JP6932175B2 - Personal number management device, personal number management method, and personal number management program - Google Patents

Description

The present invention relates to a specific personal information management device, a specific personal information management method, and a specific personal information management program.

In recent years, the My Number system (National Identification Number System), which manages information efficiently in the fields of social security, taxes, and disaster countermeasures by assigning one number (My Number) to each citizen, has attracted attention. There is. This My Number system is expected to be the basis for streamlining administration, improving the convenience of the people, and realizing a fair and just society. On the other hand, if My Number is used or leaked for purposes other than its intended purpose, it may be misused, so it is treated as specific personal information with stricter penalties than personal information. Therefore, there is a demand for the development of a system that can strictly manage the security of My Number. For example, Patent Document 1 discloses a security management system capable of controlling access to information resources.

Japanese Unexamined Patent Publication No. 2008-234200

However, in Patent Document 1 above, the security administrator manages the file access right, but the person in charge of the department manages the access right grant and the access right deprivation, so that important specific personal information such as My Number is leaked. It was difficult to prevent and strictly control. In addition, since the system administrator has all the privileges in the information system in the past, if the system administrator himself commits an illegal act (inquiry or change of information other than business use), specific personal information will be leaked. Could not be prevented, and there was no choice but to detect it after the fact using the log (history).

The present invention has been made in view of the above problems, and is a specific personal information management device and a specific individual capable of strictly managing information by preventing leakage of important specific personal information such as My Number. The purpose is to provide an information management method and a specific personal information management program.

In order to solve the above-mentioned problems and achieve the object, the specific personal information management device according to the present invention includes a storage unit and a control unit, and manages specific personal information in the information system. In the information system, a system administrator who manages the entire information system and a specific personal information manager who exclusively manages the specific personal information are arranged, and the storage unit stores the specific personal information. The control unit includes specific personal information storage means for storing, the control unit includes access authority setting means for setting access authority to the specific personal information storage means, and the access authority setting means is only performed by the specific personal information manager. It is characterized in that it is possible to set an access authority to the specific personal information storage means.

Further, in the specific personal information management device according to the present invention, when the access authority setting means sets the access authority to the specific personal information storage means, the user who uses the specific personal information and the intended use of the specific personal information. , The operation content of the specific personal information, and the setting using at least one criterion of the area or period for handling the specific personal information.

Further, in the specific personal information management device according to the present invention, the specific personal information storage means can access only a person authorized by both the system administrator and the personal number administrator when accessing the specific personal information storage means. It is characterized by

Further, the specific personal information management device according to the present invention is characterized in that the specific personal information storage means further includes a specific personal information operation authority table for which the specific personal information manager sets access authority.

Further, in the specific personal information management device according to the present invention, the storage unit further includes a specific personal information processing means for collecting the specific personal information with respect to the specific personal information storage means, and the specific personal information processing means is When the document image data in which the specific personal information is described and the manually input data of the specific personal information are input, the value obtained by reading the image data and the value of the manually input data are compared. If the values match, the value is stored as specific personal information in the specific personal information storage means, and if the values do not match, the person in charge confirms the image data and the manually input data and obtains the correct value. It is characterized in that it is stored in a specific personal information storage means.

The specific personal information management method according to the present invention is a specific personal information management method executed by a specific personal information management device having a storage unit and a control unit and managing specific personal information in an information system. The information system is provided with a system administrator who manages the entire information system and a specific personal information manager who exclusively manages the specific personal information, and the storage unit stores the specific personal information. The access authority setting step including the access authority setting step for setting the access authority to the specific personal information storage means, which is provided with the storage means and executed by the control unit, is specified only by the specific personal information manager. It is characterized by enabling the setting of access authority to personal information storage means.

The specific personal information management program according to the present invention is a specific personal information management program that includes a storage unit and a control unit and is executed by a specific personal information management device that manages specific personal information in an information system. A system administrator who manages the entire information system and a specific personal information manager who exclusively manages the specific personal information are arranged in the information system, and the storage unit is a specific individual who stores the specific personal information. The access authority setting step including the access authority setting step for setting the access authority to the specific personal information storage means, which is provided with the information storage means and executed by the control unit, is performed only by the specific personal information manager. It is characterized by enabling the setting of access authority to the specific personal information storage means.

According to the present invention, it is possible to prevent the leakage of the specific personal information and strictly manage the specific personal information.

FIG. 1 is a block diagram showing an example of the configuration of the specific personal information management device. FIG. 2 is a schematic view showing a configuration example of the My Number board. FIG. 3 is a diagram showing an example of a list of functions of the specific personal information management device. FIG. 4 is a diagram showing an example of a multidimensional security setting for enhancing security. FIG. 5 is a diagram showing an example of administrator separation for enhancing security. FIG. 6 is a diagram showing an example of improving the efficiency of the collection work of specific personal information. FIG. 7 is a diagram showing an example of an access right setting flow to the security DB before the introduction of the My Number infrastructure. FIG. 8 is a diagram showing an example of an access right setting flow to the security DB and the My Number DB at the time of introducing the My Number infrastructure. FIG. 9-1 is a diagram showing an example of a flow in which the system administrator grants job operation authority to the administrator. FIG. 9-2 is a diagram showing an example of a flow in which an administrator to whom job operation authority is granted is set as an individual number administrator. FIG. 10 is a diagram showing an example of an operation flow at the start of operation. FIG. 11 is a diagram showing an example of the setting contents of the user master in the security DB. FIG. 12-1 is a diagram showing an example of setting the usage security of the My Number DB. FIG. 12-2 is a diagram showing an example of setting operation security and record security of My Number DB. FIG. 12-3 is a diagram showing an example of setting the usage security of the My Number DB. FIG. 13 is a diagram showing an example of an operation flow during normal operation by the individual number manager. FIG. 14 is a diagram showing an example of an operation flow during normal operation by a user who does not have access right to the My Number DB. FIG. 15 is a diagram showing an example of an operation flow when the password is changed by the person himself / herself. FIG. 16-1 is a diagram showing an example of an operation flow when a malicious system administrator A illegally changes the password of the personal number administrator. FIG. 16-2 is a diagram showing an example of an operation flow when a malicious system administrator A impersonates an individual number administrator and logs in illegally. FIG. 17-1 is a diagram showing an example of an operation flow of recovery after fraud by the system administrator B. FIG. 17-2 is a diagram showing an example of an operation flow in which the individual number manager A and the system administrator B perform recovery after fraud.

