination value calculated by the second determination unit, or the first personal information search unit or the second personal information search unit. The personal information search program according to appendix A14, which manages the personal information file searched by the second determination means and manages the personal information file according to the determination value calculated by the second determination means.

(Appendix B1)
Multiple user terminals,
The plurality of user terminals are connected to each other via a network so as to be communicable with each other, and have a personal / confidential information management server for managing personal information files in the plurality of user terminals,
The plurality of user terminals include a user terminal in which a personal information search program for executing a search for a personal information file is resident, and a user terminal in which the personal information search program is not resident,
The user terminal is
First personal information exploration means for exploring a personal information file by executing the personal information exploration program;
Detecting means for detecting addition / change of a file in the user terminal;
When the addition / change of a file is detected by the detection means, the personal information search program is started, and the real-time search is performed to determine whether the added / changed file is a personal information file. First control means to be executed by the information search means;
A transmission means for transmitting a determination result by the first personal information search means to the personal / confidential information management server via the network when the first personal information search means determines that the file is a personal information file; Composed,
The personal / confidential information management server
A second personal information exploration means for exploring a personal information file in the user terminal via the network by executing the personal information exploration program;
File information storage means for storing information about the file in the user terminal at the time when the personal information file was last searched by the second personal information search means;
A file added / changed between the time when the latest information about the file in the user terminal and the information stored in the file information storage means are compared and the personal information file is last searched and until the present time. A difference extracting means for periodically extracting from the user terminal via the network as a difference file;
And a second control means for causing the second personal information search means to execute a periodic search for determining whether or not the difference file extracted by the difference extraction means is a personal information file. A characteristic management system.

(Appendix B2)
The first control means causes the first personal information search means to first search the personal information file for all data in the user terminal and then execute the real-time search. The management system according to Appendix B1.

(Appendix B3)
The second control means causes the second personal information search means to first search the personal information file for all data in the user terminal and then execute the periodic search. The management system according to Supplementary Note B1 or Supplementary Note B2.

(Appendix B4)
The management system according to any one of Appendix B1 to Appendix B3, wherein the file information storage unit stores at least a file creation / update date, file size, and file name as information about the file. .

(Appendix B5)
The personal / confidential information management server
The apparatus further includes an installation unit that installs the personal information search program in response to a request from the user of the user terminal for the user terminal connected to the network. The management system according to any one of B1 to Appendix B4.

(Appendix B6)
The personal / confidential information management server
Appendices B1 to B1, further comprising digital signature means for giving a digital signature to the personal information file searched by the first personal information search means or the second personal information search means The management system according to any one of B5.

(Appendix B7)
The personal / confidential information management server forcibly collects the personal information file from the user terminal storing the personal information file searched by the first personal information searching means or the second personal information searching means. The management system according to any one of Supplementary Notes B1 to B6, characterized by:

(Appendix B8)
The management system according to appendix B7, wherein the personal / confidential information management server stores the collected personal information file in a folder accessible only to the administrator.

(Appendix B9)
The personal / confidential information management server outputs the personal information file to the outside from the user terminal storing the personal information file searched by the first personal information searching means or the second personal information searching means. Is forcibly prohibited. The management system according to any one of Supplementary Notes B1 to B6.

(Appendix B10)
The personal / confidential information management server notifies warning information to a user terminal storing a personal information file searched by the first personal information searching means or the second personal information searching means. The management system according to any one of Appendix B1 to Appendix B6.

(Appendix B11)
Each of the plurality of user terminals
The personal information file searched by the first personal information searching means or the second personal information searching means is monitored, and when access to the personal information file occurs, the personal / confidential information management server is notified of the fact. The management system according to any one of Appendix B1 to Appendix B6, further comprising an access monitoring unit 1400.

(Appendix B12)
A file access management server connected to the personal / confidential information management server so as to be able to communicate with each other and managing access to the electronic file;
Supplementary notes B1 to B1, wherein the personal / confidential information management server causes the file access management server to manage access to the personal information file searched by the first personal information search means or the second personal information search means The management system according to any one of Appendix B11.

