JP7340708B1 - Evaluation providing device, evaluation providing method, and evaluation providing program - Google Patents

Abstract

The present invention provides an evaluation providing device, an evaluation providing method, and an evaluation providing program that make it possible to improve the convenience of a user entity while reducing the effort of a user entity to acquire security evaluations regarding various services. SOLUTION: An evaluation providing device includes a receiving unit that receives an answer to a checklist regarding the security of a service from a providing entity that provides the service, and a receiving unit that receives a security evaluation regarding the service from a user entity based on the answer to the checklist. and a display unit that displays a predicted delivery date by which the security evaluation can be provided to the user entity. [Selection diagram] Figure 2

Description

The present invention relates to an evaluation providing device, an evaluation providing method, and an evaluation providing program.

As cyber-attacks have increased in recent years, security evaluation against cyber-attacks has been attracting attention. For example, a system for managing a list of security-related questions (hereinafter referred to as a checklist), a system for deriving a security evaluation based on answers to the checklist, and the like have been proposed (for example, Patent Document 1).

Japanese Patent Application Publication No. 2003-044658

By the way, cases are assumed in which user entities use various services represented by SaaS (Software as a Service). In such cases, it may become cumbersome for the user entity to obtain security evaluations for various services such as cloud services.

From the perspective of reducing the effort of user entities, an evaluation providing system may be considered that executes, on behalf of user entities, a process of collecting answers to security-related checklists from providing entities that provide various services.

However, when collecting responses to checklists is performed on behalf of the evaluation providing system, it may be difficult for the user entity to know when the security evaluation can be obtained, which may reduce convenience for the user entity. .

Therefore, the present invention has been made to solve the above-mentioned problems, and makes it possible to improve the convenience of the user entity while reducing the effort of the user entity to obtain security evaluations regarding various services. The purpose is to provide an evaluation providing device, an evaluation providing method, and an evaluation providing program.

One aspect of the present disclosure includes a receiving unit that receives an answer to a checklist regarding the security of a service from a providing entity that provides the service, and a receiving unit that performs a security evaluation regarding the service to a user entity based on the answer to the checklist. and a display unit that displays a predicted delivery date by which the security evaluation can be provided to the user entity.

One aspect of the present disclosure includes step A of receiving an answer to a checklist regarding the security of a service from a providing entity that provides the service, and providing a security evaluation regarding the service to a user entity based on the answer to the checklist. and step C of displaying a predicted delivery date by which the security evaluation can be provided to the user entity.

One aspect of the present disclosure includes step A of receiving an answer to a checklist regarding the security of a service from a providing entity that provides the service, and providing a security evaluation regarding the service to a user entity based on the answer to the checklist. This is an evaluation providing program that causes a computer to execute step B of providing the security evaluation to the user entity, and step C of displaying a predicted delivery date by which the security evaluation can be provided to the user entity.

According to the present invention, there is provided an evaluation providing device, an evaluation providing method, and an evaluation providing program that make it possible to improve the convenience of the user entity while reducing the effort of the user entity to obtain security evaluations regarding various services. can do.

FIG. 1 is a diagram showing an evaluation providing system 100 according to an embodiment. FIG. 2 is a diagram showing the evaluation providing device 30 according to the embodiment. FIG. 3 is a diagram for explaining display contents according to the embodiment. FIG. 4 is a diagram for explaining display contents according to the embodiment. FIG. 5 is a diagram for explaining display contents according to the embodiment. FIG. 6 is a diagram for explaining the progress status according to the embodiment. FIG. 7 is a diagram for explaining the progress status according to the embodiment. FIG. 8 is a diagram for explaining the progress status according to the embodiment. FIG. 9 is a diagram for explaining the progress status according to the embodiment. FIG. 10 is a diagram for explaining the progress according to the embodiment. FIG. 11 is a diagram for explaining the progress status according to modification example 1. FIG. 12 is a diagram for explaining the progress status according to modification example 2.

Embodiments will be described below with reference to the drawings. In addition, in the description of the following drawings, the same or similar parts are given the same or similar symbols.

However, it should be noted that the drawings are schematic and the ratio of each dimension may differ from the actual one. Therefore, specific dimensions etc. should be determined with reference to the following explanation. Furthermore, it goes without saying that the drawings may include portions with different dimensional relationships or ratios.