Embodiments of the present invention will be described in detail with reference to the drawings. The present invention is not limited to the present embodiment. The specific personal information (My Number) handled in this embodiment is stipulated by law regarding the scope of use and strictness of handling, and there are also severe penalties. If an employee commits an offense contrary to this, not only the offender but also the corporation will be fined, so it is necessary for the company to implement strict control.

[1. Overview]
The main features of the present embodiment will be briefly described in the following outline.
(Multi-dimensional security settings)
The feature of the specific personal information management device 100 according to the present embodiment is that the leakage of the specific personal information is prevented and the specific personal information is strictly managed by setting the security in multiple dimensions. For example, by combining multiple security settings such as who can access, business use, operation content (inquiry, addition, change, deletion), data range (narrowing down by company or business establishment), detailed personal information can be obtained. Enables access control. Furthermore, it is also possible to control job start restrictions in the conventional system management security by a system administrator. In this way, access to specific personal information can be made by making multidimensional security settings such as access right holder (use security), business use (use security), operation content (operation security), and data range (record security). The risk of fraud can be minimized by narrowing down the access.

(Separation of system administrator and personal number administrator)
Further, another feature of the specific personal information management device 100 according to the present embodiment is that (1) a personal number manager as a specific personal information manager independent of the system administrator is assigned, and (2) a specific individual. Information security settings are stored outside the jurisdiction of the system administrator, and (3) when accessing specific personal information, only those authorized by both the system administrator and the personal number administrator can access it. As a result, even if the system administrator who has full authority in the information system has malicious intent, it is not possible to access specific personal information such as My Number, which is confidential information, so that leakage of confidential information can be prevented. .. That is, the specific personal information management device 100 in the present embodiment separates the system administrator and the personal number administrator, so that each administrator alone cannot perform fraudulent acts. As described above, the specific personal information management device 100 in the present embodiment utilizes the conventional mechanism and has the above-mentioned two (multidimensional security setting) and (separation of system administrator and personal number administrator). By adding functions, it has become possible to realize a more robust security infrastructure.

[2. composition]
An example of the configuration of the specific personal information management device according to the present embodiment will be described with reference to FIG. FIG. 1 is a block diagram showing an example of the configuration of the specific personal information management device 100.

The specific personal information management device 100 constructs, for example, a My Number DB (My Number Database) that exclusively stores My Number, which is important specific personal information, and data related thereto in a commercially available desktop personal computer. , The application for realizing the security management system (My Number platform) for setting the access authority to access the My Number DB is introduced. The specific personal information management device 100 is not limited to a stationary information processing device such as a desktop personal computer, but is not limited to a commercially available notebook personal computer, a PDA (Personal Digital Assistants), a smartphone, a tablet personal computer, or the like. It may be a portable information processing device.

The specific personal information management device 100 includes a control unit 102, a communication interface unit 104, a storage unit 106, and an input / output interface unit 108. Each part of the specific personal information management device 100 is communicably connected via an arbitrary communication path.

The communication interface unit 104 connects the specific personal information management device 100 to the network 300 so as to be communicable via a communication device such as a router and a wired or wireless communication line such as a dedicated line. The communication interface unit 104 has a function of communicating data with another device via a communication line. Here, the network 300 has a function of connecting the specific personal information management device 100 and the server 200 so as to be able to communicate with each other, and is, for example, the Internet or a LAN (Local Area Network).

Various databases, tables, files, and the like are stored in the storage unit 106. In the storage unit 106, a computer program for giving an instruction to a CPU (Central Processing Unit) in cooperation with an OS (Operating System) to perform various processes is recorded. As the storage unit 106, for example, a memory device such as a RAM (Random Access Memory) or a ROM (Read Only Memory), a fixed disk device such as a hard disk, a flexible disk, an optical disk, or the like can be used. In addition to the existing security DB 106a and business DB 106c, the storage unit 106 includes the My Number DB 106b, which is characteristic of the present embodiment.

The security DB 106a stores data related to security settings such as granting job operation authority to a user who uses the information system by the system administrator. Further, the security DB 106a includes a user master UM that manages the job operation authority given by the system administrator by a user ID and an encrypted password.

My number DB 106b stores various data related to my number as specific personal information. For example, personal number, personal information, security information, log information, confirmation documents, usage, retention period, etc. are stored. Further, in the My Number DB 106b, an individual number administrator who gives the operation authority to the My Number is arranged separately from the system administrator, and the operation authority to the My Number given by the individual number administrator is encrypted with the user ID. It is equipped with My Number User Master MUM as a specific personal information operation authority table managed by the password.