(Appendix B13)
The personal information exploration program is
In order for a computer to realize a function of determining whether a determination target file is a personal information file having a predetermined number or more of personal information elements that can identify a specific individual,
Extraction means for extracting text data included in the determination target file;
Cutting means for cutting out character sections delimited by delimiters from the text data extracted by the extracting means;
By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, A first judging means for judging whether or not any one of a telephone number, an e-mail address and an address which is a personal information element other than the name;
Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, e-mail address, and address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character judging means for judging,
A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for determining whether or not the character section includes the inappropriate character or the inappropriate character string by verifying the appropriate character or the inappropriate character string, and
The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or the inappropriate character string is not included by the matching means The number of character sections determined is counted, and the computer is caused to function as second determination means for determining whether the determination target file is a personal information file based on the count result. The management system according to any one of Appendix B1 to Appendix B12.

(Appendix B14)
In the first determination means, it is determined whether or not the character string in the character section cut out by the cutting means corresponds to a telephone number, and if it does not correspond to a telephone number, whether or not it corresponds to an e-mail address. If it does not correspond to an e-mail address, it is determined whether or not it corresponds to an address, and when it is determined that it corresponds to any one of a telephone number, an e-mail address, and an address, the character string The management system according to Supplementary Note B13, characterized in that the determination process is terminated.

(Appendix B15)
The second determination means regards the character string in the character section determined not to include the inappropriate character or the inappropriate character string by the matching means as a personal information element corresponding to the name, and the determination target file is The management system according to appendix B13 or appendix B14, wherein it is determined whether the file is a personal information file.

(Appendix B16)
The second determining means determines the number of character sections determined by the first determining means to correspond to any one of a telephone number, an e-mail address, and an address based on the counting result and the matching means. A determination value that increases as the number of character sections determined not to include the inappropriate character or inappropriate character string increases, and when the calculated determination value exceeds a predetermined threshold, the determination target file The management system according to any one of Supplementary Note B13 to Supplementary Note B15, wherein it is determined that is a personal information file.

(Appendix B17)
The management system according to appendix B16, wherein the personal / confidential information management server manages the determination target file in accordance with the determination value calculated by the second determination unit.

(Appendix B18)
The personal / confidential information management server manages the personal information file searched by the first personal information search means or the second personal information search means, and according to the determination value calculated by the second determination means. The management system according to appendix B16 or appendix B17, wherein the personal information file is managed.

(Appendix B19)
Storage means for storing a determination result when it is determined that the electronic file is a personal information file;
A function of transmitting the contents of the electronic file to an external recording medium or another computer in response to a command such as transmission of the electronic file, and when the electronic file is determined to be a personal information file, transmission of the electronic file, etc. And an operation restriction control means for stopping the operation,
The management system according to appendix B1 to appendix B18, wherein

(Appendix B20)
Storage means for storing a determination result when it is determined that the electronic file is a personal information file;
A function of transmitting the contents of the electronic file to an external recording medium or another computer in response to a command such as transmission of the electronic file, and when the electronic file is determined to be a personal information file, transmission of the electronic file, etc. An operation restriction control means for restricting,
The management system according to appendix B1 to appendix B19, which is characterized by that.

(Appendix B21)
Storage means for storing a determination result when it is determined that the electronic file is a personal information file;
A function of displaying the contents of the electronic file on the display unit according to the display instruction of the electronic file is provided, and when it is determined that the electronic file is a personal information file, the display of the display unit of the personal information file is stopped. Display control means, and
The management system according to appendix B1 to appendix B20, wherein

(Appendix B22)
Storage means for storing a determination result when it is determined that the electronic file is a personal information file;
A function to display the contents of the electronic file on the display unit in response to the display instruction of the electronic file, and restricting the display of the personal information file on the display unit when it is determined that the electronic file is a personal information file Display control means to be configured,
The management system according to appendix B1 to appendix B20, wherein

