JP5405921B2 - Task management system and security management support system - Google Patents

Description

  The present invention relates to a task management technique, and more particularly to a technique that is effective when applied to a task management system that manages tasks for which work is instructed top-down in an organization such as a company.

  In workflow management in which a business flow in a company or the like is controlled and managed by a computer system, a unit of work is assigned to each department / department or person in charge as a task, and its progress is managed. In the business managed by such workflow management, workflows and tasks are generally generated by the lower department / lower department or the actual person who is the origin of the actual business, It is a series of business flows from the lower to the higher in the hierarchical structure of the organization, that is, a business having an upward vector, such as being applied for and approved by the head.

  In workflow management, in general, a person in charge is assigned to each task of a predefined workflow either statically or dynamically according to the execution status of the workflow. At this time, as described in, for example, Japanese Patent Laid-Open No. 8-95877 (Patent Document 1), a certain task can be assigned to a plurality of persons in a broadcast manner, or Japanese Patent Laid-Open No. 2007-179251. As described in Japanese Patent Publication (Patent Document 2), a person in charge who is assigned a task can delegate the task to another person in charge. In general, the progress of the entire workflow is determined by managing the progress of these tasks.

JP-A-8-95877 JP 2007-179251 A

  On the other hand, in a hierarchical organization such as a company, for example, the management layer instructs the immediate subordinate departments to carry out the work in a simultaneous broadcast, and the subordinate departments also instruct the closest subordinate departments the same instructions. The task is delivered to the person in charge at the end of the hierarchical structure, and the tasks are instructed in a one-to-many amplification according to the hierarchical structure of the organization from the top down to the bottom, that is, down Many businesses have a vector of directions.

  The progress management of each task in such a business is often difficult to handle with the workflow management mechanism as described above, and at present, it is still confirmed individually by telephone or e-mail and tabulated manually. There are many cases. In addition, the deeper the organization's hierarchical structure, the more complicated the number of subordinate departments and persons in charge who confirm progress is one-to-many, so it becomes more complicated to manage task progress and results. .

  SUMMARY OF THE INVENTION An object of the present invention is to provide a task management system capable of instructing tasks to be deployed from the top department or the person in charge thereof and managing the implementation status in an organization having a hierarchical structure such as a company. There is. The above and other objects and novel features of the present invention will be apparent from the description of this specification and the accompanying drawings.

  Of the inventions disclosed in this application, the outline of typical ones will be briefly described as follows.

  In a task management system according to a representative embodiment of the present invention, in an organization composed of a plurality of departments having a hierarchical structure, work from a person in charge of a hierarchy in the department to a person in charge of a subordinate in the hierarchy is performed. A task management system that includes a task management server that holds task information that is an execution instruction and manages the execution status of the task, and a client terminal that is connected to the task management server via a network. It has characteristics.

  That is, in the task management system, the task management server is configured to respond to a request from a user in each department via the client terminal to one or more persons in charge of the user in the hierarchical structure of the department. The task to be instructed is newly created, and a task progress for managing the progress rate and status of the work related to the task is created for each person who has received the task instruction. And the task operation unit that corrects and updates the contents of the task and the task progress registered in the database in response to a request from the user in each department via the client terminal. And the database according to a request from the user via the client terminal. Among the one or more task progresses registered in the task, a task information acquisition unit that acquires and outputs the task progress information related to the user, and a request from the user via the client terminal, An implementation status management unit that calculates and outputs an implementation status for the task instructed by the user, and stores and manages information on the user and the department that uses the task management system and its hierarchical structure in the database. And a management unit.

  Among the inventions disclosed in the present application, effects obtained by typical ones will be briefly described as follows.

  According to a typical embodiment of the present invention, in an organization having a hierarchical structure such as a company, a task for instructing work to a person in charge in a hierarchical structure of a department is created, and the task is instructed. Create task progress to manage the progress rate and status of work related to the task in units of the person in charge, and store this information in the database to manage it based on the hierarchical structure of the organization Can be easily performed, and the implementation status including the calculation of the task implementation rate and the limitation of the reference range of the task information can be managed.

It is a figure which shows the outline | summary of the structural example of the task management system which is Embodiment 1 of this invention. It is a figure which shows an example about a part of hierarchy structure of the general organization in the enterprise etc. to which the task management system of one embodiment of this invention is applied. It is a figure explaining the concept of the task managed in the task management system of one embodiment of this invention. It is an example of the state transition diagram of the task (task progress) in the task management system of one embodiment of this invention. It is the figure which showed the structural example of the table of user and department DB in Embodiment 1 of this invention. (A), (b) is the figure which showed the example of the structure of the table of task DB in Embodiment 1 of this invention, and the example of concrete data. (A), (b) is the figure which showed the example of the structure of the table of task progress DB in Embodiment 1 of this invention, and the example of concrete data. It is the figure which showed the example of the top screen which displays the information of the task relevant to the user in Embodiment 1 of this invention. It is the figure which showed the example of the screen which newly creates the task in Embodiment 1 of this invention. It is the figure which showed the example of the screen which updates the progress condition (status) of the task progress in Embodiment 1 of this invention. It is the figure which showed the example of the screen which displays the result which carried out the horizontal comparison of the implementation status of the task progress in Embodiment 1 of this invention. It is the figure which showed the example of the screen which displays the result of having compared the implementation status of the task progress in Embodiment 1 of this invention. It is a flowchart which shows the example of the flow of a process which calculates the implementation rate of the task progress in Embodiment 1 of this invention. It is a flowchart which shows the example of the flow of a process at the time of carrying out the horizontal comparison of the implementation status of the task progress in Embodiment 1 of this invention. It is a flowchart which shows the example of the flow of a process at the time of performing the lower comparison of the implementation status of the task progress in Embodiment 1 of this invention. It is a figure which shows the outline | summary of the structural example of the security management assistance system which is Embodiment 2 of this invention. It is the figure which showed the outline | summary of the flow of the security management operation | work using the security management assistance system which is Embodiment 2 of this invention. It is the figure which showed the structural example of the table of asset DB in Embodiment 2 of this invention. It is the figure which showed the structural example of the table of management policy DB in Embodiment 2 of this invention. It is the figure which showed the structural example of the table of plan formulation DB in Embodiment 2 of this invention. It is the figure which showed the structural example of the table of diagnostic DB in Embodiment 2 of this invention. It is the figure which showed the example of the security diagnostic screen which displays the diagnostic result of the present security level in Embodiment 2 of this invention. It is the figure which showed the example of the department comparison screen which compares and displays the diagnostic result of the present security level in Embodiment 2 of this invention for every department. It is the figure which showed the example of the radar chart screen which compares and displays the diagnostic result of the present security level in Embodiment 2 of this invention for every management policy category. It is the figure which showed the example of the aged prediction actual comparison screen which compares and displays the value of the target security level in Embodiment 2 of this invention, and the value of the security level so far. It is the figure which showed the example of the diagnostic details inquiry screen which displays the diagnostic result of the present security level in Embodiment 2 of this invention in detail for every management policy. It is the figure which showed the example of the diagnostic details inquiry (detail) screen which displays the diagnostic result of the present security level in Embodiment 2 of this invention in detail for every asset. It is the figure which showed the example of the own department target setting screen which sets the target of the security level of the own department in Embodiment 2 of this invention. It is the figure which showed the example of the subordinate department target setting screen which sets the target of the security level of the subordinate department in Embodiment 2 of this invention. It is the figure which showed the example of the plan formulation screen in Embodiment 2 of this invention. It is the figure which showed the example of the diagnostic details input screen which inputs the diagnostic result of the security countermeasure of the own department in Embodiment 2 of this invention. It is the figure which showed the example of the diagnostic details input (details) screen which inputs the diagnostic result of the security countermeasure of the own department in Embodiment 2 of this invention for every asset.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted.

<Overview>
In the following, first, an overview of tasks and a hierarchical structure of tasks in the task management system according to an embodiment of the present invention will be described. FIG. 2 is a diagram illustrating an example of a part of a hierarchical structure of a general organization such as a company to which the task management system is applied. For example, a sales headquarters, information system headquarters, and business headquarters are organized under the head of the chief information security officer (CISO). Each headquarters has a headquarters as a responsible person.

  In addition, under the sales headquarters, for example, a sales department and two departments are organized, and each has a general manager as a responsible person. In addition, two employees are registered as general employees in the first and second sales departments. Similarly, under the information system headquarters, for example, an information system department and a base system department are organized, and each has a general manager as a responsible person. In addition, the information system department has two employees as general employees.

  Here, the sales headquarters, the information system headquarters, and the business headquarters whose upper organization is common in CISO are organizations in the same hierarchy. Similarly, in the sales part and the second part, the upper organization is common to the sales headquarters and is the organization of the same hierarchy. In addition, the information system unit and the base system unit are organizations of the same hierarchy, with the upper organization being the information system headquarters. In the example of FIG. 2, the business headquarters and the infrastructure system department do not have subordinate departments or employees who belong to them.

  FIG. 3 is a diagram for explaining the concept of tasks managed in the task management system. A task here is an instruction to perform work from a higher-level person in charge in the hierarchical structure of the organization to a lower-level person in charge. FIG. 3 shows an example in which the work of “updating the PC asset management ledger” that needs to be implemented by the entire company as a management measure in security management at the company is instructed as a task by the CISO in the organizational hierarchy of FIG. It is said.

  The CISO is the starting point of the task, and first instructs the task (T1) called “Updating PC Asset Management Ledger” to the head of the sales headquarters, the head of the information system headquarters, and the head of the business headquarters who are in charge of the subordinate organization. doing. That is, in the task (T1), the instructor is CISO, and each of the three heads is an instruction receiver. In this way, tasks can be instructed to a plurality of persons in charge. The task (T1) designated by the person in charge (CISO) that is the starting point of the task is identified as the original task.