[Summary of disclosure]
The evaluation providing device according to the summary of the disclosure includes a receiving unit that receives an answer to a checklist regarding the security of a service from a providing entity that provides the service, and a receiving unit that receives a security evaluation regarding the service to a user based on the answer to the checklist. The information processing apparatus includes a providing unit that provides the security evaluation to the entity, and a display unit that displays a predicted delivery date by which the security evaluation can be provided to the user entity. In the summary of the disclosure, an evaluation providing method and an evaluation providing program that are compatible with an evaluation providing device may be provided.

In the disclosure summary, when collecting answers to a security-related checklist on behalf of the evaluation providing device, the evaluation providing device displays a predicted delivery date by which the security evaluation can be provided to the user entity. According to such a configuration, the user entity can grasp the predicted delivery date, thereby improving the convenience of the user entity.

[Embodiment]
(Evaluation provision system)
An evaluation providing system according to an embodiment will be described below. FIG. 1 is a diagram showing an evaluation providing system 100 according to an embodiment.

As shown in FIG. 1, the evaluation providing system 100 includes a first terminal 10, a second terminal 20, and an evaluation providing device 30. The first terminal 10, the second terminal 20, and the evaluation providing device 30 are connected by a network 110. Although not particularly limited, network 110 may be configured by the Internet. Network 110 may include a local area network, a mobile communication network, and a VPN (Virtual Private Network).

The first terminal 10 is a terminal used by a user entity. A user entity is an entity that requests a risk assessment of a service provided by a providing entity. A user entity may be used as a term to indicate the first terminal 10. For example, the first terminal 10 may be a personal computer, a smartphone, or a tablet terminal. In FIG. 1, a first terminal 10A and a first terminal 10B are illustrated.

The second terminal 20 is a terminal used by the providing entity. A providing entity is an entity that provides a service that is subject to risk assessment. The service may include various services represented by SaaS (Software as a Service). The providing entity may be used as a term indicating the second terminal 20. For example, the second terminal 20 may be a personal computer, a smartphone, or a tablet terminal. In FIG. 1, second terminals 20A to 20C are illustrated.

The evaluation providing device 30 is a device that provides a security evaluation regarding a service provided by a providing entity. The entity that manages the evaluation providing device 30 may be referred to as a management entity. A management entity may be used as a term indicating the evaluation providing device 30. The evaluation providing device 30 may be configured by one or more servers provided on the network 110. Specifically, the evaluation providing device 30 collects answers to the security checklist from the providing entity. The evaluation providing device 30 provides a security evaluation regarding the service to the user entity based on the answers to the checklist. Details of the evaluation providing device 30 will be described later (see FIG. 2).

(Evaluation providing device)
An evaluation providing device according to an embodiment will be described below. FIG. 2 is a diagram showing the evaluation providing device 30 according to the embodiment. As shown in FIG. 2, the evaluation providing device 30 includes a communication section 31, a management section 32, and a control section 33.

The communication unit 31 is configured by a communication module. The communication module may be a wireless communication module that complies with standards such as IEEE802.11a/b/g/n, LTE, and 5G, or may be a wired communication module that complies with standards such as IEEE802.3.

The communication unit 31 communicates with the second terminal 20. For example, the communication unit 31 transmits a checklist regarding service security to the second terminal 20. The communication unit 31 receives answers to the checklist from the second terminal 20. The communication unit 31 may transmit a re-reply request for the checklist to the second terminal 20. The communication unit 31 may receive the re-answer results for the checklist from the second terminal 20.

The communication unit 31 communicates with the first terminal 10. The communication unit 31 transmits display data regarding content to be displayed on the first terminal 10 (hereinafter referred to as display content) to the first terminal 10. Transmission of display data related to display content may be read as display of display content. The display content may include the following content.

In option 1, the display content may include a security rating. Displaying a security evaluation may be read as providing a security evaluation. Security ratings may be provided by a system that views security ratings. The system for viewing security evaluations may be read as a system realized by the evaluation providing device 30.

However, the security evaluation may be provided by a method other than the system for viewing the security evaluation. Methods other than the system for viewing security evaluations may include methods using e-mail, chat tools, recording media, etc.

In option 2, the display may include an expected delivery date by which the security assessment can be provided to the user entity. The predicted delivery date may be expressed as a period (for example, one week, two weeks) from the time when the predicted delivery date is confirmed until the security evaluation can be provided. The estimated delivery date may be expressed as a date on which the security evaluation can be provided (eg, yyyy/mm/dd). The predicted delivery date may be manually set by an operator of the management entity.

