WO2009147855A1 - File management system - Google Patents

File management system

Info

Publication number
WO2009147855A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
label
information
management system
user
Prior art date
Application number
PCT/JP2009/002508
Other languages
English (en)
Japanese (ja)
Inventor
橋本宏美
荒井正人
笈川光浩
楠拓也
山口演己
甲斐賢
Original Assignee
株式会社 日立製作所
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from JP2009093324A external-priority patent/JP5390911B2/ja
Application filed by 株式会社 日立製作所 filed Critical 株式会社 日立製作所
Publication of WO2009147855A1 publication Critical patent/WO2009147855A1/fr

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data

Definitions

  • the present invention relates to a file management system that achieves both prevention of information leakage and utilization of information.
  • Patent Document 1 a document management server that cannot register a document without obtaining approval checks whether or not the document contains confidential information, personal information, or typographical errors, and includes confidential information or personal information.
  • the technology for supporting the identification work of the approver's information by displaying on the approval screen is shown.
  • In setting the information handling policy, it may be possible to establish a strict rule, such as uniformly prohibiting the removal of portable media, in order to prevent leakage of confidential information via portable media.
  • There is a role-based access control technique according to Non-Patent Document 1. It does not give the user permission to execute an operation directly, but rather gives a role permission to execute the operation and associates the user with the role, so that the users who perform the “Read” or “Write” operation are limited.
  • In Patent Document 1, the preset keywords for specifying confidential information are matched against the text of the submitted information, but since the information handled by an organization varies, it is difficult to set good-quality keywords matched to the information in advance. Furthermore, since the detection accuracy does not change unless the keywords are updated, a keyword that should be detected may be missed, or an unnecessary keyword may continue to be detected indefinitely.
  • Patent Document 1 shows the approver the number of keywords included in the document, but the approver cannot determine the contents of the document from only the presence or the number of keywords. Eventually, it may be necessary to open and check the file. Further, the present invention aims to prevent information leakage in advance, and an approver who performs approval work is required to decide whether or not to permit take-out after evaluating the information leakage risk. If the take-out method were the same every time, it would be enough to judge the value of the document to be taken out, but since there are various types of information and various information sharing partners, it is difficult to judge the risk of leakage appropriately and to approve or reject the application.
  • In Non-Patent Document 1, since the information leakage paths are wide as described above, it is difficult to prevent information leakage only by associating the user with a role. For example, in the technique of Non-Patent Document 1, even if a file is permitted to be viewed inside the organization but should not be viewed from outside the organization, when the user is assigned to a role that permits the operation, a change in the user's location may allow the file to be viewed outside the organization and its contents to be seen by a third party. When managing organization information, it is necessary to prevent leakage in advance according to dynamic changes in the information usage environment and storage medium.
  • The sharing range varies depending on the information. Setting, one by one, policies that control operations in real time so that this sharing range is not exceeded, based on the dynamically changing storage location of the information and the state / situation of the user, takes time.
  • the present invention provides a file management system that prevents an operation that leads to leakage even if the information storage destination and the state / situation of the user dynamically change without hindering the use of the information.
  • the present invention sets a sharing range according to the value of information for information such as files scattered under the management of an organization, and prevents operations that are likely to lead to information leakage beyond the sharing range.
  • The file management method sets a combination of a category indicating the type of information and a confidentiality level as a label, sets an execution condition in units of labels for each operation that is likely to cause information leakage, and further has a policy list that also sets sharing destinations known in advance. The file sharing range is set by assigning labels to files instead of assigning policies directly to files.
  • Since execution conditions are set for each operation in the label, fine-grained setting and control can be performed for the file to which the label is assigned.
  • Since the operations for which execution conditions are set are operations likely to lead to information leakage, it is possible to centrally manage the execution conditions of a wide range of operations, not limited to “Read” and “Write”.
  • By using attributes such as the job title of the user, the usage environment, and the medium for storing information as execution conditions, it is possible to perform authority setting based on dynamic changes, which could not be achieved with the prior art.
  • The user can assign a label to a file, and thereby apply the policy to the file, simply by selecting the appropriate label according to the category of information and the confidentiality level.
  • the file usage environment in which the label is set includes an administrator who constructs and manages the environment, an approver, and a user who is a general user.
  • The administrator sets the access rights for each label in advance as a policy and distributes the policies to the clients assigned to users.
  • Users who handle files can apply controls set in the distributed policy by assigning labels to the files.
  • When assigning a label to a file, the file owner first sets the label based on the category of information and the confidentiality level, and then the approver determines whether the label assigned by the user is appropriate. The label is assigned to the information once the approver changes or approves it. As a result, even if the user who first assigns the label negligently or intentionally assigns an unsuitable label, the approver can check it to ensure reliability.