  The status of each task is managed in units of task instruction recipients. The head of the sales headquarters who is the recipient of the task (T1) re-instructs the task to the head of the sales department and the head of the department in charge of the organization under the organization (hereinafter referred to as “reassignment”) There is). Therefore, for the task (T1), the status is “instructed” for the portion where the head of the sales headquarters is the instruction recipient. The status management unit for each task instruction recipient in the task is hereinafter referred to as “task progress”.

  Like the head of the sales headquarters, the head of the information system headquarters also reassigns tasks to the head of the information system headquarters and the base system headquarters who are responsible for the subordinate organization. The status of the task progress is “instructed”. On the other hand, the general manager of the business headquarters does not have a subordinate organization or person in charge, so the task (T1) needs to be performed by himself. Since the general manager of the business headquarters has not reassigned the task (T1) and has not yet started work, the task progress status is “uninstructed”. The task progress status will be described later.

  The task (T2) reassigned from the general manager of the sales headquarters to the general manager of the sales department and the general manager of the second department is identified as a child task having the task (T1) as a parent task. For the task (T2), the instructor is the general manager of the sales headquarters, and each of the two general managers is the instruction receiver. The sales department manager who is the recipient of the task (T2) reassigns the task to sales departments # 1 and # 2 who are subordinates in charge. In addition, in the example of FIG. 3, since the sales department manager itself also has PC assets, it is necessary to carry out the work of “updating the PC asset management ledger”. Yes. Accordingly, the recipient of the task (T4) reassigned by the sales department manager includes the sales department manager himself in addition to the sales parts # 1 and # 2.

  The general manager of the sales department 2 who is the recipient of the task (T2) has not yet reassigned the task to the person in charge (sales department 2 # 1, # 2) and has started work on his own. Since there is no task, the status of the task progress is “not instructed”. In this case, as a general rule, the general manager of the Sales Department 2 can reassign the task to the person in charge and can carry out the task itself. If you do it yourself, you can no longer reassign the task. As described above, the hierarchical structure of tasks is configured based on the hierarchical structure of the organization, but is not necessarily the same configuration.

  In the task (T4), the sales part # 1 has not reassigned the task (T4) and has not yet started work, so the task progress status is “undesignated”. In addition, since the sales part # 2 has completed all of the “update of the PC asset management ledger”, the task progress status is “completed”. In addition, since the sales manager has started work on “update of PC asset management ledger”, the task progress status is “incomplete”.

  The other tasks (T3, T5) and task progress are the same as described above, and thus description thereof is omitted. In the figure, the letters (“A” to “L”) in parentheses attached to the names of the instructor / instructor of each task (task progress) represent the user ID of each person in charge. It shall be.

  FIG. 4 is an example of a state transition diagram of a task (task progress). When a task is instructed (or reassigned) from the instructor to the instruction receiver, the initial status of the task progress status in the instruction receiver is not instructed (S1). In this state, the instruction recipient has not reassigned the task and has not yet started to perform the task.

  In the state where the status is not instructed (S1), the instruction recipient can reassign the task to a subordinate person in principle as described above, or can carry out the work by himself / herself. When the task is reassigned, the task progress status of the instruction recipient is changed to instructed (S3). The task progress that has transitioned to instructed (S3) can no longer be changed in status because the instructee can no longer perform work related to the task progress.

  In principle, a task can be reassigned to a subordinate person in charge, but cannot be reassigned in the case of a task instructed by the instructor to be designated as “not reassignable”. That is, it must carry out the work itself. In the case of an instruction recipient at the end where there is no subordinate person in charge, it is virtually impossible to reassign. Regarding the progress of these tasks, it is not possible to transition to the instructed status (S3).

  On the other hand, when the instruction recipient designates “uncompleted” as the task progress status from the state in which the status is not instructed (S1), the task progress status transitions to incomplete (S2). Instead of designating “incomplete” as the task progress status, it is incomplete by specifying a progress rate (for example, “50%”) indicating that a part of the work related to the task progress has been executed (S2). ). In addition, when a newly designated task cannot be reassigned, the instruction recipient himself inevitably performs the task, so the status automatically changes from uninstructed (S1) to incomplete (S2). . The progress rate at this time is 0%.

  When the status is incomplete (S2) and “incomplete” is specified as the task progress status (or when the work progress rate is updated), the task progress status is incomplete (S2) and remains unchanged. is there. Note that if “uninstructed” is designated as the task progress status (or 0% is designated as the work progress rate), it is also possible to return the status to uninstructed (S1).

  In addition, the task can be reassigned to a subordinate person under the circumstances that the status is incomplete (S2) and the work cannot be performed. In this case, the status changes to instructed (S3). Further, when the status is incomplete (S2) and “complete” is designated as the task progress status (or when 100% is designated as the work progress rate), the task progress status is completed (S4). Transition to and end. That is, since the status of the task progress whose status has been completed (S4) is not changed any more, it can be used as trail information that the task progress instructor has certainly worked. it can.

  As described above, in the task management system according to the present embodiment, a task that is expanded from the top department in a top-down manner can be expanded by reassignment based on the structure of the organizational hierarchy, and is managed as a parent task and a child task for each expanded hierarchy. To do. In the tasks of each hierarchy, the status is managed as task progress for each instruction recipient.

<Embodiment 1>
[System configuration]
Below, the task management system which is Embodiment 1 of this invention is demonstrated. FIG. 1 is a diagram showing an outline of a configuration example of a task management system according to the first embodiment of the present invention. The task management system 1 includes, for example, a task management server 100 and a database, and a client terminal 400 connected to the task management server 100 via a network such as the Internet or an in-house LAN.

  The task management server 100 is configured by server equipment including a computer system, and includes, for example, a task execution management unit 110, an execution status management unit 120, a management unit 130, and the like. Each of these units is implemented as a software program. For example, in response to a processing request from the client terminal 400 in cooperation with a Web server program (not shown) on the task management server 100, a predetermined process is performed. Processing such as presenting the screen is performed.

  The task execution management unit 110 includes, for example, a task operation unit 111 and a task information acquisition unit 112. The task operation unit 111 performs processing such as new creation (instruction) and reassignment of a task in response to a request from the user via the client terminal 400, and registers the information of the task together with the hierarchical structure information in the database. Also, task progress for managing the task progress rate and status is registered in the database in units of instruction recipients who have received instructions for the target task. Also, the database is updated by performing operations such as modification of task and task progress contents, update of progress status, and the like.

  The task information acquisition unit 112 receives task progress information related to the target user (a task instructed or reassigned by the user and the user in the task instructed by the user in response to a request from the user via the client terminal 400). Task progress) is obtained from the database and output.

  In response to a request from the user via the client terminal 400, the implementation status management unit 120 calculates an implementation status (execution rate, unexecuted person, etc.) for the task instructed by the user based on the hierarchical structure of the task. Output. In addition, the management unit 130 realizes a function of storing and managing information on users and departments using the task management system 1 and their hierarchical structure, other system information, and the like in a database. In addition, authentication at the time of user login is performed using the user information. Note that the configuration of each of the above-described parts is merely an example, and each part other than the above may further be included, or part or all of the above-described parts may be combined or further divided. Good.

  The task management server 100 further includes, for example, databases of a user / department DB 210, a task DB 260, and a task progress DB 270. The user / department DB 210 holds information such as users and departments and their hierarchical structure in an organization such as a company that uses the task management system 1. The task DB 260 holds information on tasks managed by the task management system 1 and their hierarchical structure.

  The task progress DB 270 holds information such as a status in units of instruction recipients (task progress) for each task held and managed in the task DB 260. These databases may be configured to be held directly by the task management server 100, or may be stored in another database server or the like and accessed via a network. Details of these databases will be described later.

  The client terminal 400 is a device that provides a user interface for using each function of the task management server 100 to a user (a person in charge of each department or the like), and includes a PC, a portable terminal, and the like. For example, a web browser (not shown) is provided, and a web server program (not shown) on the task management server 100 is linked via the network to give an instruction to execute the above function, or a screen of the execution result is presented to the user. To do.

Database configuration
FIG. 5 is a diagram showing a configuration example of a table of the user / department DB 210. The user / department DB 210 is a database that holds users and departments of companies and the like using the task management system 1 and their hierarchical structure. For example, the company table 211, the department table 212, the department table 213, and the responsible role table 214 are stored. , A roll table 215, and a user table 216. Note that the arrows between the tables in the figure indicate that, for example, when A → B, the relationship is A: B = 1: n (A has many Bs).

  The company table 211 includes items relating to company attributes such as a company ID and a company name, for example. The department table 212 includes items relating to the attributes of each department such as a department ID, company ID, upper department ID, department name, and location. By having the item of the upper department ID, the hierarchical structure of each department can be held and grasped. The role table 215 includes items such as a role ID, a company ID, and a role name, for example. The role name is a type of role (role) assigned to the user, such as “CISO”, “each department security administrator”, “general employee”, and the like. You may restrict | limit the function which can be utilized according to a user's role.

  The user table 216 includes items related to the attributes of each user such as a user ID, company ID, password, user name, and mail address. Data used for authentication when the user logs in to the task management system 1 and information such as an authentication result are also held. The department table 213 includes items such as a user ID and a department ID, and holds information on the department to which the user belongs. Since the department has a hierarchical structure, the department to which the user belongs may also cover a plurality of hierarchies (for example, a department to which the user belongs directly and its upper department, such as “XX department XX section”).

  The responsible role table 214 includes items such as a user ID and a role ID, and holds information on the role that the user is responsible for. In some cases, one user is in charge of multiple roles. The information in each table of the user / department DB 210 is registered in advance by the management unit 130 by, for example, a system administrator or a person in charge of personnel, and management such as updating is performed.

  6A and 6B are diagrams showing a configuration example of a table of the task DB 260 and specific data examples. The task DB 260 is a database that holds information on tasks managed by the task management system 1 and information on the hierarchical structure thereof, and includes, for example, a task table 261 and a category table 262.