(Appendix C1)
A management server that is connected to a user terminal so as to be able to communicate with each other via a network, and that manages a management target file having a predetermined number or more of personal information elements or confidential information elements in the user terminal,
Based on the result of the search for the management target file searched by the search means from the data in the storage unit of the user terminal, the management target file in the user terminal is grasped, and the management target file is accessed. Log collecting means for collecting and recording logs from the user terminal;
Management means for managing the user terminal based on the result of the search by the search means and / or the access log for the management target file collected and recorded by the log collection means. ,
Security in the user terminal for the management means to prevent outflow of the management target file from the user terminal based on the search result and / or the access log for the management target file A management server, wherein a level is changed and set, and the operation restriction of the user terminal is changed according to the security level.

(Appendix C2)
A management server that manages files to be managed that have a predetermined number of personal information elements or confidential information elements,
Log collection means for collecting and recording access logs of user terminals for the managed files;
Based on the access log collected and recorded by the log collecting means, the managing means for managing the user terminal,
When the management means determines whether or not to execute a search for specifying the management target file from the data in the storage unit of the user terminal based on the access log, and determines that the search is to be executed The security level of the user terminal is set based on the search result transmitted from the user terminal and / or the access log for the management target file. A management server characterized by changing / setting and changing the operation restriction of the user terminal according to the security level.

(Appendix C3)
The management means creates and creates public information on the access status of the management target file based on the result of the search and the access log for the management target file collected and recorded by the log collection means. The management server according to appendix 1 or appendix 2, characterized in that the published information is published.

(Appendix C4)
The public information includes a file name of the management target file, information that can specify the user terminal that has accessed the management target file, and information that can specify the owner of the user terminal. The management server according to supplementary note 3, wherein

(Appendix C5)
The management server according to any one of appendix 2 to appendix 4, wherein the public information includes a count result of the number of the management target files.

(Appendix C6)
The management server according to any one of appendix 2 to appendix 5, wherein the public information includes a total result of the number of accesses to the management target file.

(Appendix C7)
The user terminal is further provided with an investigation means for investigating whether or not a driver for an external storage medium is installed;
The management means manages the user terminal based on the access log for the management target file collected and recorded by the log collection means as a result of the search, and the result of the investigation by the investigation means. The management server according to any one of Supplementary Note 1 to Supplementary Note 6, wherein:

(Appendix C8)
The management means is a driver for the external storage medium based on the access log for the management target file collected and recorded by the log collection means as a result of the search, and the investigation result by the investigation means The management server according to appendix 7, characterized in that public information relating to a user terminal in which is installed is created and the created public information is made public.

(Appendix C9)
As the public information, information that can identify the user terminal that holds the management target file and installs the driver for the external storage medium, information that can identify the owner of the user terminal, 9. The management server according to appendix 8, characterized in that the file name of the management target file held in the user terminal is included.

(Appendix C10)
The management server according to appendix 9, wherein the public information includes the number of times the management target file has been written to the external storage medium executed by the user terminal.

(Appendix C11)
The management means changes / sets the security level in the user terminal based on the search result and the access log for the management target file collected / recorded by the log collection means, The access restriction on the file in the user terminal is changed according to the level, and the outflow of the management target file from the user terminal is prevented. The management server described in.

(Appendix C12)
For the user terminal that has executed the processing / operation related to the management target file, the management means sets the security level high to tighten the restriction on the access to the file, while the processing / operation related to the management target file. 12. The management server according to appendix 11, wherein for a user terminal that has not been executed for a predetermined period of time, the security level is set low to release or relax restrictions on file access.

(Appendix C13)
The management means sets a high security level for a user terminal that holds the management target file in the storage unit to tighten access restrictions on the file, while the management unit stores the management target file in the storage unit. 13. The management server according to appendix 11 or appendix 12, wherein the security level is set low for a user terminal that does not have a password to cancel or relax access restrictions on files.