In option 3, the display content may include notes regarding providing a security assessment for the user entity. The precautions may include at least one of matters regarding the possibility of providing security evaluations and matters regarding conditions that may be imposed on the user entity in providing security evaluations.

In option 4, the display may include the progress towards being able to provide the security assessment to the user entity. The progress status may include a first progress status belonging to the first hierarchy and a second progress status belonging to a second hierarchy lower than the first hierarchy. The second progress status includes an initial response to the checklist, a review of the initial response to the checklist, a second and subsequent response to the checklist, and a re-review of the second and subsequent responses to the checklist. But that's fine.

Two or more options selected from options 1 to 4 may be combined.

The management unit 32 is configured by a storage medium such as a nonvolatile memory, an HDD (Hard Disk Drive), an SSD (Solid State Drive), or a magnetic tape.

For example, the management unit 32 stores past security evaluations in association with providing entities. The management unit 32 may store checklists used in past security evaluations in association with providing entities, or may store answers to checklists used in past security evaluations in association with providing entities. . The management unit 32 may store a history of communication between the providing entity and the management entity regarding past security evaluations. The management unit 32 may store the frequency of responses of providing entities to checklists used in past security evaluations.

Control unit 33 may include at least one processor. The at least one processor may be comprised of a single integrated circuit or a plurality of communicatively connected circuits (such as integrated circuits and/or discrete circuits).

For example, the control unit 33 generates display data regarding display content. The display content may include one or more options selected from Option 1 to Option 4 described above. Here, the generation of display data may be read as the display of display contents.

The control unit 33 may generate display data for displaying the predicted delivery date when past security evaluations are associated with the providing entity.

In the embodiment, the communication unit 31 constitutes a receiving unit that receives answers to the checklist regarding security of the service from the providing entity.

In the embodiment, the communication unit 31 constitutes a providing unit that provides a security evaluation regarding the service to the user entity based on the answers to the checklist.

In the embodiment, at least one of the communication unit 31 and the control unit 33 constitutes a display unit that displays the predicted delivery date by which the security evaluation can be provided to the user entity.

In the embodiment, the management unit 32 configures a database that stores past security evaluations regarding the service in association with the providing entity.

(Display content)
Display contents according to the embodiment will be described below. In the following, the providing entity may also be referred to as a vendor. Services provided by a providing entity are sometimes referred to as cloud services.

First, with reference to FIG. 3, the display contents related to the above-mentioned options 2 and 3 will be mainly explained. The display contents shown in FIG. 3 may be displayed on the first terminal 10 by the evaluation providing device 30.

As shown in FIG. 3, the display content includes a list of cloud services that the user entity plans to use, cloud services that the user entity is considering using, or cloud services that the user entity is currently using. For example, the list of services includes cloud services A to cloud services D, etc.

If past security evaluations for cloud services are stored in association with the vendor, the estimated delivery date 51 will be displayed along with the icon "Disclose investigation results" as shown in Cloud Services A to Cloud Services C. be done. For example, a predicted delivery date 51 of approximately one week is displayed for cloud service A, a predicted delivery date 51 of approximately two weeks is displayed for cloud service B, and a predicted delivery date 51 of approximately one week is displayed for cloud service C. Is displayed.

On the other hand, if past security evaluations regarding cloud services are not stored in association with the vendor, an icon that says ``Request a new investigation'' will be displayed, as shown in Cloud Service D. In such a case, information 52 such as "No investigation record" indicating that there is no investigation record of security evaluation in the past may be displayed together with the icon.

If there is a note regarding the provision of the security evaluation to the user entity, an icon 53 indicating the existence of the note is displayed. In FIG. 3, a case is illustrated in which there are precautions for cloud services B to D.

As shown in Figure 4, the precautions include "individual investigation", "third-party privacy policy", "contract plan", "usage status", "paid support", "NDA required", "competing product", It may also include types such as "lost contact" and "other (general purpose)".

"Individual investigation" is not accepted by the providing entity and does not support the scheme of sending checklists and receiving responses to checklists, so it is necessary to deal with each providing entity individually. This is a possible condition. If "individual investigation" exists as a precaution based on past investigation results, display wording associated with "individual investigation" may be displayed by selecting (clicking) the icon 53. Here, the display wording is a wording that explains the details of the precaution to the user entity. Additionally, the display text may include a text advising the user entity regarding precautions. For example, the displayed text may be, ``There are cases where security investigations have been declined due to policy, resource, and cost issues.If you enter the information of the person in charge, we may be able to disclose your information. ”.