  The task table 261 includes items relating to task attributes such as task ID, task title, due date, creation date, category ID, parent task ID, original task ID, and instructor user ID. The task here refers to a task (for example, T1 to T5) in each layer in the task hierarchy shown in FIG. 3, and a unique task ID is assigned by the task operation unit 111 for each task. By having the items of the parent task ID and the original task ID, it is possible to hold and grasp the hierarchical structure of the tasks described above. FIG. 6B shows an example of specific data in the task table 261 when the hierarchical structure of tasks shown in FIG. 3 is taken as an example.

  The category table 262 includes items for representing the type of task category, such as a category ID and a category name. The category name is, for example, “security measures” or “monthly report”.

  FIGS. 7A and 7B are diagrams showing a configuration example of the table of the task progress DB 270 and specific data examples. The task progress DB 270 is a database that holds information such as a status in units of instruction receivers (task progress) for each task held and managed in the task DB 260. For example, the task progress ID, task ID, instruction receiving A user progress ID, progress rate, status ID, completion flag, completion date, reassignment flag, and copy flag.

  A unique task progress ID is assigned by the task operation unit 111 for each task progress, and by having items of task ID and instruction receiver user ID, it is possible to grasp the task and the instruction receiver to which the task belongs. For each task progress, the progress rate and status status shown in FIG. 4 are held and managed.

  In the completion flag item, in order to make it easy to determine whether the task progress has been completed or not completed, the status ID indicating completion (S4) is set to “completed”, and other statuses are set to “uncompleted”. To do. The reassign flag item is a flag indicating whether or not “reassignment impossible” is specified by the task progress instructor, and the copy flag item indicates the task contents when reassigning. This is a flag indicating whether or not copying is permitted by the instructor.

  The status table 272 includes items for representing the type of task progress status, such as status ID and status name. The status name holds the name of each status shown in FIG. FIG. 7B shows an example of specific data in the task progress table 271 when the hierarchical structure of tasks shown in FIG. 3 is taken as an example. For the sake of convenience, the item of status ID indicates a value converted by the status name value of the status table 272 instead of the status ID value.

[Task execution management]
In the following, processing when the user accesses the task management server 100 via the client terminal 400 and performs operations for tasks such as new creation (instruction), reassignment, modification of contents, update of progress, etc. The contents will be described.

  When the user logs in to the task management server 100 from the client terminal 400, the task information acquisition unit 112 of the task execution management unit 110 refers to the task DB 260 and the task DB 270 and relates to the user as shown in FIG. A top screen for displaying information on tasks to be generated is generated and displayed on the client terminal 400.

  FIG. 8 shows a screen example when the general manager of the sales headquarters in FIGS. 2 and 3 logs in. In this screen, the “unprocessed task list” is displayed with a list of tasks progressing for the task for which the user is an instruction recipient and the status is not instructed (S1) or incomplete (S3). Yes. The task (task progress) displayed in the unprocessed task list requires execution or reassignment processing by the user. In addition, when the “instruction receiving list” button is pressed, all the task progresses including completion (S4) and instructed (S2) that the user is the instruction receiver are not shown. It is possible to display a list of

  Similarly, a list of tasks that are included in the task for which the user is the instructor and whose status is not instructed (S1) or incomplete (S3) is displayed as the “processing waiting task list”. Yes. The task (task progress) displayed in the list of tasks waiting to be processed is one that is instructed by the user and needs to be executed or reassigned by the instruction recipient (subordinate person in charge). In addition, when the “instruction list” button is pressed, it is a task progress included in the task for which the user is an instructor (not shown), and completion (S4) and instructed (S2) are also performed. It is possible to display a list of all included task progress.

  In this way, the range of tasks (task progress) that can be referenced by the logged-in user is limited, but the range (department, user, or organization) that can be referenced by the user's authority (department, role, etc.) It is also possible to control so that the hierarchy can be expanded.

  By pressing the “New” button on the screen of FIG. 8, the user can create and instruct a new task starting from the user. FIG. 9 is a diagram showing an example of a screen for creating a new task.

  In the screen of FIG. 9, the user can create a new task by setting information such as task name, category, content, person in charge (instructee). When specifying the person in charge, information on the hierarchical structure of the organization held in the user / department DB 210 can be provided by a pull-down menu, a list, etc., and task instructions along the hierarchical structure of the organization can be easily given. It can be carried out. At this time, for example, the task instruction range can be limited by controlling so that only the person in charge belonging to the department to which the user belongs and the person in charge in the department under his / her is displayed in the pull-down menu.

  In addition, when creating a task, whether or not to allow the person in charge of the task (instruction recipient) to reassign the task to a subordinate person in charge, and if so, the instruction recipient re-initiates the task. When assigning, it is possible to specify whether or not to permit copying and reassigning the contents of the task specified on the screen. The task operation unit 111 newly creates a task and a task progress in the task DB 260 and the task progress DB 270 according to these settings.

  Also, by pressing the “progress update” button for the task progress displayed in the “unprocessed task list” on the screen of FIG. 8, the status of the task progress can be updated. FIG. 10 is a diagram showing an example of a screen for updating the progress (status) of the task progress. In the screen of FIG. 10, the user can input a progress rate and a status according to the progress status of the actual work related to the task progress. The task operation unit 111 updates the contents of the task progress DB 270 according to the input contents.

  In addition, if the instructor has not specified that the task progress cannot be reassigned, the “Reassign” button can be pressed, and by pressing this button, the user is responsible for executing the task. Can be reassigned. At this time, a screen similar to the screen at the time of creating a new task shown in FIG. 9 is displayed, and the contents of the task and the person to be reassigned can be set.

  Note that if the instructor has not specified that the task content cannot be copied in the task progress, information such as the due date and content will be carried over to the reassigned task as it is on the task reassignment screen. Is done. The task operation unit 111 creates a newly reassigned task and task progress in the task DB 260 and the task progress DB 270 according to the setting contents.

  When the task progress rate is 100% and the status is completed (S4) on the screen of FIG. 10, the task progress disappears from the “unprocessed task list” of FIG. If the task is reassigned and the task progress status is indicated (S2), the task progress disappears from the “unprocessed task list” in FIG. 8 and is newly displayed in the “waiting task list”. The

  Further, by pressing the “correct” button for the task progress displayed in the “processing waiting task list” on the screen of FIG. 8, the reassigned task progress can be corrected. At this time, a screen similar to the screen at the time of newly creating a task shown in FIG. 9 is displayed, and information such as contents and due date can be corrected. In addition, when the person in charge changes due to personnel changes in the organization, it is possible to change the person in charge who is the instruction recipient. The task operation unit 111 updates the contents of the task progress DB 270 according to the correction contents.

  Further, by pressing the “deletion” button of the task progress displayed in the “processing waiting task list” on the screen of FIG. 8, the reassigned task progress can be deleted (instructions canceled). The task operation unit 111 deletes the designated task progress from the task progress DB 270.

  At this time, when there is no other task progress having the same task ID as the deleted task progress, that is, when all the task progresses included in the child task to which the task progress belongs are deleted, the task operation unit 111 The task progress of the parent task instructing the child task is identified with reference to the task DB 260 and the task progress DB 270, and the status is updated from instructed (S2) to not instructed (S3), and reassignment has not been performed. Shall.

[Task implementation status management]
Hereinafter, processing contents when the user accesses the task management server 100 via the client terminal 400 and refers to the information of the implementation status (execution rate, unexecuted person, etc.) based on the hierarchical structure of the task will be described.

  By pressing the “execution status” button for the task progress displayed in the “unprocessed task list” on the screen of FIG. 8 described above, the user can change the task progress execution status from the same instructor to the target task. Comparison (horizontal comparison) can be made with the task progress of other persons in charge who have received instructions / reassignments. FIG. 11 is a diagram illustrating an example of a screen that displays a result of a horizontal comparison of task progress implementation statuses.

  In the screen of FIG. 11, regarding the task instructed by the headquarters of the sales headquarters, the execution rate of the task progress between the head of the information system headquarters and the headquarters of the business headquarters is similarly received from the CISO. Comparison (horizontal comparison) is displayed. As a result, the progress status of the task (task progress) instructed by itself can be determined by comparing the progress status of the task progress related to other persons in charge in the hierarchically horizontal department.

The implementation rate (% and the number of cases) here is as follows. For example, the implementation status management unit 120 may, for all task progresses belonging to the lower level including itself in the task hierarchy,
Implementation rate = (number of completed (S4)) /
(Number of uninstructed (S1) or incomplete (S2) or (completed S4)) Expression (1)
It is calculated by the following formula. Details of the execution rate calculation process in the implementation status management unit 120 will be described later.

  In addition, by pressing the “Implementation Status” button for the task progress displayed in the “List of Tasks Awaiting Processing” on the screen of FIG. 8 described above, the user instructs the implementation status of the task progress by reassignment. It is possible to make a comparison (downward comparison) among the task progresses related to the subordinate personnel who have been subordinate. FIG. 12 is a diagram illustrating an example of a screen that displays a result of a lower comparison of task progress implementation statuses. In the screen of FIG. 12, the task progress rate calculated by the formula (1) is compared between the sales department manager and the sales department manager who are the instruction recipients for the task indicated by the head of sales headquarters (lower comparison). ) Is displayed.

  In the case of the lower comparison shown in FIG. 12, unlike the case of the horizontal comparison shown in FIG. 11, since the implementation status related to the department under its control is confirmed, for example, “incomplete / unexecuted” of FIG. The reference authority may be strengthened so that more detailed information such as incomplete items such as items and specific information of unimplemented persons can be referred to. In addition, if the person in charge instructs the subordinate person in charge by reassignment, the execution rate of those tasks is also calculated by equation (1) and displayed for each task hierarchy. Also good.

[Task implementation status management (processing flow)]
FIG. 13 is a flowchart illustrating an example of a flow of processing for calculating an execution rate for each task progress. As described above, the execution rate of a certain task progress can be obtained, for example, by calculating Formula (1) for all task progresses belonging to a lower level including itself in the task hierarchy. it can. This task progress execution rate calculation process is used in both the horizontal comparison and the lower comparison of the task execution statuses described above.