(Appendix C14)
For the user terminal that is not set to an encryption function for automatically encrypting a file to be sent to the outside, the management means sets the security level to be high and tightens restrictions on access to the file, 14. The user terminal having the encryption function set according to any one of appendix 11 to appendix 13, characterized in that the security level is set low to release or relax access restrictions on files. Management server.

(Appendix C15)
For the user terminals that are accessing the browsing-prohibited sites, the management means sets the security level high to tighten the access restrictions on the files, while the users who do not access the browsing-prohibited sites 15. The management server according to any one of appendix 11 to appendix 14, wherein the security level of the terminal is set low to release or relax access restrictions on files.

(Appendix C16)
The management server according to any one of appendices 1 to 15, further comprising an installation unit that installs a program that causes a computer to function as the exploration unit in the user terminal.

(Appendix C17)
When the installation means detects that a user terminal not installed with the program is connected to the network, the program is installed on the user terminal, and the program is executed on the user terminal for management. 18. The management server according to appendix 16, wherein the presence / absence of a target file is determined.

(Appendix C18)
For the user terminal that has executed the processing / operation related to the management target file, the management means sets the security level high to tighten the operation restriction of the user terminal, while the processing related to the management target file / For user terminals that have not been operated for a predetermined period of time, the security level is set low, and the operation restrictions on the user terminals are released or relaxed, Management server described in the section.

(Appendix C19)
The management means sets a high security level for the user terminal that holds the management target file in the storage unit to tighten the restriction on the operation of the user terminal, while the management unit stores the management terminal in the storage unit. The user terminal that does not have the target file is set to a low security level to release or relax the operation restriction of the user terminal, according to any one of appendix 1 to appendix 18, Management server.

(Appendix C20)
For a user terminal that is not set with an encryption function for automatically encrypting a file sent to the outside, the management means sets the security level to be high so that the operation restriction of the user terminal is tightened. On the other hand, any one of appendix 1 to appendix 19, wherein the user terminal set with the encryption function is set to a low security level to release or relax the operation restriction of the user terminal. The management server according to one item.

(Appendix C21)
For the user terminal that is accessing the browsing-prohibited site, the management means sets the security level high to tighten the operational restrictions on the user terminal, while accessing the browsing-prohibited site. The management server according to any one of Supplementary Note 1 to Supplementary Note 20, wherein the security level is set low for a user terminal that does not exist, and the operation restriction of the user terminal is canceled or relaxed.

(Appendix C22)
The management server according to any one of Supplementary Note 1 to Supplementary Note 21, wherein the management unit restricts or prohibits Internet connection of the user terminal as an operation restriction of the user terminal.

(Appendix C23)
23. The management server according to appendix 22, wherein the management means changes the Internet connection status of the user terminal stepwise from a connectable status to a prohibited status according to the security level.

(Appendix C24)
The management means performs the mask display of the personal information element or the confidential information element in the contents when displaying the contents of the management target file on the user terminal as the operation restriction of the user terminal. The management server according to any one of 1 to 23.

(Appendix C25)
The management means determines whether or not display of the contents is permitted for the user terminal or the user of the user terminal, and performs the mask display if not permitted. 25. The management server according to appendix 24, wherein the mask display is not performed when the

(Appendix C26)
The management means determines whether the user terminal or the user of the user terminal belongs to the creation department of the management target file, and performs the mask display when not belonging, 25. The management server according to appendix 24, wherein the mask display is not performed when the user belongs.

(Appendix C27)
27. The management server according to any one of appendices 24 to 26, wherein the management unit changes a portion masked by the mask display stepwise according to the security level.

(Appendix C28)
The management means, as an operation restriction of the user terminal, performs mask printing of personal information elements or confidential information elements in the contents when the contents of the management target file are printed in the user terminal. The management server according to any one of 1 to 27.

(Appendix C29)
The management means determines whether or not printing of the content is permitted for the user terminal or the user of the user terminal, and if not permitted, performs the mask printing while being permitted. 25. The management server according to appendix 24, wherein the mask printing is not performed if the

(Appendix C30)
The management means determines whether the user terminal or the user himself / herself of the user terminal belongs to the creation department of the management target file, and performs the mask printing when the user terminal does not belong, 25. The management server according to appendix 24, wherein the mask printing is not performed when the user belongs.

