201101083

VI. Description of the Invention:

[Technical Field]

The present invention relates to the field of information security management, and in particular to an information security management method applied to a computer, and to an information security management method applied to a computer system architecture.

[Prior Art]

In recent years, many companies have adopted information security management systems to protect their important internal data and to avoid the significant losses that would result from that data leaking out. Figure 1 shows a conventional information security management system. Referring to Figure 1, this information security management system includes an information security server 11, an AD (Active Directory, i.e. directory service) server 12, a database 13 and a console 14. The information security server 11 is connected through a network 15 to computers 16, 17, 18, 19 and 20, and each of these computers has the agent of the information security management software installed.

An administrator can use the console 14 to set, in the database 13, the information security policy for the above computers; the information security management system then restricts the computers according to that policy, for example by setting web-browsing permissions, file-printing permissions and software-usage permissions for some or all of the computers. However, the conventional information security management system does not control whether an external storage device is connected to a computer. This means that if any one of the computers 16 to 20 is connected to an external storage device, for example a USB (Universal Serial Bus) flash drive, the information security management system cannot stop an employee from copying important data from the computer onto that external storage device. This leaves a gap in the information security protection.

[Summary of the Invention]

One object of the present invention is to provide an information security management method applied to a computer, which controls the computer's operations on an external storage device.

Another object of the present invention is to provide an information security management method applied to a computer system architecture, which controls the operations of each computer in that architecture on external storage devices.

The present invention proposes an information security management method applied to a computer. The computer has the agent of an information security management software installed, and has a Windows operating system installed, where the Windows operating system has a device management program that detects the hardware devices of the computer and lists the device names of the detected hardware devices in a device management table. In this information security management method, the agent is first used to scan the device names in the device management table, in order to determine whether an external storage device is connected to the computer. Then, when the determination is yes, the agent is used to control the computer's operations on the external storage device.

The present invention further proposes an information security management method applied to a computer system architecture. The computer system architecture includes an information security server and a plurality of computers.
The information security server is connected to these computers and has the information security management software installed, while each of the computers has the agent of the information security management software installed, and also has a Windows operating system installed. The Windows operating system has a device management program that detects the hardware devices of its own computer and lists the device names of the detected hardware devices in a device management table. In this information security management method, the agent is first used to scan the device names in the device management table of its own computer, in order to determine whether an external storage device is connected to that computer. Then, when the determination is yes, the agent is used to control that computer's operations on the external storage device.

In one embodiment of the present invention, the way the agent determines whether an external storage device is connected to the computer includes determining whether the device names listed in the device management table contain a device name that includes a specific term. The specific term includes at least one of "storage device", "Universal Serial Bus" and "Bluetooth".

In one embodiment of the present invention, the agent scans the device names in the device management table at timed intervals.

The present invention uses the agent in the computer to scan the device names in the device management table in order to determine whether an external storage device is connected to the computer, and, once the determination is yes, uses the agent to control the computer's operations on the external storage device. In this way, employees can be further prevented from using external storage devices to steal important data stored in the computer.

To make the above and other objects, features and advantages of the present invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.

[Detailed Description of the Embodiments]

Figure 2 is a flowchart of an information security management method applied to a computer according to an embodiment of the present invention. The computer has the agent of an information security management software installed, and has a Windows operating system installed. The Windows operating system has a device management program; for the Windows operating system, this device management program is the well-known Device Manager. The device management program detects the hardware devices of the computer and lists the device names of the detected hardware devices in a device management table. For convenience of explanation, one form of the device management table is introduced first, taking the device management table used by the Windows operating system as an example, as shown in Figure 3.
Figure 3 shows the device management table used by the Windows operating system. As shown in the figure, this device management table lists not only the device names of the storage devices of the computer, but also the device names of all the other hardware devices of the computer. In terms of the operation of Device Manager, when an external storage device is connected to the computer, for example a USB flash drive, and is detected by the computer's Device Manager, the Device Manager lists the device name of the USB flash drive in the device management table, under the "Universal Serial Bus controllers" group.

The above is a brief description of the device management table. Referring again to Figure 2, the information security management method proposed by the present invention is now described. As shown in Figure 2, first, the agent is used to scan the device names in the device management table, in order to determine whether an external storage device is connected to the computer (step S210). Then, when the determination is yes, the agent is used to control the computer's operations on the external storage device (step S220).

In step S210, determining whether an external storage device is connected to the computer includes determining whether the device names listed in the device management table contain a device name that includes a specific term. The specific term includes at least one of "storage device", "Universal Serial Bus" and "Bluetooth".

Also in step S210, the agent may scan the device names in the device management table at timed intervals, that is, scanning the device names once every predetermined time interval, where the administrator can set the scanning interval as required. The agent may also scan the device names in the device management table at non-timed moments.

In step S220, as soon as an external storage device is connected to the computer, the agent can immediately control the computer's operations on the external storage device according to settings made in advance by the administrator. For example, the agent can prevent the computer from storing any data from the computer onto the external storage device.

In summary, the information security management method proposed by the present invention uses the agent in the computer to scan the device names in the device management table, in order to determine whether an external storage device is connected to the computer, and then controls the computer's operations on the external storage device. With this method, employees can be prevented from using external storage devices to steal important data from the computer.

The information security management method described above is used to manage a single computer. The method can also be applied to a computer system architecture having a plurality of computers, as shown in Figure 4.

Figure 4 is a flowchart of an information security management method according to another embodiment of the present invention; this method can be applied to the computer system architecture shown in Figure 1. Referring to Figures 4 and 1, the information security management method includes the following steps. First, the agent is used to scan the device names in the device management table of its own computer, in order to determine whether an external storage device is connected to that computer (step S410). Then, when the determination is yes, the agent is used to control that computer's operations on the external storage device (step S420).

In this embodiment too, the way the agent determines whether an external storage device is connected to its own computer includes determining whether the device names listed in the device management table of that computer contain a device name that includes a specific term. The specific term again includes at least one of "storage device", "Universal Serial Bus" and "Bluetooth". In addition, in step S410, the agent may scan the device names in the device management table at timed intervals or at non-timed moments.

It is worth noting that, from the description of Figure 1, the information security management system of Figure 1 is connected to the computers 16 to 20 through the company's internal network 15, from which it follows that the internal network 15 is itself a local area network (LAN).

In summary, the present invention uses the agent in the computer to scan the device names in the device management table, in order to determine whether an external storage device is connected to the computer, and then controls the computer's operations on the external storage device. In this way, employees can be further prevented from using external storage devices to steal important data stored in the computer.

Although the present invention has been disclosed above by way of preferred embodiments, these are not intended to limit the present invention. Any person skilled in the art may make minor changes and modifications without departing from the spirit and scope of the present invention; the scope of protection of the present invention is therefore defined by the appended claims.

[Brief Description of the Drawings]

Figure 1 shows a conventional information security management system.

Figure 2 is a flowchart of an information security management method applied to a computer according to an embodiment of the present invention.

Figure 3 shows the device management table used by the Windows operating system.

Figure 4 is a flowchart of an information security management method according to another embodiment of the present invention; this method can be applied to the computer system architecture shown in Figure 1.

[Description of Main Reference Numerals]

11: information security server
12: AD server
13: database
14: console
15: network
16, 17, 18, 19, 20: computers
S210, S220, S410, S420: steps
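The following is an added illustration, not code from the patent or from any product it describes, of the agent-side logic in steps S210/S220 (and, identically, S410/S420): scan the device names of a device management table for the specific terms "storage device", "Universal Serial Bus" and "Bluetooth", and, when a matching device appears, apply the administrator's pre-set control. The device table here is a constructed sample shaped like a Windows Device Manager listing (group, device name); on a real host the enumerator passed to the agent would read Device Manager's list instead. The function and class names, the constructed table and the placeholder policy that only records a "deny write" decision are all assumptions for this example. It goes slightly beyond the text by keeping a set of devices seen in earlier scans, so that a device is acted on once when it first appears rather than on every timed scan.

```python
"""Agent-side scan of a device management table for external storage devices.

Illustrative example (not the patent's own code). Models step S210 (scan
device names for a specific term) and step S220 (apply the administrator's
policy) over a constructed device table; the enumerator is injectable so a
real Device Manager listing can be substituted.
"""
import time
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Specific terms named in the specification; matched case-insensitively.
DEFAULT_TERMS = ("storage device", "universal serial bus", "bluetooth")

# Constructed sample of a device management table: (group, device name).
# The group heading "Universal Serial Bus controllers" exists on every
# Windows host, so only device names, never group headings, are matched.
SAMPLE_TABLE: List[Tuple[str, str]] = [
    ("Disk drives", "ST3500418AS ATA Device"),
    ("Universal Serial Bus controllers", "Intel(R) ICH9 Family USB Universal Host Controller"),
    ("Universal Serial Bus controllers", "USB Root Hub"),
    ("Universal Serial Bus controllers", "USB Mass Storage Device"),
    ("Bluetooth", "Generic Bluetooth Adapter"),
]


@dataclass
class ScanResult:
    matched: List[str]  # all device names containing a specific term
    new: List[str]      # the subset not seen in any earlier scan


def match_external_storage(table, terms=DEFAULT_TERMS) -> List[str]:
    """Step S210: return device names that contain any of the specific terms."""
    lowered = tuple(t.lower() for t in terms)
    return [name for _group, name in table
            if any(t in name.lower() for t in lowered)]


def block_write_policy(device_name: str) -> str:
    """Placeholder for step S220: the administrator's pre-set control.
    A real agent would enforce this in the OS; here it only records the decision."""
    return f"deny write: {device_name}"


class Agent:
    """Scans an enumerated device table and applies the policy to newly seen devices."""

    def __init__(self, enumerate_devices: Callable[[], List[Tuple[str, str]]],
                 policy: Callable[[str], str], terms=DEFAULT_TERMS):
        self.enumerate_devices = enumerate_devices
        self.policy = policy
        self.terms = terms
        self.seen = set()

    def scan(self):
        """One pass: S210 detection, then S220 control for devices that just appeared."""
        matched = match_external_storage(self.enumerate_devices(), self.terms)
        new = [n for n in matched if n not in self.seen]
        self.seen.update(matched)
        actions = [self.policy(n) for n in new]
        return ScanResult(matched, new), actions

    def run(self, interval_seconds: float, max_scans: int) -> List[List[str]]:
        """Timed scanning: one scan every interval_seconds, for max_scans passes.
        Returns the list of actions taken on each pass."""
        taken = []
        for i in range(max_scans):
            _result, actions = self.scan()
            taken.append(actions)
            if i + 1 < max_scans:
                time.sleep(interval_seconds)
        return taken


if __name__ == "__main__":
    agent = Agent(lambda: SAMPLE_TABLE, block_write_policy)
    for pass_actions in agent.run(interval_seconds=0.5, max_scans=2):
        print(pass_actions)
```

On a Windows host the enumerator could be fed from the output of PowerShell's Get-PnpDevice (one real source of the same device list); the matching itself is deliberately a substring test on device names because that is what the specification describes. Note that device-name matching is heuristic: a device whose name does not carry one of the specific terms is not caught, which is why the terms are kept as a configurable tuple rather than hard-coded in the scan.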