The business DB 106c stores business data such as company payroll and year-end adjustment. When it is necessary to input my number (individual number) in this business data processing, the person in charge of business is permitted to access my number DB 106b when the individual number manager gives the operation authority to my number.

An input device 112 and an output device 114 are connected to the input / output interface unit 108. As the output device 114, a speaker or a printer can be used in addition to a monitor (including a home television). As the input device 112, in addition to a keyboard, a mouse, and a microphone, a monitor that cooperates with the mouse to realize a pointing device function can be used. In the following, the output device 114 may be referred to as a monitor 114, and the input device 112 may be referred to as a keyboard 112 or a mouse 112.

The control unit 102 is a CPU or the like that comprehensively controls the specific personal information management device 100. The control unit 102 has an internal memory for storing a control program such as an OS, a program that defines various processing procedures, required data, and the like, and performs various information processing based on these stored programs. Run. The control unit 102 is functionally conceptually provided with the existing system processing unit 102a and business processing unit 102c, as well as the My Number processing unit 102b, which is characteristic of the present embodiment.

The system processing unit 102a performs processing necessary for the management of the entire system by the system administrator. For example, there are user registration, change, deletion, forced change of user password, invalidation to stop the use of user, grant of job operation authority, and the like. When a personal number administrator, which is characteristic of this embodiment, is assigned, the job for operating my number is started unless the system administrator grants the personal number administrator job operation authority using the user master UM. become unable. The job operation authority is granted by the system authority setting unit 102a-1.

The My Number processing unit 102b performs the processing necessary for My Number management by the individual number manager characteristic of the present embodiment. For example, there are access permission to My Number, My Number operation permission setting, My Number range permission setting, My Number log policy setting, My Number audit policy setting, and the like. Various authority setting regarding My Number is performed by My Number authority setting unit 102b-1 as access authority setting means. In the present embodiment, a specific personal information management system in which the My Number processing unit 102b, which sets security for the My Number DB 106b, is dedicated to an individual number administrator other than the system administrator, is described here as the My Number platform MSF. Save the security settings outside the jurisdiction of the system administrator.

In the business processing unit 102c, the person in charge of business accesses the business DB 106c and performs various business processing such as year-end adjustment, qualification acquisition notification, and payment record. If it becomes necessary to enter my number during this business process, the person in charge of business will have the individual number administrator set the operation authority for my number.

[3. process]
Specific examples of the processing of the present embodiment will be described with reference to FIGS. 2 to 19. FIG. 2 is a schematic diagram showing an example of a configuration of the My Number infrastructure, FIG. 3 is a diagram showing an example of a list of functions of the specific personal information management device, and FIG. 4 is a multidimensional security for enhancing security. It is a figure which shows an example of a setting, and FIG. 5 is a figure which shows an example of the administrator separation for strengthening security.

As shown in FIG. 2, the specific personal information management device 100 according to the present embodiment adds the My Number platform MSF to the conventional system platform and manages the entire system separately from the system administrator SA. A personal number manager PA as a specific personal information manager who exclusively manages specific personal information (my number) is assigned.

As shown in FIG. 2, the My Number platform MSF provides security settings, data access availability, audit / notification, etc. for My Number (Individual Number) as specific personal information and My Number DB106b that stores related information. Is managed by My Number Class MC. The individual number manager PA who manages the operation authority for the My Number DB 106b sets and registers various functions shown in FIG. 3 using the security setting screen MSS and the registration / inquiry screen MRS in the My Number infrastructure MSF. For example, on the My Number platform registration / inquiry screen MRS, registration (information registration, suspension, file acceptance, file output), inquiry (business use), and deletion (retirement) related to data access can be performed. In addition, on the My Number infrastructure security setting screen MSS, as information leakage measures related to safety management measures, encryption, access authority (use security), use authority (use security), operation authority (operation security), use range authority ( You can make settings for record security), monitoring (audit policy), and audit trail (log).

As described above, the feature of the specific personal information management device 100 according to the present embodiment is that the My Number DB 106b and the My Number platform MSF that manages access to the My Number DB 106b are constructed in the existing system platform and managed exclusively. By arranging the personal number administrator PA, the management authority is given independently of the system administrator SA. As a result, even the system administrator SA or the person in charge of business who performs year-end adjustment cannot access the My Number DB106b and view the My Number of the employee without authority. Further, as shown in FIG. 4, the security effect can be further enhanced by setting multidimensional security settings such as usage security, usage security, operation security, and record security.

For example, since the handling of personal numbers (my numbers) is more strictly restricted than ordinary personal information, severe penalties will be imposed if the personal numbers are used, leaked, or collected for purposes other than the intended purpose. However, within the company, it is necessary for the general affairs department to collect and use personal numbers when creating tax withholding, qualification acquisition notifications, payment records, etc. for office workers. Therefore, it is necessary to strictly manage the personal number so that it can be used only by a specific person in charge, and prevent it from being leaked. For multidimensional security settings, detailed access control for personal numbers is possible by combining a plurality of security settings shown in FIG.

In the multidimensional security setting, "use security" is to set accessability for each person in charge (person) who can access the personal number. "Usage security" is to set accessability for each business use (tax withholding, qualification acquisition notification, payment record, etc.). "Operation security" is to set accessability for each operation (inquiry, addition, change, deletion, file acceptance, file output). "Record security" makes it possible to limit the data range that can be handled by each company or business establishment.