(Appendix C31)
27. The management server according to any one of appendices 24 to 26, wherein the management unit changes a portion masked by the mask printing step by step according to the security level.

(Appendix C32)
When the management means restricts the operation of the user terminal, the management terminal causes the search means to search the storage unit by the user terminal, and transmits the search result to the management server. The management server according to any one of supplementary notes 1 to 31.

It is a block diagram which shows schematic structure of the management system (a management server and a user terminal) as one Embodiment of this invention. It is a flowchart for demonstrating the whole operation | movement of this embodiment. It is a block diagram which shows the structure of the management system (a management server and a user terminal) as one Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the management server of this embodiment. It is a flowchart for demonstrating operation | movement (the 1st example of a security evaluation method) of the evaluation means in the management server of this embodiment. It is a flowchart for demonstrating operation | movement (2nd example of a security evaluation method) of the evaluation means in the management server of this embodiment. It is a flowchart for demonstrating operation | movement (3rd example of a security evaluation method) of the evaluation means in the management server of this embodiment. It is a flowchart for demonstrating the environmental information collection operation | movement of each user terminal in the in-company system of this embodiment. It is a flowchart for demonstrating the electronic education operation | movement of each user terminal in the company system of this embodiment. It is a flowchart for demonstrating restriction | limiting operations, such as transmission of each user terminal in the in-company system of this embodiment. It is a block diagram which shows the detailed functional structure of the 1st personal information search means in the user terminal of this embodiment. It is a block diagram which shows the detailed functional structure of the 1st personal information search means in the user terminal of this embodiment. It is a block diagram which shows the function structure of the personal and confidential information management server of this embodiment. It is a block diagram which shows the function structure of the file access management server of this embodiment. It is a flowchart for demonstrating operation | movement of the user terminal of this embodiment. It is a flowchart for demonstrating operation | movement of the search means of this embodiment. It is a flowchart for demonstrating operation | movement of the personal and confidential information management server (management server) of this embodiment. It is a flowchart for demonstrating operation | movement of the personal and confidential information management server (management server) of this embodiment. It is a flowchart for demonstrating the authentication operation | movement by the function as a file access management server in the personal and confidential information management server (management server) of this embodiment. It is a flowchart for demonstrating the file conversion operation | movement by the function as a file access management server in the personal and confidential information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the personal / confidential information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the personal / confidential information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the personal / confidential information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the personal / confidential information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the personal / confidential information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the personal / confidential information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the personal / confidential information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the personal / confidential information management server (management server) of this embodiment.

Explanation of symbols

1 management system (security management service provision system)
10 Corporate system (internal system, corporate system)
11 User terminal 110 Processing unit 111 Environment information collection agent file execution means (environment information collection means)
112 First Electronic Education Agent File Execution Unit 113 Second Electronic Education Agent File Execution Unit 119 Operation Restriction Control Agent File Execution Unit 12 Local Communication Network (LAN)
13 Proxy Server 19 Printer 20 Management Server (Security Management Service Providing Server)
21 Environment information collection agent file transmission means (environment information collection means)
22 Environmental information receiving means (environmental information collecting means)
23 Evaluation means 24 Evaluation result notification means (notification means)
25 First electronic education control means 251 First electronic education agent file creation / holding means 252 First electronic education agent file transmission means 26 Judgment means 27 Warning means 28 Second electronic education control means 29 Operation restriction control means 281 Second electronic education Agent file creation / retention means 282 Second electronic education agent file transmission means 291 Operation restriction control agent file creation / retention means 292 Operation restriction control agent file transmission means 30 External communication network (network)

Claims (14)