  In FIG. 13, the implementation status management unit 120 initializes the numerator and denominator values of the implementation rate in advance. Thereafter, when the task progress execution rate calculation process is started using the task progress (task progress ID) as an execution rate calculation target as an input parameter, it is first determined whether or not the status of the target task progress is instructed (S2). Confirm (S101).

  If the status is not instructed (S2) in step S101, it indicates that the target task progress has not been reassigned and is currently at the end of the task hierarchy. Therefore, 1 is added to the denominator of the implementation rate (S102). Next, it is confirmed whether or not the status of the target task progress is complete (S4) (S103). If the status is not complete (S4) (that is, if it is not instructed (S1) or incomplete (S3)), the target task progress instruction recipient is added to the list of incomplete users (S104), and the status is If it is completed (S4), 1 is added to the numerator of the implementation rate (S105), and the process ends.

  On the other hand, if the status is instructed (S2) in step S101, the target task progress has been reassigned, so the execution rate of the reassigned task is calculated from the target task progress. Therefore, first, the task progress DB 270 is referenced to determine the task (task ID) to which the target task progress belongs (S106).

  Next, referring to the task DB 260, it determines the child task (its task ID) in which the determined task is a parent task and the target task progress instructor is the instructor (S107). ). Specifically, in the task table 261, the values of the parent task ID and the instructor user ID are respectively the task ID of the target task progress and the value of the instruction receiver user ID acquired in step S106. A task satisfying the condition of matching is acquired, and this is set as a child task to be determined, and its task ID is acquired.

  Further, the task progress DB 270 is referred to, and the task progress (task progress ID) belonging to the determined child task is determined (S108). Note that the series of processing in steps S106 to S108 is described in chronological order for convenience, but it is also possible to perform batch processing in database access for the task DB 260 and task progress DB 270.

  Finally, for each task progress determined in step S108, the task progress execution rate calculation process is recursively called to calculate the execution rate for each task progress (S109), and the process ends. With the above processing, when a certain task progress is designated, the numerator and denominator values of the implementation rate for all the task progresses belonging to the lower level including itself can be calculated for the task progress.

  FIG. 14 is a flowchart illustrating an example of the flow of processing when performing a horizontal comparison of the task progress implementation status illustrated in FIG. 11. When the process is started, the implementation status management unit 120 first refers to the task progress DB 270 to determine the task progress (the task progress ID) belonging to the same task (having the same task ID) as the target task progress ( S201). This includes the target task progress itself. Next, for each determined task progress, the task progress execution rate calculation process shown in FIG. 13 is called to calculate the execution rate for each task progress (S202), and this is output in a format such as shown in FIG. (S203), and the process ends.

  FIG. 15 is a flowchart illustrating an example of a processing flow when the task progress implementation status illustrated in FIG. 12 is compared downward. When the process is started, the execution status management unit 120 calls the task progress execution rate calculation process shown in FIG. 13 for the target task progress, and calculates the execution rate of the target task progress (S301). Thereafter, for the target task progress and the reassigned lower-level task progress, the execution rate calculated in step S302 and the information on the incomplete person are output in a format as shown in FIG. 12, for example (S302). finish.

  In the lower comparison process shown in FIGS. 12 and 15, as described above, unlike the case of the horizontal comparison shown in FIGS. 11 and 14, it is a confirmation of the implementation status related to the department under its control. Information on incomplete persons recorded in the process of S301 is also output so that direct inquiries and the like can be made to the person in charge. In the case of horizontal comparison, the horizontal comparison with the target user is made hierarchically. It is limited to displaying only the summary of the implementation status of the person in charge (instructor) of the department.

  As described above, according to the task management system according to the first embodiment of the present invention, in an organization having a hierarchical structure such as a company, an operation is instructed to a person in charge in the hierarchical structure of a department. Create a task and create a task progress that manages the progress rate and status of the work related to the task for each person (instructor) who has received the instruction for the task. Can be held and managed. Further, by reassigning the designated task, the instruction can be expanded to a lower department, and these tasks can be managed as a hierarchical structure of tasks.

  This makes it easy to instruct and expand tasks based on the hierarchical structure of the organization, and manage the implementation status including calculation of the implementation rate and restriction of the scope of reference in a form according to the hierarchical structure of the organization (task). Can be performed. Furthermore, since the status is managed in units of task progress, it is possible to easily obtain a trail of work execution by each person in charge, and it is possible to easily deal with audits and the like. In addition, by keeping task hierarchy information separately from organization hierarchy information, it is possible to flexibly change the person in charge of tasks in the event of personnel changes or organizational changes. .

<Embodiment 2>
Below, the security management support system which is Embodiment 2 of this invention is demonstrated.

  In recent years, the importance of IT technology has increased with the rapid development of IT technology, and the degree of influence in the event of a failure or information leakage has increased, and it is an important issue for companies to take appropriate information security measures. It has become. However, it is difficult to recognize the effects of information security measures in a company, and it is difficult to judge what measures should be implemented to what extent because the goals are not visible. In some cases, excessive investment occurs, and so-called “measure fatigue” occurs.

  To date, solutions have been proposed in which the status of security measures (security level) and risks are visualized by quantifying them. These solutions can be broadly classified into administrative (human) approaches and technical approaches.

  As an administrative approach, for example, ISMS (Information Security Management System) (ISO (International Organization for Standardization)) / IEC (International Electrotechnical Commission), which is a certification standard for information security management systems of companies. : International Electrotechnical Commission) Acquiring various certifications for security standards such as 27001) and conducting risk assessment of companies using various risk analysis methods. Further, as a technical approach, for example, there is implementation of security management using tools such as SIM (Security Information Management) and log analysis tools.

  Further, for example, Japanese Patent Application Laid-Open No. 2003-150748 discloses that a security policy and information on an information system are converted into a data format for risk evaluation based on a predetermined application programming interface. A technology that performs risk assessment based on information on the security policy and information system of the system, selects control measures as appropriate based on the results of risk assessment, and modifies the security policy etc. according to the selected control measures to create control measure data. It is disclosed. At this time, by executing a security simulation using the control data, the result of risk evaluation can be reflected in the construction of the security policy.

  As described above, there are several methods and tools for quantifying the security level and risk, but none of them has reached a level at which security management can be performed from the management viewpoint of a company. For example, risk analysis tools, SIMs, etc. provide only partial functions, and the security level can be understood only by quantifying the current state, and future target setting based on the current security level It is not enough to support the decision of measures to be implemented to achieve the goal. Moreover, it is not possible to grasp and manage the security level for each of a plurality of bases and departments (hierarchies) in a company.

  In particular, large-scale organizations have many assets to be managed such as PCs and servers, and there are a wide variety of organizations to be managed such as bases, departments, and group companies, making security management operations complicated and extremely difficult to operate. is there. In addition, it is difficult to grasp the current state of the countermeasure level for each department, and since the difference in the countermeasure level for each department is large, it is also difficult to realize overall optimization. For example, it is very difficult to acquire ISMS authentication in a large-scale organization, and in fact, in most cases, it is acquired in units of departments / bases.

  In addition, since conventional techniques and tools for quantifying security levels require advanced specialized knowledge when used, in organizations such as corporations, evaluations based on quantification of security levels are limited to security management departments, etc. The fact is that specific departments with skills take over the evaluation of all departments at once. As a result, for each department (user department) at the site, security management becomes another person, making it difficult to spread security awareness widely to the user department.

  In order to effectively solve these problems, it is necessary to systematize security management "business". The “business” here includes various types such as identification and classification of information assets, grasping the current security countermeasure status, risk analysis, security countermeasure (risk response) target setting and management of the countermeasure status. Among these, for example, there are many tasks that should be carried out in the user department, such as identification of information assets and classification by importance setting, or cooperation with the user department, and the actual security measures themselves are also in the user department There are many countermeasures to be implemented in Japan.

  Therefore, especially in a large-scale organization, it is important for companies to be able to participate in the operation of security management operations by grasping the current state of security measures and security risks, and setting and managing targets. It is very important to realize efficient and effective security management.

  Therefore, the security management support system according to the present embodiment makes it possible for each organization to manage information related to information assets subject to security management in an organization such as a company. The purpose is to quantify the risk for each department and to grasp the current situation and set / manage the target in each department.

  That is, the security management support system according to the present embodiment systemizes security management “operations” in an organization such as a company. As this function, for example, information on information assets to be protected for each department Asset management function that manages the data in a distributed manner by inputting and updating information by the person in charge (user department) instead of the security management department etc., and quantifying the current security level and risk level It has a current state analysis function for grasping from various viewpoints such as different and countermeasure genres.

  In addition, it has a goal management function that supports the determination of future target levels based on the current security level and risk level, and the measures to be implemented to achieve the target levels. It has a business processing function that manages various instructions such as implementation of management measures, which are specific measures, and a series of work such as approval by a superior as a workflow or task.

  Here, due to the characteristics of security management operations in organizations such as corporations, security measures are implemented by ensuring that security measures are implemented throughout the entire company hierarchy or in the entire organizational hierarchy and tracking the implementation status. Analyzing and managing the level and security risk is the main.

  Therefore, the security management support system according to the present embodiment manages the implementation of the management measures that are instructed and deployed from the upper-level departments as a task as a task. The function of the task management system shown in is applied. As a result, tasks are managed in a hierarchical structure, and management of the implementation status such as the instruction and development of tasks (control measures) based on the hierarchical structure of the organization and the calculation of the implementation rate in a form according to the hierarchical structure of the organization. Can be performed, and can contribute to the quantification of the security level and the risk level.

[System configuration]
FIG. 16 is a diagram showing an outline of a configuration example of the security management support system according to the second embodiment of the present invention. The security management support system 5 includes, for example, a security management support server 500 and a client terminal 400 connected to the security management support server 500 via a network. Moreover, you may cooperate with the security management tool server 300 mentioned later via a network.