In addition, since the system administrator SA is a privileged user who can set various privileges in the system, he / she can also use a job that handles My Number if he / she has malicious intent. Therefore, in the present embodiment, the individual number administrator PA system administrator SA is assigned as a privileged user in My Number separately from the individual number administrator PA system administrator SA, and has privileges independent of each other. The security settings of My Number DB106b are stored in My Number Infrastructure MSF, which is not under the jurisdiction of the system administrator SA. Therefore, in order to access My Number DB106b, only the individual number administrator PA and the person in charge authorized by the individual number administrator PA can access it. However, as shown in FIG. 5, the system administrator SA grants the job operation authority, and the individual number administrator PA grants the My Number operation authority (individual number authority). , If the job can be started but the My Number cannot be operated, or if the job cannot be started even if the My Number operation authority is granted, the My Number DB 106b cannot be accessed. In this way, since it is necessary for the system administrator SA and the individual number administrator PA to jointly grant the operation authority, the occurrence of fraud can be suppressed.

(My number collection business)
FIG. 6 is a diagram showing an example of improving the efficiency of the collection work of specific personal information. Since My Number is specific personal information, there are very few people who have the authority to check the contents, and it is conceivable that the collection work of My Number will be concentrated when the system is implemented. For this reason, it is necessary to prevent erroneous registration due to human error as much as possible and improve the efficiency of collection work. In this embodiment, as shown in FIG. 6, when applying for My Number, if only the image of the My Number card is initially displayed by OCR, the applicant CL will be alert and the confirmation accuracy will drop. In parallel with this, the My Number is manually entered, and the manually entered value and the image value are saved in the My Number DB 106a for each applicant (Mr. A, Mr. B). Since the OCR accuracy is not always perfect for the person in charge PC, the manually input value and the image value are matched on the system, and if the values match, the person in charge PC automatically collects my number data without seeing it. be able to. If the manually entered value and the image value do not match, the person in charge PC visually checks the number entered by the applicant CL against the OCR information on the registration card to check for human error and OCR. Both reading errors can be covered with very little effort. Furthermore, since the image data of the Individual Number Card can be saved at the same time, there is an advantage that the voucher for identity verification can be collected and saved at the same time. These processes are performed by the My Number processing unit 102b in the control unit 102 of the specific personal information management device 100.

(Setting process of my number base)
Here, with reference to FIGS. 7 to 10, the setting process of the My Number base will be specifically described. FIG. 7 is a diagram showing an example of an access right setting flow to the security DB before the introduction of the My Number infrastructure. FIG. 8 is a diagram showing an example of an access right setting flow to the security DB and the My Number DB at the time of introducing the My Number infrastructure. FIG. 9-1 is a diagram showing an example of a flow in which the system administrator grants job operation authority to the administrator. FIG. 9-2 is a diagram showing an example of a flow in which an administrator to whom job operation authority is granted is set as an individual number administrator. FIG. 10 is a diagram showing an example of an operation flow at the start of operation.

Before the introduction of the My Number infrastructure, as shown in Fig. 7, when the system administrator A (SA1) and the general affairs department staff A (PC1) are present and the general affairs department staff A (PC1) wants to access the security DB 106a. System administrator A (SA1) grants (1) access authority to general affairs department staff A (PC1), and (2) registers the user ID and password of general affairs department staff A (PC1) in the user master UM. By doing so, (3) the person in charge A (PC1) of the general affairs department can access the security DB 106a. In this case, the access authority of the person in charge A (PC1) of the general affairs department is the "general" authority.

At the time of introducing the My Number infrastructure according to this embodiment, as shown in FIG. 8, there are a system administrator A (SA1), an individual number administrator A (PA1), and a person in charge of the general affairs department A (PC1). Here, looking at the user master UM of the security DB 106a, the user ID and password of the individual number administrator A (PA1) are added as built-in users, but the access authority to the security DB 106a is not set (authority "Authority". None ”), the individual number manager A (PA1) cannot access the security DB 106a.

On the other hand, for the My Number User Master MUM of My Number DB106b shown in FIG. 8, the user ID and password of the Individual Number Administrator A (PA1) are added as built-in users, and the authority is also "Administrator". Therefore, only the individual number manager A (PA1) can access the My Number DB 106b. On the other hand, the system administrator A (PA1) and the person in charge of the general affairs department A (PC1) do not have access authority because they are not registered in the My Number user master MUM, and cannot access the My Number DB106b. Although the types of "authority" of the security DB 106a or My Number DB 106b in FIG. 8 are expressed as "administrator", "general", and "none", more detailed security settings are actually made. be able to. For example, in addition to "authorized", "unauthorized", and "prohibited", detailed security settings can be made according to the access right holder, business use, operation content, data range, usage period, and the like.

When the system administrator A (SA1) grants the job operation authority to the personal number administrator, the system administrator A (SA1) inputs the user ID and password on the login screen as shown in FIG. 9-1. When you enter and log in, the menu screen is displayed, and you can select and display the user registration screen from it. The displayed user registration screen is in the same state as the user master UM of FIG. The system administrator A (SA1) changes the user ID of the personal number administrator A (PA1) displayed as "Number Manager" to "Number Manager A" shown in the user master UM in the above figure of FIG. 9-1 and is also an individual. Create a new user ID "NumberManagerB" for the number administrator B (PA2) and register it together with the password. At this time, since neither the individual number manager A (PA1) nor the individual number manager B (PA2) has set the authority, the authority is "none". Therefore, the system administrator A (SA1) uses the authority setting screen to give the individual number administrator A (PA1) and the individual number administrator B (PA2) the operation authority of the My Number system job and the jobs used daily. By granting the operation authority of, the authority of the user master UM in the lower figure of FIG. 9-1 becomes "general". However, the system administrator A (SA1) cannot set the access authority for the My Number DB 106b to the Individual Number Administrator B (PA2).