The "third party intervention privacy policy" is a condition under which the providing entity may not allow the evaluation providing device 30 (third party) to intervene. If "Third party mediated privacy policy" exists as a precaution, display text associated with "Third party mediated privacy policy" may be displayed by selecting (clicking) the icon 53. For example, the displayed wording may be, ``In some cases, we have been refused a survey due to policies that prohibit us from passing on information to third parties that do not have a contract with our company's services. We may be able to disclose your information if you contact us in advance.''

The "contract plan" is a condition under which the providing entity may refuse to provide security evaluation, depending on the contract plan, usage scale (number of accounts, etc.), contract amount, etc. of the service provided by the providing entity. If "contract plan" exists as a precaution, display wording associated with "contract plan" may be displayed by selecting (clicking) the icon 53. For example, the displayed wording is, ``The business operator decides whether or not to respond to an investigation based on the contract brand, scale of use (number of accounts, etc.), contract amount, etc., and there are cases where the request for an investigation was refused because the criteria could not be met. "Yes. When making this request, please be sure to enter the plan you plan to contract/are currently contracted for."

“Usage status” is a condition under which the providing entity may refuse to provide security evaluation unless the user is using the service provided by the providing entity or is not under contract. If "usage status" exists as a precaution, display wording associated with "usage status" may be displayed by selecting (clicking) the icon 53. For example, the displayed wording may be ``In some cases, we have refused security surveys because we do not accept security surveys without using the service or contracting.Therefore, we do not accept requests for surveys at the stage of considering implementation before using the service. If so, your request may be refused.Please be aware of this in advance before making your request.''

“Paid support” is a condition in which the providing entity may refuse to provide security evaluation for a service provided by the providing entity unless the security evaluation is for a fee. If "paid support" exists as a caution, display wording associated with "paid support" may be displayed by selecting (clicking) the icon 53. The display wording may be, for example, ``There are cases in which security investigations have become chargeable.Please be aware of this in advance before requesting.''

“NDA Required” is a condition under which a non-disclosure agreement may be required for providing a security assessment. If “NDA Required” exists as a precaution, display wording associated with “NDA Required” may be displayed by selecting (clicking) the icon 53. The display wording may be, for example, "There are cases in which a non-disclosure agreement has been required for a security investigation. Please be aware of this in advance before making your request."

A "competitive product" is a condition under which a providing entity may refuse to provide a security assessment because the service provided by the providing entity is in competition with a service that may be provided by the managing entity. The services that can be provided by the management entity may include the services realized by the evaluation providing device 30, and may also include services other than the services realized by the evaluation providing device 30 and other services provided by the management entity. good. If "competitive product" exists as a precaution, display wording associated with "competitive product" may be displayed by selecting (clicking) the icon 53. Services that fall under "competitive products" may not be displayed in the list of services because it is difficult for the management entity to obtain a security evaluation. The display wording may be, for example, "There are cases where the survey was refused due to a competing service."

“Lost contact” is a condition in which it is possible that the providing entity cannot be contacted. If "loss of communication" exists as a precaution, a display wording associated with "loss of communication" may be displayed by selecting (clicking) the icon 53. For example, the displayed text may be, ``This is a company that we have contacted many times after receiving your request, but we have not been able to communicate with you at all.If you enter the information of the person in charge, we may be able to disclose your information.'' good.

“Other (general purpose)” is a condition in which there is a possibility that a security evaluation cannot be obtained for reasons other than the conditions described above. If "Others (General Purpose)" exists as a precaution, display wording associated with "Others (General Purpose)" may be displayed by selecting (clicking) the icon 53. The display wording may be, for example, "There are cases that could not be investigated in the past."

Here, we consider that "individual investigation," "third-party mediated privacy policy," "competitive product," "lost contact," and "other (general purpose)" are examples of matters related to the possibility of providing security evaluation. Good too. “Contract plan,” “usage status,” “paid support,” and “NDA required” may be considered to be examples of items related to conditions that may be imposed on user entities when providing security evaluations.

The precautions are based on the past security evaluations that the management unit 32 stores in association with the providing entity, the history of communication between the providing entity and the management entity, the response frequency of the providing entity, etc., and the type of conditions and display wording. is selected.

Second, with reference to FIG. 5, the display contents related to the above-mentioned option 4 will be mainly explained. The display contents shown in FIG. 5 may be displayed on the first terminal 10 by the evaluation providing device 30.