  The security management support server 500 is configured by server equipment including a computer system, and includes, for example, a current state analysis unit 510, a target management unit 520, a business processing unit 530, an asset management unit 540, a management unit 550, and the like. Each of these units is implemented as a software program. For example, in cooperation with a Web server program (not shown) on the security management support server 500, a processing request is received from the client terminal 400, and predetermined processing is performed. A processing result screen is presented, or predetermined processing is performed by batch processing such as daily.

  The current state analysis unit 510 registers a diagnosis result on the implementation status of the management policy (specific measures for security measures) for the assets held for each department in a database to be described later, and the diagnosis result registered in the database Based on this, the current security level or risk level in each department is scored based on the security standards to be managed, and the results of aggregation from various perspectives (counting methods) such as by department and countermeasure genre (control category) The present condition analysis function displayed on the terminal 400 is realized.

  The current status analysis unit 510 includes, for example, a security level diagnosis unit 511, a risk analysis unit 512, and a detailed analysis unit 513. The security level diagnosis unit 511 has a function of quantifying the security countermeasure status (security level) by a so-called baseline approach. The risk analysis unit 512 has a function of quantifying the security risk (risk level) by a so-called risk-based approach. The detailed analysis unit 513 has a function of analyzing the current state by aggregating security levels and risk levels from various viewpoints such as departments, management policy categories, and security standards, and presenting the analysis results to the user.

  The target management unit 520 supports the determination of the future target level based on the current security level and risk level for each department and the determination of measures to be implemented to achieve the target level. A target management function for registering or updating a target level of security level or risk level, a timing for achieving the target, and a measure to be implemented in a database to be described later is realized.

  The target management unit 520 includes, for example, each unit of a target setting unit 521, a plan formulation unit 522, and a pre-actual management unit 523. The target setting unit 521 has a function for a user to specify a target value of a security level or a risk level, and to set and register it as a target level together with the achievement deadline. The plan formulation unit 522 has a function for the user to specify a management policy necessary to achieve the target level set by the target setting unit 521. The predictive management unit 523 provides a function for the user to confirm the target level set by the target setting unit 521 and the degree of achievement thereof.

  The business processing unit 530 realizes a business processing function that manages various instructions such as implementation of management measures for employees and a series of business operations such as approval by a superior as workflows and tasks. Further, based on the information stored and managed by the security management support system 5, for example, it has functions such as extracting items necessary for internal audits and managing the results of internal audits. Good.

  In the security management support system 5 according to the present embodiment, the task management system 1 according to the first embodiment is provided in the task processing unit 530 in order to manage tasks that are instructed / deployed from the top department, such as implementation of management measures, as tasks. The functions of the task execution management unit 110 and the execution status management unit 120 are applied. Here, the management policy is a specific policy (work) for the asset held for each department as described above, and in order to manage this as the task described in the first embodiment, for example, the target asset The manager is instructed to perform a task of implementing a management measure for each manager (each owner in the case of a PC, server administrator in the case of a server device, etc.).

  The asset management unit 540 manages information on information assets to be protected (confidential information and file servers that hold the information, devices such as PCs, etc.) in a database, and manages them in the field (user department) instead of the security management department. Realizes asset management function that manages and distributes information by the person in charge entering and updating information.

  In addition, the management unit 550 realizes a function of managing users and departments using the security management support system 5 and other system information. In addition, authentication at the time of user login is performed. That is, it includes the function of the management unit 130 in the task management system of the first embodiment. Note that the configuration of each of the above-described parts is merely an example, and each part other than the above may further be included, or part or all of the above-described parts may be combined or further divided. Good.

  The security management support server 500 further includes a task DB 260 and a task progress DB 270 in the task management system 1 of the first embodiment, in addition to the user / department DB 210, the asset DB 220, the management policy DB 230, the plan formulation DB 240, and the diagnosis DB 250. Each database.

  The user / department DB 210 stores information such as users and departments of companies that use the security management support system 5 and their hierarchies, which are registered by the management unit 550. This database is equivalent to the user / department DB 210 in the task management system 1 of the first embodiment. The asset DB 220 holds information related to information assets (including importance and managers) registered by the asset management unit 540.

  The management policy DB 230 retains information on management policies for security measures and corresponding security standards, which are registered in advance by the management unit 550. The plan development DB 240 holds the target level for each department registered by the target management unit 520 and information on management measures for achieving the target level. The diagnosis DB 250 stores the diagnosis results on the implementation status of the management measures for each asset registered by the current status analysis unit 510 and the like, and summaries for the current status analysis of various aspects created by the current status analysis unit 510 based on the diagnosis results. Hold.

  Each database may be held directly by the security management support server 500, or may be held in another database server or the like and accessed via a network. Details of these databases will be described later.

  The security management tool server 300 is a server for general security management products, tools, etc., or existing in-house systems (hereinafter sometimes collectively referred to as “security management tools”). In particular, it is a server that holds security-related setting information (that is, the implementation status of management measures) for each PC. In general, these security management tools automatically determine and acquire security-related setting information by a program installed in a PC that is an asset management target, and send the security-related setting information to the security management tool server 300 via a network. This is centrally managed on the security management tool server 300.

  The current status analysis unit 510 of the security management support server 500 extracts the setting information of the asset management target PC collected and centrally managed by the security management tool server 300 in cooperation with the security management tool server 300, and converts the format. It is possible to import into the diagnosis DB 250 by, for example. Thereby, the work concerning registration of information assets can be greatly reduced. It should be noted that the security management tool server 300 may have a plurality of types according to the security management tool to be linked, or may not have when all information assets are manually registered. Further, instead of the independent server device as shown in FIG. 16, for example, the function may be provided on the security management support server 500.

  The client terminal 400 is a device that provides a user interface for using each function of the security management support server 500 to a user (a person in charge of the security management department, a person in charge of each department, etc.). Etc. For example, it has a web browser (not shown) and cooperates with a web server program (not shown) on the security management support server 500 via the network to give an instruction to execute the above function or present a screen of the execution result to the user. Or

[Process flow]
FIG. 17 is a diagram showing an outline of the flow of security management work using the security management support system 5. First, using the function of the current status analysis unit 510 of the security management support server 500, the security countermeasure status and the current level of security risk are analyzed for its own department and lower departments (S401).

  Next, using the function of the target management unit 520, the person in charge of each department sets the target level of the own department and the lower department (when there is a lower department) (S402). At this time, generally, for example, the target level is set to a numerical value with the goal of achieving a predetermined security standard (for example, ISMS certification standard or so-called Japanese version SOX method (Financial Instruments and Exchange Law)) by a predetermined time limit. Set. When setting the target level of the own department, if the target level is set by a higher-level department, the target setting is set so as not to fall below (can achieve the target). In addition, for the target level that has been set, control measures to be implemented and implementation deadlines are set so that this can be achieved.

  Next, the management policy set in each department is specifically implemented (S403). After that, each department conducts self-inspection of the implementation status of management measures in its own department, or an independent security audit department performs internal audits on the implementation status of management measures in each department, and uses the functions of the current status analysis section 510. The diagnosis result is registered / updated in the security management support system 5 (S404). The execution of step S403 and the self-inspection / internal audit of step S404 are repeated as needed, and the process returns to the current state analysis of step S401. Such a so-called PDCA (Plan-Do-Check-Act) cycle is repeated every quarter, for example, to manage the security management business. A processing example in each of the above steps will be described later.

Database configuration
FIG. 18 is a diagram illustrating a configuration example of a table of the asset DB 220. The asset DB 220 is a database that holds information about information assets that are security management targets. For example, an asset type table 221, an asset table 222, an asset type storage information table 223, an information table 224, and a system storage information 225 table. Consists of

  The asset type table 221 includes items relating to asset types such as asset type ID, asset type name, and asset category. The asset types are, for example, “desktop PC”, “notebook PC”, “portable terminal”, “recording medium”, “desk / cabinet”, “business system”, “OA system”, “network”, “organization” "Is a sub-category of managed assets. The asset classification is a broad classification classification of assets to be managed such as “PC”, “portable terminal”, “recording medium”, “desk / cabinet”, “system”, “network”, “organization”, and the like. .

  The asset table 222 includes, for example, each asset (such as asset ID, management department ID, asset type ID, asset name, administrator ID, user ID, storage location, amount, product name, serial number, security management tool key number). It has items related to attributes of (real assets). The item of the security management tool key number is an item that holds key information for identifying the target asset when the security management tool server 300 can automatically collect setting information and the like. .

  The information table 224 includes, for example, information ID, management department ID, information name, information classification, administrator ID, asset value classification (confidentiality, integrity, availability), asset value amount (confidentiality, integrity, availability), It has items related to personal information attributes and attributes of each information held by companies such as current users. The information category includes, for example, information such as “in-house personal information”, “customer personal information”, “in-house important information (strategy information, financial information, etc.)” and “in-house non-important information (other documents, records, etc.)”. Classification category.

  The asset value classification is, for example, 1 to 3 from the viewpoints of confidentiality (C: Confidentiality), integrity (I: Integrity), and availability (A: Availability), which are general risk evaluation viewpoints for information assets. The asset value (importance of the information) is evaluated by numerical values such as The asset value amount is obtained by evaluating the above asset value from the viewpoint of confidentiality, integrity, and availability. In the present embodiment, the level of risk of information can be evaluated by the asset value category, or can be evaluated by the asset value amount. Information on these asset values is input by, for example, each department security administrator.

  The asset type storage information table 223 has items such as an information ID and an asset type ID, for example, and holds information on the asset type to which each information belongs (stored). One piece of information may belong to multiple asset types. Further, the system storage information table 225 has items such as an information ID and an asset ID, and holds correspondence with the system (assets) when each information belongs to (stores) the system.