Therefore, in addition to the individual number manager A (PA1) of FIG. 9-1, the personal number manager B (PA2) also describes the procedure for setting the access authority to the My Number DB 106b with reference to FIG. 9-2. The individual number manager A (PA1) logs in by entering the user ID and password on the login screen, and selects and displays the personal number authority setting screen as a job that can be used only by the personal number manager from the menu screen. Here, the individual number manager A (PA1) registers the user ID and password of the personal number manager B (PA2) in the My Number user master MUM shown in the upper figure of FIG. 9-2, and the personal number "administrator" is registered. ”. Then, the individual number manager A and the personal number manager B use the password change screen to set the passwords in the user master UM and the my number user master MUM in the lower figure of FIG. 9-2 to the unique passwords of the individual number managers. Change to. In this case, the identity can be confirmed only when the entered current password matches the value before the update, so that the password can be updated. As a result, the individual number manager B (PA2) can also be given the authority as the "administrator" of the personal number.

When the system administrator A (SA1), the individual number administrator A (PA1), and the general affairs department charge A (PC1) are present and the operation is started based on the settings shown in FIG. 9-2, as shown in FIG. , System administrator A (SA1) can be given user registration / change / deletion, forced change of user password, invalidation (suspension of use) of user, and job operation authority. Then, the system administrator A (SA1) has the access authority as the "administrator" in the security DB 106a, but does not have the access authority to the My Number DB 106b. In addition, the individual number manager A (PA1) has the authority to grant the operation authority to the My Number. Then, the individual number administrator A (PA1) can access the security DB 106a with the operation authority of the job used daily by the "general" authority, and can access the my number DB 106b with the operation authority as the "administrator". Become. Further, the general affairs department charge A (PC1) can access the security DB 106a with "general" authority, but cannot access the My Number DB 106b because he has no authority. In this way, by granting the job operation authority possessed by the system administrator A (SA1) and the operation authority to the My Number possessed by the individual number administrator A (PA1), the authority in the user master UM and the My Number user master MUM The settings are made, but depending on the settings, even the system administrator cannot access the My Number DB106b.

(Security settings for master)
Next, a specific example of the security setting contents for the master will be described with reference to FIGS. 11 to 12-3. FIG. 11 is a diagram showing an example of the setting contents of the user master in the security DB. FIG. 12-1 is a diagram showing an example of setting the usage security of the My Number DB. FIG. 12-2 is a diagram showing an example of setting operation security and record security of My Number DB. FIG. 12-3 is a diagram showing an example of setting the usage security of the My Number DB.

As shown in FIG. 11, the user ID registered in the user master UM of the security DB 106a is a system administrator, an individual number administrator, a general affairs person in Tokyo or Osaka, or a person in charge of general affairs in Tokyo or Osaka for the security DB 106a that can be used in a normal job. An accounting person is registered, and the security DB 106a can be accessed with job operation authority according to each user.

In addition, in order to limit the people who can use My Number DB106b (use security), the user ID of the user whose access right has been granted is registered in My Number User Master MUM. In the upper figure of Fig. 12-1, in addition to the individual number manager, general affairs personnel in Tokyo and Osaka are registered. In this case as well, the security settings for the My Number platform can only be used by registered individual number managers and members of general affairs {Requirement 1- (1)}. In the figure below of FIG. 12-1, it is the My Number user group master MGM that associates the My Number user master MUM in group units, and by grouping the members registered in the My Number user master MUM and associating them with the constituent members. , Access rights can be set for each group.

Further, in the upper diagram of FIG. 12-2, an operation security setting master in which the access right is set according to the operation content (inquiry, addition, change, deletion) of the My Number DB 106b is shown, and in the lower diagram of FIG. 12-2, the operation security setting master is shown. An example of registering a record security setting master that enables restrictions on the data range that can be handled for each company or business establishment is shown. As shown in the upper figure of FIG. 12-2, the operation security setting master has access rights set for each user group name for each operation content (inquiry, addition, change, deletion). For example, the security requirements of the Tokyo General Affairs User Group are that Tokyo data can be queried / added / changed / deleted {Requirement 2- (1)}, and Osaka data can only be queried {Requirement 2- (2)}. In addition, the security requirements of the Osaka General Affairs User Group are that Osaka data can be inquired / added / changed / deleted {Requirement 3- (1)}, and Tokyo data is inaccessible {Requirement 3- (2)}. ..

Furthermore, the record security setting master shown in the lower figure of Fig. 12-2 narrows down the range of personal number data that can be handled to those that can be handled only by the Tokyo office and those that can be handled only by the Osaka office. Can be restricted.