Multiple user terminals,
A management server connected to the plurality of user terminals so as to communicate with each other, and managing the plurality of user terminals according to a management condition predetermined as a usage state of the user terminal;
Environmental information collecting means for collecting environmental information related to management conditions in each of the plurality of user terminals from each user terminal to the management server;
Each of the plurality of user terminals
A storage unit for holding data including electronic files;
Exploration means for identifying and exploring a management target file having a personal information element or a confidential information element from data in the storage unit;
A transmission unit configured to transmit a result of the search by the search unit to the management server via the network;
The management server
Based on the collected environmental information from each user terminal, and determining means for determining whether each user terminal meets the management condition,
An electronic education control means for executing on the user terminal an electronic education including matters related to the management conditions depending on the determination result satisfies the control conditions,
Log collection means for collecting and recording an access log for the management target file from the user terminal based on the search result for the user terminal that has not completed the electronic education;
Management means for limiting the operation of the user terminal according to the security level of the user terminal determined based on the access log for the management target file ,
Management system characterized by that. Multiple user terminals,
A management server connected to the plurality of user terminals so as to communicate with each other, and managing the plurality of user terminals according to a management condition predetermined as a usage state of the user terminal;
Environmental information collecting means for collecting environmental information related to management conditions in each of the plurality of user terminals from each user terminal to the management server;
Each of the plurality of user terminals
A storage unit for holding data including electronic files;
Exploration means for identifying and exploring a management target file having a predetermined number or more of personal information elements or confidential information elements from the data in the storage unit;
A transmission unit configured to transmit a result of the search by the search unit to the management server via the network;
The management server
Electronic education control means for causing the plurality of user terminals to execute electronic education including matters relating to the management condition ;
A determination unit based on the environment information at each user terminal that has been collected by the environment report collection means after the electronic education, to determine whether each user terminal meets the management conditions of the electronic education control means,
Log collection means for collecting and recording an access log for the management target file from the user terminal based on the search result for the user terminal determined not to satisfy the management condition;
Based on the access log for the management object file, the security level of the user terminal to change and set, it is configured to include a management means for changing the operation restriction of the user terminal in accordance with the security level Yes,
Management system characterized by that. Multiple user terminals,
A management server connected to the plurality of user terminals so as to communicate with each other, and managing the plurality of user terminals according to a management condition predetermined as a usage state of the user terminal;
Environmental information collecting means for collecting environmental information related to management conditions in each of the plurality of user terminals from each user terminal to the management server;
Each of the plurality of user terminals
A storage unit for holding data including electronic files;
Exploration means for identifying and exploring a management target file having a predetermined number or more of personal information elements or confidential information elements from the data in the storage unit;
A transmission unit configured to transmit a result of the search by the search unit to the management server via the network;
The management server
First electronic education control means for causing the plurality of user terminals to execute electronic education about security in general;
Judgment means for judging whether or not each user terminal satisfies a management condition based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the first electronic education control means. When,
A second electronic education control means for causing the user terminal determined not to satisfy the management conditions by the determination means to execute a detailed electronic education on matters relating to the management conditions;
The management condition satisfied though not with the determined user terminal or for the user terminals that do not complete the second electronic education, based on the result of the search, the use of access logs for the managed files Log collection means for collecting and recording from a user terminal,
Based on the access log for the management object file, the security level of the user terminal to change and set, it is configured to include a management means for changing the operation restriction of the user terminal in accordance with the security level Yes,
Management system characterized by that. The management means is
For the user terminal that has executed the process / operation related to the managed file,
While the security level is set high to tighten the operational restrictions of the user terminal, the security level is set low for user terminals that have not executed the process / operation related to the management target file for a predetermined period. Cancel or relax the restrictions on the operation of the user terminal,
The management system according to claim 2 or claim 3, wherein The management means is
For user terminals that have the managed file in the storage unit,
While setting the security level high to tighten the operational restrictions of the user terminal, for the user terminal that does not have the management target file in the storage unit, the security level is set low and the user terminal Remove or relax device restrictions,
The management system as described in any one of Claims 2-4 characterized by the above-mentioned. The management means is