  That is, in order to evaluate the risk of each information asset, the security management support system 5 of the present embodiment basically does not directly link information and assets (actual items) but links information and asset types. The risk is evaluated based on the asset value (importance) of the information associated with the asset type unit. Although it is possible to perform a more precise risk assessment by evaluating the risk based on the asset value of the information linked in the asset (actual) unit, it is a great effort to manage in the asset (actual) unit in a large-scale organization. Cost. On the other hand, when the risk is evaluated based on the asset value of the information associated with the asset type unit, it is possible to easily perform the risk evaluation and obtain a result with an accuracy that is practically satisfactory.

  For assets with the asset classification “System”, the number of assets is smaller than that of ordinary PCs, etc., and the retained information has characteristics depending on the type of system, and the amount of data is large. In exceptional cases, assets (actual systems) are linked to information, and risk is evaluated on an asset basis. In addition, regarding assets whose asset classification (asset type) is “network” or “organization”, information is not held and information is not linked. That is, risk assessment based on the asset value of information is not performed. In addition, even if the asset category (asset type) falls under “desk / cabinet”, the office, data center, warehouse, etc. are not linked to information, but highly important information is always Treat as included.

  Information of each table of these asset DBs 220 is registered by the asset management unit 540 and managed, for example, by each department security administrator or the like.

  FIG. 19 is a diagram illustrating a configuration example of a table of the management policy DB 230. The management measure DB 230 is a database that holds management measures and security standard information including the management measures. For example, the security measure table 231, the control measure security reference table 232, the control measure table 233, the risk content table 234, the management The measure risk content table 235, the control measure execution department table 236, and the control measure execution pattern table 237 are configured.

  The security standard table 231 includes items such as a security standard ID and a security standard name, and holds security standard information that can be used as a management target as a base for quantifying (scoring) the security level. . The security standards include, for example, ISMS certification (ISO / IEC27001), FISC (The Center for Financial Industry Information Systems) safety measures standard, Japanese version SOX method, in-house security policy, and the like.

  The management policy table 233 includes items such as management policy ID, management policy name, management policy content, management policy category, determination means, question text, correspondence (confidentiality, integrity, availability), and the like, and security management The contents of individual measures in are retained. The control category categorizes the content of the control, for example, “secure setting”, “access management”, “e-commerce management”, “password management”, “outsourced party management”, “monitoring”, etc. Each management measure is classified.

  Judgment means is whether the user decides whether or not the control measure is implemented and inputs the result manually ("manual"), or is judged by external / internal audit even if it is manual input (“Manual (audit)”) or information indicating whether it is automatic determination by a security management tool (“automatic”). As a result, either the execution (determination) of diagnosis regarding the implementation status of the management measure or the registration of the diagnosis result is performed by a person other than the user and the case where the determination result is not, ie, the determination result is determined by a third party (“ It is possible to identify whether it is “manual (audit)” or “automatic”) or by self-determination (“manual”).

  The question text corresponds to the specific contents of the control measure, and is a question text for the user for determining whether or not the control measure has been implemented (for example, “Is the password more than xx characters? Etc.)). Further, the item of presence / absence of correspondence is a flag indicating whether or not the management measure corresponds to each viewpoint of confidentiality, integrity, and availability.

  The risk content table 234 has items such as risk content ID, risk content, and priority, for example, and holds the priority for each assumed risk content. The management policy security standard table 232 includes items such as management policy ID, security standard ID, standard weighting, document name, and clause number, and holds management policy information included in the contents of the security standard. One control may be commonly included in multiple security standards. The item of reference weighting is a weighting value due to different security standards included in the management policy. In addition, the items of document name and clause number are information for specifying to which part of the security standard the control measures correspond.

  The management policy risk content table 235 includes items such as a management policy ID and a risk content ID, and holds risk content information corresponding to the management policy. The management measure execution department table 236 has items such as a management measure ID and an execution department ID, for example, and holds information on the department that executes the management measure. Further, the management measure execution pattern table 237 has items such as a control measure ID, asset type ID, asset type weighting, control measure execution unit price, and to which asset type the control measure is applied. Holds information about the impact of the case. The asset type weighting item is a weighting value for different asset types to which the management policy is applied. Further, the item of the management measure execution unit price is an approximate cost when the management measure is executed for the target asset type, and is used for a simulation when a plan is described later.

  Information of each table in the management policy DB 230 is registered in advance by the management unit 550 by, for example, a system administrator or the like, and management such as updating is performed.

  FIG. 20 is a diagram illustrating a configuration example of a table of the plan development DB 240. The plan development DB 240 is a database that holds information on the target level for each department and the management measures for achieving the target level. For example, the target setting table 241, the risk target setting table 242, the plan formulation details table 243, the system plan It is composed of a table of formulation details table 244.

  The target setting table 241 includes items such as a department ID, creation reference date, target achievement date, own department setting target security level, and upper department setting target security level, and is set from the own department and the upper department. Maintain information on target security level (baseline approach) and deadline. Similarly, the risk target setting table 242 has items such as a department ID, creation reference date, target achievement date, own department set target risk level, higher department set target risk level, and the like. The target risk level (risk-based approach) and deadline information set from

  The plan development details table 243 has items such as a department ID, an asset type ID, a control policy ID, a creation reference date, a target achievement date, a plan setting category, and the like. The contents of the control measures to be implemented and the deadline information are retained. The system plan formulation details table 244 includes items such as a department ID, asset ID, control ID, creation reference date, target achievement date, plan setting classification, and the like. The information on the contents of the control measures to be implemented and the deadline for achievement are held.

  That is, in the security management support system 5 of the present embodiment, the setting unit of the management policy to be implemented is basically an asset type, not an asset (actual item). It is possible to evaluate the security level more precisely by setting and managing the management measures to be implemented in units of assets (actual items). However, management in units of assets in a large-scale organization requires a great deal of labor. As for the asset classification “system”, as described above, the management policy to be implemented is set not in the asset type unit but in the asset (system) unit. The item of the plan setting category in the plan formulation details table 243 and the system plan formulation details table 244 is a flag indicating whether or not the management measure is selected as an implementation target.

  The information in each table in the plan formulation DB 240 is used for the past / real comparison by the pre / real management unit 523 of the target management unit 520 and the simulation by the plan development unit 522, which will be described later. As a history record. The information in each table is registered by the target management unit 520 by, for example, a person in charge in each department, and management such as updating is performed.

  FIG. 21 is a diagram illustrating a configuration example of a table of the diagnosis DB 250. The diagnosis DB 250 is a database that holds security measure statuses and security risks for each asset, and a summary for analyzing the current status of various cut points created based on the security countermeasure status, and includes, for example, a diagnosis details table 251.

  The diagnostic details table 251 includes items such as asset ID, management policy ID, department ID, judgment result, judgment means, judgment result update date and time, and judgment of the implementation status of the management policy in each asset unit for each department. Input and hold the result information. The item of the determination result is represented by, for example, ◯ (performed), × (not performed), N / A (not applicable), and the like. Information in the diagnostic details table 251 is registered / updated by the current state analysis unit 510 by, for example, a person in charge of each department, for an asset whose determination means item is “manual” or “manual (audit)”. For assets whose determination means item is “automatic”, the determination result is automatically registered / updated based on the information acquired from the security management tool server 300.

  In the security management support system 5 of the present embodiment, the determination result of the implementation status of the management measures is input and managed in units of assets (actual items), but it is a great effort to input and manage in units of assets in a large-scale organization. Therefore, the workload is reduced by acquiring information from the security management tool server 300 and automatically registering it as described above, or by making it possible to input information in units of asset types as will be described later. . Note that the information in the diagnostic details table 251 is used for a comparison of aged and actual results by the pre- and actual management unit 523 of the target management unit 520, which will be described later. Therefore, when updated, the previous record is held as a history record.

  Although details will be described later, scoring of the security level in the baseline approach is performed by weighting the ratio of the number of implementations to the total number of management measures, for example. In addition, for scoring the risk level in the risk-based approach, for example, the scoring result of the security level in the baseline approach is further considered in consideration of a risk coefficient based on the asset value. In addition, the structure of each DB shown above is an example, and may have another DB, a table, and an item.

[Current situation analysis]
Hereinafter, processing contents in the security measure and security risk present level analysis (S401) in FIG. 17 will be described. When the user requests the client terminal 400 to perform a security level current state analysis via a main screen (not shown), the current state analysis unit 510 of the security management support server 500 refers to the contents of each DB, for example, as shown in FIG. As shown, a security diagnosis screen that displays the diagnosis result of the current security level is generated and displayed on the client terminal 400.

  In the example of FIG. 22, the security level and the risk level are scored for each designated security standard based on the implementation status of each management measure belonging to the designated control measure category for the designated department, and the result is it's shown.

The security level is scored by the security level diagnosis unit 511 of the current state analysis unit 510 by a baseline approach. Regarding the asset type of the asset (asset table 222) held by each department, the execution status determination result (diagnostic specification table 251) for each control measure (control measure execution pattern table 237) assigned according to the target security standard is displayed. Based on the asset level, the security level is
Security level =
Σ (weighting value x judgment result ○ (implemented) control measure) x 100
÷ Σ (weighting value x control result that is not the judgment result N / A) (2)
It is calculated by the following formula.

  Here, the weight value is, for example, the product of the reference weight value of the control policy security reference table 232 and the asset type weight value of the control measure execution pattern table 237, and the determination result is the determination result of the diagnostic details table 251. It is. In addition, here, the determination result ○ (completed) means that the task related to the execution instruction of the target management measure is the target department (instructor of the task) shown in FIGS. 12 and 15 of the first embodiment. It represents that the implementation rate in comparison is 100%.

  Further, Σ indicates that all the control measures assigned to the target asset are summed up. That is, it is calculated by weighting the ratio between the total number of management measures assigned to the target asset and the number of management measures that have been implemented (judgment result ○). Note that the higher the security level here, the better.