The usage security setting master shown in FIG. 12-3 limits the data range that can be handled according to the business usage and the usage period. For example, the security requirement when the usage is general affairs of the withholding slip_user group for withholding is limited to access with the withholding slip from 12/1 to 1/31 as shown in Fig. 12-3 { Requirement 1- (2)}, Tokyo general affairs officer can only use withholding slip {Requirement 2- (3)}, Osaka general affairs officer can only use withholding slip {Requirement 3 -(3)}. In addition, access in the qualification acquisition notification is limited to 11/1 to 2/28 {Requirement 1- (3)}, and the person in charge of general affairs in Tokyo can use it only in the qualification acquisition notification {Requirement 2- (4). }, The person in charge of general affairs in Osaka can use it only in the notification of qualification acquisition {Requirement 3- (4)}. In this way, by using the usage security setting master, it is possible to limit the data range that can be handled according to the business usage and the usage period.

(From normal operation of specific personal information management device to fraudulent response operation)
Here, the normal operation operation of the specific personal information management device will be described with reference to FIGS. 13 to 15. FIG. 13 is a diagram showing an example of an operation flow during normal operation by the individual number manager. FIG. 14 is a diagram showing an example of an operation flow during normal operation by a user who does not have access right to the My Number DB. FIG. 15 is a diagram showing an example of an operation flow when the password is changed by the person himself / herself. FIG. 16-1 is a diagram showing an example of an operation flow when a malicious system administrator A illegally changes the password of the personal number administrator. FIG. 16-2 is a diagram showing an example of an operation flow when a malicious system administrator A impersonates an individual number administrator and logs in illegally. FIG. 17-1 is a diagram showing an example of an operation flow of recovery after fraud by the system administrator B. FIG. 17-2 is a diagram showing an example of an operation flow in which the individual number manager A and the system administrator B perform recovery after fraud.

As shown in FIG. 13, the individual number manager A (PA1) who manages the My Number infrastructure logs in by entering the user ID and password on the login screen, and then selects the job to be used from the menu screen. Here, when the individual number manager A (PA1) uses a normal job from the authority setting screen, the functions that the individual number administrator A (PA1) can use depend on the authority setting of the security DB 106a of FIG. That is, the authority of the individual number manager A (PA1) set in the user master of the security DB 106a is "general", and a normal job can be used within the range of the authority.

Further, when the Individual Number Manager A (PA1) uses the My Number system job, the functions that can be used by the Individual Number Manager A (PA1) depend on the authority setting of the security DB 106a shown in FIG. 13, and the My Number. It depends on the authority setting of DB 106b, and it is necessary that the password of the user master UM of the security DB 106a and the password of the My Number user master UM of the My Number DB 106b match. The reason for adding such a condition is to prevent the system administrator from attempting unauthorized access to the My Number DB as described later.

For example, as shown in FIG. 14, after the general affairs department person in charge A (PC1) or the system administrator A (SA1) who does not have access right to the My Number DB106b logs in using the existing login screen, the menu is displayed. When a normal job is used from the screen, it depends on the authority setting of the security DB 106a. That is, the person in charge A (PC1) of the general affairs department has "general" authority when looking at the user master UM, and the system administrator A (SA1) has "administrator" authority.

In addition, when using the My Number system job from the menu screen, it depends on the authority setting of My Number DB106b, but as shown in My Number User Master MUM in FIG. 14, the person in charge A (PC1) of the General Affairs Department also manages the system. Person A (SA1) cannot be used because the authority is not set. That is, regarding the use of My Number DB106b, even the system administrator A (SA1) who is a privileged user in the information system cannot use it unless the individual number administrator sets the authority.

Then, the individual number manager A (PA1) can change the passwords in the user master UM and the my number user master MUM by using the password change screen shown in FIG. That is, on the password change screen, if the current password entered by the individual number administrator A matches the password before the update, the identity can be confirmed, so that the password can be updated to a new password.

Here, when the system administrator A (SA1) maliciously attempts to illegally access the My Number DB 106b, the system administrator A (SA1) will display the user ID on the login screen as shown in FIG. 16-1. Enter the password to log in and select the job you want to use from the menu screen. For example, when the system administrator A (SA1) uses a normal job, he / she has full authority over the security DB 106a as an administrator. However, even the system administrator A who has all the authority cannot access the My Number DB 106b because he / she does not have the authority as it is when he / she selects the My Number system job.

Therefore, if the system administrator A (SA1) abuses the function of initializing the password due to forgetting the password of the person in charge and forcibly changes the password of the personal number administrator A, the security DB can be initialized. It is limited to the password of the user master of My Number DB, and the password of the My Number user master of My Number DB is not changed. However, as shown in Fig. 16-2, when system administrator A tries to log in by impersonating the individual number administrator, he / she logs in by entering the user ID of the individual number administrator and the initialized password on the login screen. The existing menu screen is displayed. When the system administrator A (SA1) impersonating the individual number administrator A uses a normal job, it can be used with the "general" authority set in the security DB 106a. However, when the system administrator A (SA1) impersonating the individual number administrator A uses the My Number system job, as shown in FIG. 16-1, the password of the user master UM of the security DB 106a and the My Number DB 106b Since the password of My Number User Master MUM does not match, the My Number job cannot be used. As described above, the specific personal information management device 100 according to the present embodiment can surely prevent unauthorized access from the malicious system administrator A (SA1).