As shown in FIG. 5, the display content includes a list of cloud services that the user entity has requested to investigate. For example, the list of services includes cloud services A to cloud services D, etc. The display contents may include items such as service name, request date, completion date, investigation status, and reinvestigation. The investigation status is an example of the progress towards being able to provide a security assessment to the user entity. Furthermore, the list of services may include both cloud services that have a past research record and have been requested to disclose their research results, and cloud services that have no past research history and have been requested to be newly investigated.

The progress status may include a first progress status belonging to the first hierarchy and a second progress status belonging to a second hierarchy lower than the first hierarchy. Although not particularly limited, the second progress status may be displayed in the investigation status column shown in FIG. 5.

For example, as shown in FIGS. 6 to 10, the first progress status may include statuses such as "send request," "confirm party," "answer," and "complete." “Request sent” is a status in which a user entity requests a security evaluation investigation and requests a providing entity to conduct a security evaluation investigation. “Party confirmation” is a status for confirming whether or not the providing entity undergoes a security evaluation investigation. “Answer” is a status in which a checklist is sent to a providing entity, a response to the checklist is received from the provider entity, and the response to the checklist is reviewed by the management entity. “Completed” is a status in which the security evaluation investigation has been completed.

The second progress status may include "request transmission" which is lower than "request transmission" in the first progress status. As shown in FIG. 6, the second progress status "request sent" is a status in which a user entity requests a security evaluation investigation and the management entity confirms the request. When the management entity completes the confirmation of the request and requests the providing entity to investigate the security evaluation, the second progress status "Request Send" will be completed (for example, a black circle), and the first progress status "Request Send" will also be completed. Finish (for example, check). In this way, the statuses of the first progress status and the second progress status may be displayed using different icons.

The second progress status may include "person in charge reply" and "response negotiation" which are lower than the first progress status "confirmation with other party". As shown in the left column of FIG. 7, the second progress status "reply from person in charge" is a status that waits for a reply from the providing entity. When there is a reply from the providing entity, the second progress status ``reply by person in charge'' becomes complete (for example, a black circle). As shown in the right column of FIG. 7, "response negotiation" is a status in which a management entity and a providing entity negotiate regarding a request for a security evaluation investigation. When the negotiation is completed, the second progress status "response negotiation" is completed (for example, a black circle), and the first progress status "confirmation with the other party" is also completed (for example, checked).

The second progress status may include "start answer," "answer," and "review," which are lower than "answer" in the first progress status. As shown in the upper left column of FIG. 8, the second progress status "Reply Start" is a status in which a checklist is sent to the providing entity and the providing entity starts responding to the checklist. Once the checklist is sent to the providing entity, the second progress status "Response Start" ends (eg, black circle). As shown in the upper right column of FIG. 8, the second progress status "Answer" is a status in which the providing entity is responding to the checklist. Upon receiving a response to the checklist from the providing entity, the second progress "answer" ends (eg, a black circle). As shown in the lower left column of FIG. 8, the second progress status "Review" is a status in which the management entity reviews the responses to the checklist. If there are no deficiencies in the answers to the checklist, the "review" of the second progress status is completed (for example, a black circle), and the "answer" of the first progress status is also completed (for example, a check).

Here, if there is a deficiency in the answer to the checklist, as shown in Figure 9, the second progress status lower than the first progress status ``Answer'' will be changed to ``Re-Answer'' and ``Re-review''. Item is added. As shown in the left column of FIG. 9, the second progress status "re-response" is a status in which the providing entity is re-replying to the checklist. When a re-response to the checklist is received from the providing entity, the "re-response" of the second progress status ends (for example, a black circle). As shown in the right column of FIG. 9, the second progress status "Re-review" is a status in which the management entity re-reviews the responses to the checklist. If there are no deficiencies in the re-answers to the checklist, the "re-review" of the second progress status is completed (for example, a black circle), and the "answer" of the first progress status is also completed (for example, a check).

If there are any deficiencies in the re-answer to the checklist, the items "Re-answer" and "Re-review" will be added as a second progress status that is lower than the first progress status "Answer", and In the same procedure as in 9, the re-answers to the checklist and the re-review of the re-answers to the checklist are performed. The same procedure as in FIG. 9 may be repeated until there are no deficiencies in the re-answers to the checklist.

In addition, if the delivery date of the security assessment is delayed due to re-reply by the providing entity or re-review by the managing entity, the delivery date will be delayed along with the display of the first progress status and the second progress status. You may display a message to that effect.