  In the example of FIG. 22, the security level is scored (aggregated) in units of departments, and the calculation according to the formula (2) is performed on the management policy assigned to all the assets held by the target department. Is. If the target department is not the department at the end of the hierarchy (site), an average of the security levels of the subordinate departments nearest to the department may be used.

Further, the risk level is scored by the risk analysis unit 512 of the current state analysis unit 510 by a risk-based approach. For example, based on the risk factor obtained from the information held in the asset type of the asset held by each department (information table 224), and the security level calculated by equation (2),
Risk level = Risk coefficient × (100−Security level) Equation (3)
It is calculated by the following formula.

  Here, the risk coefficient is a coefficient indicating the level of risk of information calculated based on the asset value of the information held in the asset held by the department. For example, the risk coefficient is held in the asset held by the department. The maximum value of each asset value category (confidentiality, integrity, availability) in the information table 224 of information is used. Thus, the risk level is calculated for each classification of confidentiality, integrity, and availability. The risk level here indicates that the lower the value, the better.

  In the security management support system 5 of the present embodiment, the risk coefficient is calculated based on the asset value category of the information table 224. As described above, the asset value amount (confidentiality, integrity, availability) of the information table 224 is used. ) Or other indicators for risk assessment may be used. In the security management support system 5 of the present embodiment, the security level and the risk level are scored by a relatively simple method using the above formulas (2) and (3). It may be a method or a scoring method that is different for each security standard.

  As shown in FIG. 22, the scored security level is displayed by, for example, a gauge with a maximum width of 100% together with the score. In addition, for the risk level, a score is displayed for each classification of confidentiality, integrity, and availability. Furthermore, as the third party determination ratio, the ratio of the target control measures based on the third party determination is displayed together with the gauge. As for the third party determination ratio, as described above, for example, the item of the determination result of the diagnosis details table 251 is “manual (audit)” or “automatic”, and the number is controlled according to the third party determination. As a percentage of the total number of Those having a high third party determination ratio can be determined to have high reliability of the diagnosis result.

  The user who refers to the security level diagnosis result for each security standard on the security diagnostic screen of FIG. 22 further performs various operations (aggregation) on the target security standard by, for example, operation with a pull-down menu on the right side of the screen and an “analysis” button. Method). Upon receiving the request for detailed analysis, the security management support server 500 performs detailed analysis with reference to the diagnostic details table 251 by the detailed analysis unit 513 of the current state analysis unit 510 and displays the result on the client terminal 400.

  For example, FIG. 23 is a diagram illustrating an example of a department comparison screen that displays the current security level diagnosis result for each department. In the example of FIG. 23, for the designated department, the security level in the designated management policy category is tabulated for each immediate lower department, and the result is displayed as a graph. Thereby, the difference in the security level between departments can be grasped. This comparison can be used for the higher-level department to grasp the implementation status of the security measures of each lower-level department, and for the lower-level department to compare the implementation status with other departments in the same series.

  FIG. 24 is a diagram showing an example of a radar chart screen that displays the current security level diagnosis results for each control policy category. In the example of FIG. 24, the security levels of the designated departments are totaled for each control category and displayed in the form of a radar chart. Thereby, it is possible to grasp the difference (strength / weakness) in the implementation status of the security measures between the management policy categories.

  FIG. 25 shows a target security level (future and past setting history) set by a target setting process to be described later as information for comparing (predicting and managing) a plan and an actual performance of management measures in the relevant department. It is the figure which showed the example of the aged prognosis comparison screen which compares and displays the value of past and the value of the past security level (past diagnosis history). In the example of FIG. 25, the target value and the actual value of the set security level for each designated department are aggregated, and the target value and the actual value are displayed in a graph over the past three periods, the current period, and the future three periods. doing. Thereby, it is possible to grasp the achievement status of the set target security level. Note that the processing here is performed by the pre-actual management unit 523 of the target management unit 520.

FIG. 26 is a diagram showing an example of a diagnosis details inquiry screen that displays the current security level diagnosis result in detail for each management measure. In the example of FIG. 26, the diagnosis results (determination results) for each management measure corresponding to the specified asset type and management policy category are totaled and displayed for the specified department based on the implementation rate. Here, as an example, the person in charge of each department ("Sales Section 1, Section 2, ...") that implements "Management Measures 1, 2, 3, ..." for "Desktop PC" targeting "Headquarters" Is displayed as a task, and the diagnosis result of the current security level that is tabulated based on the implementation status is displayed.

  The implementation rate in the lower diagnostic result table is the implementation rate calculated by the lower comparison shown in FIG. 12 and FIG. 15 of the first embodiment for each target management measure for “headquarters”, which is 100%. If it is, the determination result is ○.

  In the lower diagnostic result table, as for the management measures for which the determination means is “automatic”, the determination results are automatically acquired from the security management tool server 300 as described above. In addition, regarding the management measures whose determination result is “detailed setting”, the determination result is different for each target asset (not “all ○” or “all ×”). As for this, by pressing the “details” button on the right side of the screen, a transition is made to an inquiry screen for diagnosis results in units of assets (devices).

  FIG. 27 is a diagram showing an example of a diagnosis details inquiry (details) screen that displays the current security level diagnosis result in detail for each asset. In the example of FIG. 27, the diagnosis result (determination result) is displayed for each corresponding asset (device) with respect to the designated department, asset type, and management policy with reference to the diagnosis details table 251. 26 and 27, it is possible to grasp the implementation status of security measures in detail for each individual management measure and each asset.

[setting a goal]
Hereinafter, the processing contents in the setting of the target level of the own department and the lower department (step S402) in FIG. 17 will be described. When the user requests the client terminal 400 to set a security level target via a main screen (not shown), the target setting unit 521 of the security management support server 500, for example, as shown in FIG. The own department target setting screen for setting the target is generated and displayed on the client terminal 400.

  In the example of FIG. 28, a graph of a comparison between the target setting value of the security level so far and the past and actual results of the security standard for the target setting target for the designated department is displayed. This graph is the same as that shown in FIG. 25 described above, and is generated by the preliminary management unit 523 of the target management unit 520. The user can set the security level of the target of his / her department after the next period while referring to the graph of the comparison between the past and the past.

  When setting the target value of the own department, the target value set from the upper department on the lower department target setting screen described later is also set to the upper department setting target security level of the target setting table 241 or the upper department setting target of the risk target setting table 242. Displayed together with reference to the risk level. There may be a restriction that the value set as the target value of the own department cannot be smaller than the target value set by the higher department.

  The set target value is registered by the target setting unit 521 in the own department setting target security level of the target setting table 241 or the own department setting target risk level of the risk target setting table 242. At this time, based on the asset held by the own department, its asset type, and the contents of the management plan execution pattern table 237, the entries in the plan development detail table 243 and the system plan development detail table 244, that is, the assets held by the own department. Create an entry for the control assigned to the type (asset if the asset category is "system").

  Furthermore, it is possible to shift from the own department target setting screen shown in FIG. 28 to a lower department target setting screen for setting a security level target of the lower department as shown in FIG. In the example of FIG. 29, a graph of the current security level with respect to the security standard that is the target setting target is displayed for the subordinate department nearest to the designated department. This graph is the same as that in FIG. 23 described above, and is generated by the detailed analysis unit 513 of the current state analysis unit 510. The user can set the target security level of each subordinate department from the next term on while referring to the graph of the current security level of each subordinate department.

  When setting the target value of the lower department, the target value of the own department set in the target setting table 241 or the target risk of the own department set in the risk target setting table 242 is set for the target value of the own department set on the above-described own department target setting screen. It is displayed with reference to the level. The set target value is registered in the upper department setting target security level of the target setting table 241 or the upper department setting target risk level of the risk target setting table 242 for the target lower department. In this way, the goal setting for each department can be performed in consideration of the hierarchical structure of the department.

  Further, the person in charge of each department indicates the control measures to be implemented and the implementation timing for achieving the target value of the own department set on the own department target setting screen of FIG. Thus, it can be determined by a plan formulation screen as shown in FIG. In the example of FIG. 30, for the designated department, the management policy assigned by the security standard that is the target of target setting for each asset type held by the department is shown in the plan formulation details table 243 and the system plan formulation details 244. Acquired and displayed as plan details.

  Here, the priority in the table in the figure indicates the static priority of each plan item. For example, the reference weight value of the control measure security standard table 232 for the control measure corresponding to the plan item and the management It is assumed that the asset type weighting value of the measure execution pattern table 237 is multiplied. Further, the implementation rate calculated by the lower comparison shown in FIGS. 12 and 15 of the first embodiment for the task related to the target management policy is displayed. That is, the implementation rate is equivalent to the ratio of the total number of assets and the number of implemented assets in the organization below the target department for the management policy corresponding to the plan details.

  In addition, the approximate unit price and the unimplemented quantity when the management policy for each plan detail is acquired from the management policy execution pattern table 237 are also displayed. In addition, in the example of FIG. 30, each plan details are rearranged and displayed in the descending order of the value which multiplied the value of the priority mentioned above by the value of (1-implementation rate). As a result, it is possible to display the plan details having a high priority and a low implementation rate at the present time at the top of the table.

  For each plan detail displayed in this way, the user selects the necessity of implementation in the department and the completion target time using, for example, a check box or a pull-down menu. The contents selected here are reflected in the items of the plan setting category and the target achievement date in the plan formulation details table 243 or the system plan formulation details table 244. As described above, in the security management support system 5 of the present embodiment, the setting unit of the management policy to be implemented is basically an asset type, not an asset. It is possible to evaluate the security level more precisely by setting and managing the management measures to be implemented on an asset basis. However, managing in asset units in a large-scale organization requires a great deal of labor.

  In addition, since the target information assets exist in the departments of each hierarchy, the necessity of implementation for each plan item is basically set individually in the department of each hierarchy where the task is instructed (reassigned). It may be necessary, but it is not performed individually in each department, such as “development of security policy”, but if it is carried out in the unit of the whole company or each business division (higher department), other departments (lower departments) There is also a management policy that does not need to be implemented. Such control measures can be identified by, for example, individually assigning control measure categories, and are implemented or implemented automatically in the subordinate department if implemented in the upper department or if already implemented. You may process as a thing.