Next, the system recovery procedure after the above-mentioned system administrator A (SA1) makes an unauthorized access will be briefly described. As shown in Fig. 17-1, the system administrator B (SA2), who is different from the system administrator A (SA1) who performed the fraud, logs in by entering the user ID and password on the login screen, and from the menu screen. Display the user registration screen. Here, in order to recover the password that has been changed illegally, it is necessary to forcibly change the password of the changed personal number administrator A (PA1) to "abcde". However, the password that can be forcibly changed by the system administrator B (SA2) is only the user master UM of the security DB 106a, and the password of the My Number user master UM of the My Number DB 106b cannot be changed. Therefore, as shown in FIG. 17-2, the personal number administrator A logs in by entering the user ID and password on the login screen, and the password "abcde" forcibly changed by the system administrator B (SA2) on the password change screen. Enter the current password and enter "pass2" in the new password to change it. Subsequently, the Individual Number Administrator A displays a new My Number password synchronization processing screen, and inputs the old password "pass1" when the My Number DB106b could be accessed and the new password "pass2" to be synchronized. By updating and matching the password of the security DB 106a of the individual number administrator A ( PA1 ) with the password of the My Number DB 106b, it is possible to restore the original state.

[4. Summary of this embodiment and other embodiments]
As described above, the specific personal information management device 100 according to the present embodiment prevents leakage of specific personal information such as My Number, which is confidential information, and strictly manages the information to minimize the risk of fraud. It can be suppressed. In particular, in the information system, a system administrator with all privileges and an independent individual number administrator are assigned to exclusively manage access to the My Number DB that stores specific personal information. In addition, when accessing specific personal information, the leakage of confidential information is prevented by allowing only those who are permitted by both the system administrator and the personal number administrator to access it. Further, in the specific personal information management device 100 according to the present embodiment, the personal number administrator has many access right holders (use security), business use (use security), operation contents (operation security), data range (record security), and so on. By setting the security of the dimension and narrowing down the possible access, the risk of fraud can be minimized and detailed access control for specific personal information has become possible.

In addition to the above-described embodiments, the present invention may be implemented in various different embodiments within the scope of the technical ideas described in the claims.

For example, of each of the processes described in the embodiments, all or part of the processes described as being automatically performed may be performed manually, or all of the processes described as being performed manually. Alternatively, a part thereof can be automatically performed by a known method.

In addition, the processing procedure, control procedure, specific name, information including parameters such as registration data and search conditions of each processing, screen examples, and database configuration shown in the present specification and drawings are not specified unless otherwise specified. Can be changed arbitrarily.

Further, with respect to the specific personal information management device 100, each component shown in the figure is a functional concept and does not necessarily have to be physically configured as shown in the figure.

For example, with respect to the processing functions included in the specific personal information management device 100, particularly each processing function performed by the control unit, all or any part thereof is realized by the CPU and a program interpreted and executed by the CPU. It may be realized as hardware by wired logic. The program is recorded on a non-temporary computer-readable recording medium including a programmed instruction for causing the information processing apparatus to execute the process described in the present embodiment, and specific personal information is required. It is read mechanically by the management device 100. That is, a computer program for giving instructions to the CPU in cooperation with the OS and performing various processes is recorded in a storage unit such as a ROM or an HDD (Hard Disk Drive). This computer program is executed by being loaded into RAM, and cooperates with a CPU to form a control unit.

Further, this computer program may be stored in an application program server connected to the specific personal information management device 100 via an arbitrary network, and all or a part thereof may be downloaded as needed. It is possible.

Further, the program for executing the process described in the present embodiment may be stored in a non-temporary computer-readable recording medium, or may be configured as a program product. Here, the "recording medium" includes a memory card, a USB (Universal Serial Bus) memory, an SD (Secure Digital) card, a flexible disk, a magneto-optical disk, a ROM, an EPROM (Erasable Programmable Read Only Memory), and an EEPROM (registration). Trademarks) (Electrically Erasable and Programmable Read Only Memory), CD-ROM (Compact Disk Read Only Memory), MO (Magnet-Optical Disk), MO (Magnet-Optical Disk), MO (Magnet-Optical Disc), DVD (Digital), DVD (Digital) It shall include any "portable physical medium".

Further, the "program" is a data processing method described in any language or description method, regardless of the format such as source code or binary code. The "program" is not necessarily limited to a single program, but is distributed as a plurality of modules or libraries, or cooperates with a separate program represented by the OS to achieve its function. Including things. A well-known configuration or procedure can be used for a specific configuration and reading procedure for reading the recording medium in each device shown in the embodiment, an installation procedure after reading, and the like.

Various databases and the like stored in the storage unit are memory devices such as RAM and ROM, fixed disk devices such as hard disks, flexible disks, and storage means such as optical disks, and are used for various processes and website provision. Stores programs, tables, databases, files for web pages, etc.

Further, the specific personal information management device 100 may be configured as an information processing device such as a known personal computer or workstation, or may be configured as the information processing device to which an arbitrary peripheral device is connected. Further, the specific personal information management device 100 may be realized by mounting software (including a program or data) that realizes the processing described in the present embodiment on the device.

Further, the specific form of distribution / integration of the device is not limited to the one shown in the drawing, and all or a part thereof may be functionally or physically in an arbitrary unit according to various additions or functional loads. It can be distributed and integrated. That is, the above-described embodiments may be arbitrarily combined and implemented, or the embodiments may be selectively implemented.

The present invention is particularly useful when handling highly confidential specific personal information such as My Number in an information system.