In other words, as shown in Figures 9 and 10, the display contents regarding the progress status include the first response to the checklist, the review of the first response to the checklist, the second and subsequent responses to the checklist, and the checklist. This may include re-reviewing the responses from the second time onwards.

The second progress status may include "completed" which is lower than the first progress status "completed". As shown in FIG. 10, the second progress status "Complete" is a status in which the provision of security evaluation has been completed. When the provision of the security evaluation is completed, the second progress status "completed" becomes finished (for example, a black circle), and the first progress status "completed" also becomes finished (for example, checked).

Here, in FIG. 5, a case was illustrated in which the second progress status is displayed in the investigation status column, but the first progress status is displayed in the investigation status column, and the second progress status is displayed in the investigation status column, and the second progress status is displayed in the investigation status column. Progress may be displayed. Alternatively, both the first progress status and the second progress status may be displayed in the investigation status column.

(action and effect)
In the embodiment, when the evaluation providing device 30 collects answers to security-related checklists on behalf of the user entity, the evaluation providing device 30 displays a predicted delivery date by which the security evaluation can be provided to the user entity. According to such a configuration, the user entity can grasp the predicted delivery date, thereby improving the convenience of the user entity.

In embodiments, the rating providing device 30 displays notes regarding providing security ratings to user entities. According to such a configuration, the user entity can grasp the precautions in advance, thereby improving the convenience of the user entity.

In the embodiment, the evaluation providing device 30 displays the progress toward being able to provide the security evaluation to the user entity. According to such a configuration, even when collecting answers to a security checklist on behalf of the user entity, the user entity can grasp the progress between the management entity and the providing entity, which increases the convenience of the user entity. Improves sex.

[Change example 1]
Modification example 1 of the embodiment will be described below. In the following, differences from the embodiment will be mainly explained.

In modification example 1, the display content may include the reason why the user entity's request for providing a security evaluation was canceled by the user entity (cancellation reason in FIG. 11), as shown in the left column of FIG. 11. Although not particularly limited, the reason for cancellation may be that the user entity has determined that it is difficult to obtain a security evaluation from the providing entity. Here, in the left column of Figure 11, a case is illustrated in which a request is canceled at the "request sending" stage of the first progress status, but the request is canceled in another first progress status or second progress status. may be done.

In modification example 1, the display content may include the reason why the providing entity cannot provide the security evaluation (NG reason in FIG. 11), as shown in the right column of FIG. Although not particularly limited, the reason for NG may be that the providing entity does not accept individual support for security evaluation. Here, in the right column of Figure 11, a case is illustrated in which it is determined that the security evaluation cannot be provided at the "request transmission" stage of the first progress status, but it is It may be determined that a security assessment cannot be provided in certain circumstances.

(action and effect)
In modification example 1, the evaluation providing device 30 displays at least one of the cancellation reason and the NG reason. According to such a configuration, the user entity can appropriately understand the reason why a security evaluation cannot be obtained.

[Change example 2]
Modification example 2 of the embodiment will be described below. In the following, differences from the embodiment will be mainly explained.

In modification example 2, the display content may include, as shown in FIG. 12, that the security evaluation was delivered by a method other than the system for viewing the security evaluation. If the providing entity refuses delivery via the management entity, or requests delivery by e-mail, etc., delivery may be made by a method other than the system for viewing security evaluations. Methods other than the system for viewing security evaluations may include methods using e-mail, chat tools, recording media, etc.

In such a case, the management entity may manually change the second progress status from "Completed" to Completed. The first progress status "Completed" may be manually changed to Completed by the management entity, or may be changed to Completed at the same time as the second progress status "Completed" is changed to Completed.

(action and effect)
In modification example 2, the evaluation providing device 30 displays that the security evaluation has been delivered by a method other than the system for viewing the security evaluation. According to such a configuration, even if the product is delivered by a method other than the system for viewing the security evaluation, the user entity can appropriately understand whether or not the security evaluation has been acquired.

[Change example 3]
Modification example 3 of the embodiment will be described below. In the following, differences from the embodiment will be mainly explained.

In the embodiment, a case where the predicted delivery date is manually set by the operator of the management entity has been exemplified. In contrast, in modification example 3, the predicted delivery date is specified by the control unit 33 based on information managed by the management unit 32. The information used to specify the predicted delivery date is as shown below.