  The security management support system 5 of the present embodiment further has a simulation function in order to determine which plan details should be implemented when planning to effectively achieve the target security level. When you set the plan details to be implemented and the completion target time and press the save button, the security level achieved (simulation result) and the estimated cost (total cost of implementation) when each plan detail is executed at each time Is calculated and displayed in the table below along with the target security level of the relevant department for each period. Here, for the total cost of implementation, for example, for each plan detail, the unit price multiplied by the quantity if implemented at each time, zero if not implemented, and the total for each plan detail. To calculate.

  In this way, a list of target plan details is presented according to the asset type held in the relevant department, and furthermore, the plan details to be implemented can be set while referring to the simulation results. Can easily formulate a plan to achieve the goal.

[Self-inspection / internal audit]
Hereinafter, the contents of processing in the self-inspection / internal audit (S404) of the implementation status of the management measures in FIG. 17 will be described. When the user requests the client terminal 400 to perform a self-inspection about the current security countermeasure status via a main screen (not shown) or the like, the current state analysis unit 510 of the security management support server 500, for example, as shown in FIG. A diagnosis details input screen for inputting the diagnosis result of the security measure of the department is generated and displayed on the client terminal 400.

  In the example of FIG. 31, the diagnosis result (judgment result) is input from the pull-down menu by referring to the implementation rate for each management measure for the specified asset type from the same screen as the diagnosis details inquiry screen shown in FIG. can do. The input result is reflected in the diagnostic details table 251. Similar to the example of FIG. 30, the execution rate calculated by the lower comparison shown in FIGS. 12 and 15 of the first embodiment for the task related to the target management policy is displayed.

  In this way, the user's workload can be reduced by inputting the diagnosis result for each management measure not in units of assets but in units of asset types. On the other hand, if the judgment results are not the same for all the assets (devices) for the target management measures, and they are mixed, by pressing the “Details” button on the right side of the screen to enter the diagnosis results for each asset, It is also possible to transition to an input screen for diagnosis results in asset units.

  FIG. 32 is a diagram showing an example of a diagnosis details input (details) screen for inputting the diagnosis result of the security measures of its own department for each asset. In the example of FIG. 32, a diagnosis result (determination result) for each asset (device) can be individually input from a pull-down menu from the same screen as the diagnosis details inquiry (details) screen shown in FIG. The input result is similarly reflected in the diagnostic details table 251. For assets (devices) that can obtain a determination result from the security management tool server 300, the determination result is automatically reflected in the diagnosis details table 251, and therefore manual input is not necessary.

  When the security audit department conducts internal audits of the implementation status of management measures in each department, the same applies after selecting the department to be audited from the department pull-down menu on the diagnostic details input screen in FIGS. Enter the diagnosis result (judgment result).

  The outline of the processing contents in the security management support system 5 of the present embodiment has been described above with reference to FIGS. 22 to 32. The various screens shown in FIGS. User interfaces such as input / output items and methods are merely examples, and other user interfaces may of course be used.

  As described above, according to the security management support system 5 of the present embodiment, information related to information assets to be protected held by each department is systematically held and managed on a database, and a security management tool is used. By enabling linkage and input of security measure status determination results and asset setting / management in units of asset types, the user department can easily manage information assets.

  Furthermore, by easily quantifying and presenting the security level and risk level from various perspectives, it is possible for each department to easily grasp the current status of security countermeasures, set targets, and manage probabilities in the hierarchical structure of departments. It becomes possible. For this reason, it is possible to perform efficient and effective security management by distributing the load required for security management in the enterprise. In addition, each department at each level can quantitatively grasp the current status of security countermeasures and the results of their implementation, which raises interest in security measures in the user department and increases the psychology of competition between departments. The effect which promotes can be acquired.

  In addition, tasks that implement management measures are used as tasks, and by applying the functions of the task management system described in Embodiment 1, tasks are managed in a hierarchical structure, tasks are created, and subordinate departments / persons in charge are in charge. It becomes possible to easily calculate the execution rate in a form based on the development and the hierarchical structure of the tasks.

  Thereby, for example, a task (control measure) category and a control measure ID corresponding to this are defined, and the execution rate of the task (control measure) in one diagnosis cycle of the PDCA cycle shown in FIG. The task management function can be linked to the security management function for quantifying the security level and the risk level, for example, by automatically reflecting the result of diagnosis in the implementation rate as indicated by 30.

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the present invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Needless to say.

  INDUSTRIAL APPLICABILITY The present invention can be used for a task management system that manages tasks for which work is instructed from the top down in an organization such as a company.

1 ... task management system, 5 ... security management support system,
DESCRIPTION OF SYMBOLS 100 ... Task management server, 110 ... Task execution management part, 111 ... Task operation part, 112 ... Task information acquisition part, 120 ... Implementation status management part, 130 ... Management part,
210 ... User / department DB, 211 ... Company table, 212 ... Department table, 213 ... Affiliation department table, 214 ... Role table in charge, 215 ... Role table, 216 ... User table,
220 ... Asset DB, 221 ... Asset type table, 222 ... Asset table, 223 ... Asset type storage information table, 224 ... Information table, 225 ... System storage information table,
230 ... Control measure DB, 231 ... Security standard table, 232 ... Control measure security standard table, 233 ... Control measure table, 234 ... Risk content table, 235 ... Control measure risk content table, 236 ... Control measure execution department table, 237 ... Control strategy execution pattern table,
240 ... planning DB, 241 ... target setting table, 242 ... risk target setting table, 243 ... planning specification table, 244 ... system planning table,
250 ... diagnosis DB, 251 ... diagnosis details table,
260 ... task DB, 261 ... task table, 262 ... category table,
270 ... Task progress DB, 271 ... Task progress table, 272 ... Status table,
300 ... Security management tool server,
400: Client terminal,
500 ... security management support server, 510 ... current state analysis unit, 511 ... security level diagnosis unit, 512 ... risk analysis unit, 513 ... detailed analysis unit, 520 ... target management unit, 521 ... target setting unit, 522 ... plan formulation unit, 523 ... Predictive management unit, 530 ... business processing unit, 540 ... asset management unit, 550 ... management unit.

Claims (6)

A security management support server that evaluates and manages the security level or risk level of information assets to be protected held by an organization consisting of a plurality of departments having a hierarchical structure, and a client that connects to the security management support server via a network A security management support system comprising terminals,
The security management support server includes:
In response to a request from a user in each department via the client terminal, for each department, an asset management unit that registers or updates information about the information asset held by the department in an asset database;
In response to a request from the user in each department via the client terminal, for each department, register a diagnostic result about the implementation status of the management measures for the information assets held by the department in the diagnostic database, and In response to a request from the user in each department via a client terminal, based on the contents of the diagnostic database, the current security level or the risk level in each department is scored based on the security standards to be managed, A current state analysis unit that displays on the client terminal the result of aggregation by the aggregation method specified by the user;
In response to a request from the user in each department via the client terminal, the target level of the security level or the risk level specified by the user for the department and the time of achievement thereof are registered in the planning database or The goal management department to be updated,
Against the lower personnel under the upper personnel hierarchy before Symbol department, the task is an indication of the implementation of security controls for the information assets,
In response to a request from a user in each department via the client terminal, the task that newly instructs one or more persons in charge of the user in the hierarchical structure of the department is created and registered in the task database and registers with the task proceeds Hakadode database to create a progress rate and task progress performing status management of the tasks in the unit of each person receiving the instruction of the task according to the task, also, the client terminal and a task operation unit in response to a request from the user, to update and correct the content of the task progress registered in the task and the task progress database registered in the task database the in each department via,
Task information acquisition for acquiring and outputting the task progress information related to the user among the one or more task progresses registered in the task progress database in response to a request from the user via the client terminal And
An implementation status management unit that calculates and outputs an implementation status for the task instructed to the user in response to a request from the user via the client terminal;
Security management support system, comprising a management unit for managing holds the user and the information of the department and its hierarchical structure utilizing the security management support system in the user department database. The security management support system according to claim 1,
The task operation unit re-instructs execution of the designated task to one or a plurality of persons under the user in the hierarchical structure of the department in response to a request from the user who is designated the task. A security management support system comprising: creating a child task to be registered, and registering the created child task and information on the task progress relating to the child task together with information on a hierarchical structure thereof in the task progress database. The security management support system according to claim 1 or 2,
When the task operation unit newly creates the task or the child task in response to a request from the user in each department via the client terminal, and the task progress is newly registered in the task progress database. The status of the task progress is not indicated,
When the progress rate indicating that the work related to the task progress is partially executed is specified, the status of the task progress is updated to incomplete,
When the execution of the task related to the task progress is re-instructed to one or more persons in charge of the user in the hierarchical structure of the department, the status of the task progress is updated to indicated. ,
A security management support system that updates the status of the task progress to complete when it is specified that the task related to the task progress is completed. In the security management support system according to any one of claims 1 to 3,
The implementation status management unit calculates the implementation status of the task instructed by the user in response to a request from the user via the client terminal. A security management support system that calculates and outputs an execution rate for all the task progresses belonging to a lower level including itself in a hierarchical structure. In the security management support system according to any one of claims 1 to 3,
The implementation status management unit relates to each person in charge who has received an instruction for the task when calculating the implementation status for the task instructed to the user by a request from the user via the client terminal. A security management support system, wherein for each task progress, an implementation rate for all the task progresses belonging to a lower level including itself in the task hierarchy is calculated and output. In the security management support system according to any one of claims 1 to 5,
The task information acquisition unit acquires information on the task progress related to the user among the one or more task progresses registered in the task progress database in response to a request from the user via the client terminal. Security management support, wherein the task progress information related to the user in the task instructed by the user and the task instructed or re-instructed by the user is acquired and output system.

Images