100 Specific personal information management device 102 Control unit 102a System processing unit 102a-1 System authority setting unit 102b My number processing unit 102b-1 My number authority setting unit 102c Business processing unit 104 Communication interface unit 106 Storage unit 106a Security DB
UM User Master 106b My Number DB
MUM My Number User Master 106c Business DB
108 Input / output interface unit 112 Input device 114 Output device 200 Server 300 Network

Claims (6)

Equipped with a control section, a supervises as information system in the smell of personal number in a row cormorant personal number management system,
You can access the security database and the My Number database where your personal number is stored.
The security database includes a user master who manages the operation authority of the security database given by the system administrator who manages the entire information system by a user ID and a password, and the user master is dedicated to the personal number by the system administrator. The operation authority given to the personal number administrator managed by is managed by the user ID and password.
The My Number database includes a My Number user master that manages the operation authority of the My Number database given by the individual number administrator by a user ID and a password.
The control unit
When the user ID and password are entered, a means for displaying the initial screen for selecting a job for accessing either the security database or the My Number database on the display unit, and
When a job for accessing the security database is selected on the first screen, the operation authority in the user master associated with the use of the selected job is associated with the entered user ID and password. When a job to access the My Number database is selected on the first screen, the password in the user master associated with the entered user ID and the entered user master are entered. Check if the passwords in the My Number user master associated with the user ID match, and if it is confirmed that they match, use the selected job and use the My Number associated with the entered user ID and password. Means to allow within the range of operation authority in the user master,
Bei obtain,
It shall be the feature and this personal number management device. The control unit
When the user ID and password are entered, a means to display the second screen for changing the password on the display unit, and
When the password to be changed and the password to be changed are entered on the second screen, (1) a password linked to the entered user ID and matching the password to be changed exists in the user master . If it is confirmed that it is in the user master, the matching password in the user master is changed to the password that the user wants to change, and if it is not confirmed that it is in the user master. Does not change the password in the user master, and (2) confirms whether the password associated with the entered user ID and matching the password to be changed exists in the My Number user master. If it is confirmed to be in the My number in the user master, to change the matching password of the My number in the user master password of the change hope, did not confirm that there is in the My number in the user master In that case, a means of executing the process of not changing the password in the My Number user master in any order, and
Further prepare,
The personal number management device according to claim 1. The initial screen allows you to select to change the password in the user master.
The control unit
When the change is selected on the first screen, it is confirmed whether the entered user ID and password are associated with the operation authority for the system administrator and exist in the user master. If confirmed, a means for displaying on the display unit a third screen for changing the password in the user master and displaying the user ID in the user master.
When the password to be changed is entered for the user ID to be changed on the third screen, the password associated with the user ID to be changed in the user master is changed to the password to be changed. Means to do and
Further prepare,
The personal number management device according to claim 1. The control unit
When the user ID and password are entered, a means to display the fourth screen for changing the password on the display unit, and
When the password to be changed and the password to be changed are entered on the fourth screen, it is confirmed whether the password associated with the entered user ID and matching the password to be changed exists in the user master. and, if it is confirmed that there is, and the hand-stage to change the matching password of the user in the master password of the change hope,
A means for displaying the fifth screen for synchronizing the password in the My Number user master with the password in the user master on the display unit, and
When the password to be synchronized and the password to be changed are entered on the fifth screen, a password linked to the entered user ID and matching the password to be synchronized exists in the My Number user master. If it is confirmed that it exists, the means for changing the matching password in the My Number user master to the password desired to be changed, and
Further prepare,
The personal number management device according to claim 3. It is a personal number management method executed by a personal number management device that has a control unit and manages personal numbers in an information system.
The personal number management device can access the security database and the my number database in which the personal number is stored.
The security database includes a user master who manages the operation authority of the security database given by the system administrator who manages the entire information system by a user ID and a password. In the user master, the system administrator exclusively assigns a personal number. The operation authority given to the personal number administrator managed by is managed by the user ID and password.
The My Number database includes a My Number user master that manages the operation authority of the My Number database given by the individual number administrator by a user ID and a password.
Executed by the control unit,
When the user ID and password are entered, the step of displaying the initial screen for selecting a job to access either the security database or the My Number database on the display unit, and
When a job for accessing the security database is selected on the first screen, the operation authority in the user master associated with the use of the selected job is associated with the entered user ID and password. When a job to access the My Number database is selected on the first screen, the password in the user master associated with the entered user ID and the entered user master are entered. Check if the passwords in the My Number user master associated with the user ID match, and if it is confirmed that they match, use the selected job and use the My Number associated with the entered user ID and password. Steps to allow within the range of operation authority in the user master, and
including,
A personal number management method characterized by that. It is a personal number management program that has a control unit and is executed by a personal number management device that manages personal numbers in an information system.
The personal number management device can access the security database and the my number database in which the personal number is stored.
The security database includes a user master who manages the operation authority of the security database given by the system administrator who manages the entire information system by a user ID and a password. In the user master, the system administrator exclusively assigns a personal number. The operation authority given to the personal number administrator managed by is managed by the user ID and password.
The My Number database includes a My Number user master that manages the operation authority of the My Number database given by the individual number administrator by a user ID and a password.
To make the control unit execute
When the user ID and password are entered, the step of displaying the initial screen for selecting a job to access either the security database or the My Number database on the display unit, and
When a job for accessing the security database is selected on the first screen, the operation authority in the user master associated with the use of the selected job is associated with the entered user ID and password. When a job to access the My Number database is selected on the first screen, the password in the user master associated with the entered user ID and the entered user master are entered. Check if the passwords in the My Number user master associated with the user ID match, and if it is confirmed that they match, use the selected job and use the My Number associated with the entered user ID and password. Steps to allow within the range of operation authority in the user master, and
including,
A personal number management program characterized by that.

Images