In option 3-1, the control unit 33 specifies the predicted delivery date based on the actual delivery date required until past security evaluations can be provided. The actual delivery date is the period of time required from receiving a request for security evaluation to providing security evaluation regarding past security evaluations.

In option 3-2, the control unit 33 specifies the predicted delivery date based on the version of the checklist used in past security evaluations. For example, the control unit 33 may specify a longer delivery date as the predicted delivery date as the version of the checklist becomes older.

In option 3-3, the control unit 33 specifies the predicted delivery date based on the degree of sufficiency of the answers to the checklist used in past security evaluations. For example, the control unit 33 may specify a longer delivery date as the predicted delivery date, the lower the degree of sufficiency of the answers to the checklist used in past security evaluations.

In option 3-4, the control unit 33 identifies the expected delivery date based on the history of communication with the providing entity regarding past security evaluations. For example, the control unit 33 may specify a longer delivery date as the predicted delivery date as the provider entity's response to the inquiry to the provider entity becomes slower.

In option 3-5, the control unit 33 specifies the predicted delivery date based on the frequency of the providing entity's responses to checklists used in past security evaluations. For example, the control unit 33 may specify a delivery date that is longer as the predicted delivery date as the response frequency is lower.

Two or more options selected from Option 3-1 to Option 3-5 may be combined. Furthermore, if a delivery date longer than the past actual delivery date is specified using any of the options, this may be displayed as a warning.

(action and effect)
In modification example 3, the evaluation providing device 30 specifies the predicted delivery date based on at least one of options 3-1 to 3-5. According to such a configuration, it is possible to appropriately specify the predicted delivery date while reducing the effort of the management entity.

[Other embodiments]
Although the present invention has been described with reference to the embodiments described above, the statements and drawings that form part of this disclosure should not be understood as limiting the present invention. Various alternative embodiments, implementations, and operational techniques will be apparent to those skilled in the art from this disclosure.

Although not particularly limited, a security evaluation investigation may be read as a security investigation.

Although not specifically mentioned in the embodiment, a program that causes a computer to execute each process performed by the evaluation providing device 30 may be provided. Moreover, the program may be recorded on a computer-readable medium. Computer-readable media allow programs to be installed on a computer. Here, the computer-readable medium on which the program is recorded may be a non-transitory recording medium. The non-transitory recording medium is not particularly limited, but may be a recording medium such as a CD-ROM or a DVD-ROM, for example.

Alternatively, a chip may be provided that includes a memory that stores programs for executing each process performed by the evaluation providing device 30 and a processor that executes the programs stored in the memory.

[Additional notes]
The above disclosure may be expressed as follows.

A first feature includes a receiving unit that receives answers to a checklist regarding the security of a service from a providing entity that provides the service, and provides a security evaluation regarding the service to a user entity based on the answers to the checklist. The present invention is an evaluation providing device comprising: a providing unit that provides the security evaluation; and a display unit that displays a predicted delivery date by which the security evaluation can be provided to the user entity.

A second feature is the evaluation providing device according to the first feature, wherein the display unit displays notes regarding providing the security evaluation to the user entity.

A third feature is that in the second feature, the precautions include at least one of a matter regarding the possibility of providing the security evaluation and a matter regarding conditions that may be imposed on the user entity in providing the security evaluation. It is an evaluation providing device that includes one or more of the following:

A fourth feature is that in at least one of the first to third features, the display unit displays the progress until the security evaluation can be provided to the user entity. It is an evaluation providing device.

A fifth feature is that in the fourth feature, the progress status includes a first progress status belonging to a first hierarchy and a second progress status belonging to a second hierarchy lower than the first hierarchy. It is an evaluation providing device.

A sixth feature is that in the fifth feature, the second progress status includes the first response to the checklist, the review of the first response to the checklist, and the second and subsequent re-answers to the checklist. , and re-reviewing responses to the checklist from the second time onward.

A seventh feature is that in at least one of the first to sixth features, the display unit displays the reason why the user entity's request regarding provision of the security evaluation was canceled by the user entity and the security The evaluation providing device displays at least one of the reasons why evaluation cannot be provided.

An eighth feature is that in at least one of the first to seventh features, the display section displays that the security evaluation was delivered by a method other than a system that views the security evaluation. , is an evaluation providing device.

A ninth feature, in at least one of the first to eighth features, includes a database that stores past security evaluations regarding the service in association with the providing entity; The evaluation providing device displays the predicted delivery date when past security evaluations are stored in association with the providing entity.