For user terminals that do not have an encryption function that automatically encrypts files sent to the outside,
While setting the security level high to tighten the operation restriction of the user terminal, for the user terminal set with the encryption function, setting the security level low to restrict the operation of the user terminal Cancel or relax
The management system according to any one of claims 2 to 5, wherein: The management means is
For user terminals that access prohibited sites,
While setting the security level high to tighten the operational restrictions of the user terminal, the user terminal that does not access the browsing-prohibited site is set low and the operation of the user terminal Remove or relax restrictions,
The management system according to any one of Claims 2 to 6, wherein: The management means
As an operation restriction of the user terminal, the internet connection of the user terminal is restricted or prohibited.
The management system according to any one of claims 2 to 7, wherein The management means is
As the operation restriction of the user terminal, when displaying the contents of the management target file on the user terminal, a mask display of the personal information element or the confidential information element in the content is performed.
The management system according to any one of claims 2 to 8, wherein the management system is characterized. The management means is
As the operation restriction of the user terminal, when printing the contents of the management target file in the user terminal, mask printing of personal information elements or confidential information elements in the contents is performed.
The management system according to any one of claims 2 to 9, wherein the management system is characterized. The management means is
When restricting the operation of the user terminal, the user terminal searches the storage unit by the exploration means, and transmits the exploration result to the management server by the transmission means.
The management system according to any one of claims 2 to 10, wherein A management server that is connected to a user terminal so as to be able to communicate with each other via a network, and that manages a management target file having a predetermined number or more of personal information elements or confidential information elements in the user terminal,
Environmental information collecting means for collecting environmental information related to management conditions in each of the plurality of user terminals from each user terminal to the management server;
Electronic education control means for causing the plurality of user terminals to execute electronic education including matters relating to the management condition ;
A determination unit based on the environment information at each user terminal that has been collected by the environment report collection means after the electronic education, to determine whether each user terminal meets the management conditions of the electronic education control means,
For the user terminal determined not to satisfy the management condition, the management target is searched based on the search result of the management target file searched by the searching means from the data in the storage unit of the user terminal. Log collection means for collecting and recording access logs for files from the user terminal;
Based on the access log for the management object file, and a management unit configured to change and set the security level in the user terminal changes the operating limit of the user terminal in accordance with the security level,
A management server characterized by comprising: A management program that allows a computer to function as a management server that is connected to a plurality of user terminals in a mutually communicable manner and manages the plurality of user terminals in accordance with management conditions that are predetermined as user terminal use states. There,
Environmental information collecting means for collecting environmental information related to management conditions in each of the plurality of user terminals from each user terminal to the management server;
Based on the environment information collected from each user terminal, determining means for determining whether each user terminal meets the management condition,
Electronic educational control means for executing an electronic education including matters related to the management conditions depending on the determination result satisfies the condition file to the plurality of user terminals,
For the user terminal that has not completed the electronic education, access to the management target file based on the search result of the management target file searched by the searching means from the data in the storage unit of the user terminal Log collection means for collecting and recording logs from the user terminal;
Management means for changing the operation restriction of the user terminal according to the security level in the user terminal determined based on the access log for the management target file ;
A management program for causing the computer to function as A management program that allows a computer to function as a management server that is connected to a plurality of user terminals in a mutually communicable manner and manages the plurality of user terminals in accordance with management conditions that are predetermined as user terminal use states. There,
Environmental information collecting means for collecting environmental information related to management conditions in each of the plurality of user terminals from each user terminal to the management server;
Electronic education control means for causing the plurality of user terminals to execute electronic education including matters relating to the management conditions ;
Determination means based on the environmental information in each user terminal that has been collected by the environment report collection means after the electronic education by electronic education control means determines whether each user terminal meets the management condition,
For the user terminal determined not to satisfy the management condition, the management target is searched based on the search result of the management target file searched by the searching means from the data in the storage unit of the user terminal. Log collection means for collecting and recording access logs for files from the user terminal;
Based on the access log to said management object file, the security level of the user terminal to change and set, to change the operation restriction of the user terminal in accordance with the security level management means,
A management program for causing the computer to function as

Images