A tenth feature is, in the ninth feature, the actual delivery time required to be able to provide the past security evaluation, the version of the checklist used in the past security evaluation, and the version used in the past security evaluation. at least one of the following: the degree of sufficiency of the answers to the checklist used in the past security evaluation, the history of communication with the providing entity regarding the past security evaluation, and the frequency of the providing entity's responses to the checklist used in the past security evaluation. The evaluation providing device includes a control unit that specifies the predicted delivery date based on the estimated delivery date.

An eleventh feature is step A of receiving an answer to a checklist regarding the security of a service from a providing entity that provides the service, and providing a security evaluation regarding the service to the user entity based on the answer to the checklist. and step C of displaying a predicted delivery date by which the security evaluation can be provided to the user entity.

A twelfth feature is step A of receiving an answer to a checklist regarding the security of the service from a providing entity that provides the service, and providing a security evaluation regarding the service to the user entity based on the answer to the checklist. This is an evaluation providing program that causes a computer to execute step B of providing the security evaluation and step C of displaying a predicted delivery date by which the security evaluation can be provided to the user entity.

10...first terminal, 20...second terminal, 30...evaluation providing device, 31...communication department, 32...management department, 33...control unit, 100...evaluation providing system, 110...network

Claims (12)

a receiving unit that receives a response to a checklist regarding service security from a providing entity that provides the service;
a providing unit that provides a security evaluation regarding the service to a user entity based on answers to the checklist;
a database storing past security evaluations regarding the service;
a control unit that identifies a predicted delivery date when the security evaluation can be provided based on information regarding the past security evaluation, and generates display data for displaying the predicted delivery date;
An evaluation providing device , comprising: a display unit that displays the predicted delivery date based on the display data generated by the control unit . The evaluation providing device according to claim 1, wherein the display unit displays notes regarding provision of the security evaluation. 3. The precautions include at least one of matters regarding the possibility of providing the security evaluation and matters regarding conditions that may be imposed on the user entity in providing the security evaluation. Evaluation providing device. The evaluation providing device according to claim 1, wherein the display unit displays a progress status until the security evaluation can be provided . 5. The evaluation providing device according to claim 4, wherein the progress status includes a first progress status belonging to a first hierarchy and a second progress status belonging to a second hierarchy lower than the first hierarchy. The second progress status includes the first response to the checklist, the review of the first response to the checklist, the second and subsequent responses to the checklist, and the second and subsequent responses to the checklist. The evaluation providing device according to claim 5, comprising: a review. 2. The display unit according to claim 1, wherein the display unit displays at least one of the reason why the user entity's request for providing the security evaluation was canceled by the user entity and the reason why the providing entity cannot provide the security evaluation. Evaluation providing device as described. The evaluation providing device according to claim 1, wherein the display unit displays that the security evaluation has been delivered by a method other than a system for viewing the security evaluation. The evaluation providing device according to claim 1, wherein the display unit displays the predicted delivery date when the past security evaluation is stored . The control unit includes the actual delivery date required until the past security evaluation could be provided, the version of the checklist used in the past security evaluation, and the answers to the checklist used in the past security evaluation. The prediction is based on at least one of a degree of sufficiency, a history of communication with the providing entity regarding the past security evaluation, and a frequency of responses of the providing entity to the checklist used in the past security evaluation. The evaluation providing device according to claim 1 , which specifies a delivery date. Step A in which the evaluation providing device receives an answer to a checklist regarding the security of a service from a providing entity that provides the service;
Step B, wherein the evaluation providing device provides a security evaluation regarding the service to the user entity based on the answers to the checklist;
Step C in which the evaluation providing device stores past security evaluations regarding the service in a database;
Step D in which the evaluation providing device identifies a predicted delivery date when the security evaluation can be provided based on information regarding the past security evaluation, and generates display data for displaying the predicted delivery date;
An evaluation providing method, comprising a step E in which the evaluation providing device displays the predicted delivery date based on the display data generated in the step D. A step of receiving a response to a security checklist for a service from a providing entity that provides the service;
B providing a security assessment for the service to a user entity based on the answers to the checklist;
step C of storing past security evaluations regarding the service in a database;
Step D of identifying a predicted delivery date when the security evaluation can be provided based on the information regarding the past security evaluation, and generating display data for displaying the predicted delivery date;
An evaluation providing program that causes a computer to execute step E of displaying the predicted delivery date based on the display data generated in step D.