  • files that are not assigned a label are regarded as confidential information, and operations such as sending mail outside the company or taking out portable media are prohibited. As a result, it is possible to prevent an operation of taking a file outside the company even if no label is assigned.
  • The above file management system has a database in which highly confidential objects (characteristics such as descriptions, images, and logos) are registered in order to determine the risk of leakage. When a label is applied for on a file and submitted to the approver for approval, the database is checked against the file, and whether the requested file contains sensitive objects is identified and displayed on the approval screen.
  • the approver can quickly grasp the value of the file applied for.
  • Since the file management system updates the database based on the approval result, objects that should be registered because they are effective in preventing leakage risk can be added, and unnecessary objects can be deleted, even if the approver or administrator does not update the database.
  • For the case where taking files outside the organization is an operation that requires the approval of the approver, the above file management system is provided with an approval management server having a program that presents useful information so that the risk of information leakage associated with the take-out can be understood accurately and promptly. On the approval screen for determining whether to allow or disallow the export, the approval management server displays the page judged to carry the highest risk in the file, the previous approval / rejection history of similar files, the difference from a similar file if there is one, and whether or not the export destination and export method are high-risk.
  • When the approver points out a part containing confidential information that raises the asset value and rejects or sends back the application, the user can be informed of the reason for rejection, and in subsequent approval decisions a part including the pointed-out part can be presented as highly confidential information. The approver can easily understand the risk of leakage associated with taking out the file that has been applied for, making it easier to make approval decisions.
  • The file management system includes a client and a document management server having a monitoring / control program for controlling user operations based on a policy, and is equipped with a sensor that detects the movement of registered users and can grasp which area a user is in. By referring to the policy using the location information of the user obtained from the sensor and the information on the operation performed on the client, it determines whether execution of the operation is permitted and, if execution is permitted, performs label inheritance. As a result, control can be performed without losing the label even when the information to which the label is assigned moves from the client to another medium. Alternatively, the operation can be executed only when the location of the user is appropriate.
  • the user when taking out a file outside the organization, the user stores the encrypted file in the notebook PC after obtaining approval from the approver.
  • the decryption key is transmitted to the mobile phone only when the location information of the user can be confirmed using the mobile phone.
  • the user passes the decryption key by communicating with the mobile phone and the notebook PC, and can use the file only at an appropriate place outside the organization.
  • Users can set detailed policies just by selecting information levels and categories.
  • Since the system is configured to centrally manage policies and distribute them to clients, if the policies are modified, the change can be reflected on the clients without updating the settings of each file.
  • By setting a policy for files that have not been assigned a label, operations with a high possibility of leakage can be prevented even for such files. This prevents information from being taken out of the organization regardless of negligence or intention.
  • By updating the database used for identification at the time of approval judgment, the identification accuracy of information can be improved without the administrator updating it.
  • In an organization that wants to allow only approved information to be taken out, the approver can appropriately determine the risk of information leakage.
  • For example, it can be used as a tool for supporting file management by a security department administrator in managing files scattered in an information system and its surrounding environment in preparation for preventing information leakage.
  • The file management system of the present invention described above is a system that assigns labels to files and restricts operations that lead to information leakage, and includes at least: policy setting means for setting policies; policy distribution means for distributing the policies to clients that include monitoring / control means; a sensor for identifying the user when the user passes; state management means for centrally managing information acquired from the sensor to identify the location of the user; and label assigning means for associating a policy with a file by assigning a label to the file. The monitoring / control means identifies the label assigned to the file when the user operates the file, determines the location of the user, the attribute of the user, and the storage location of the file, collates the label with the policy, and determines whether execution of the operation is permitted.
  • the file management system of the present invention is a file management system that assigns a label, which is a combination data of a category indicating the type of information and a confidentiality level, to a file and restricts an operation that leads to information leakage.
  • the file identification means to be identified based on the above, and the approval result for the label application or file take-out application is obtained from another terminal or input means, and the handling information regarding the object in the object registration database Characterized in that it comprises a DB management means for updating, the.
  • the DB management unit may update the object registration database when an approval result is received.
  • the object registration database may be a database in which an object of a file is registered for each label, a database in which an object is registered for each partner having a history of taking out a file, and a file and a label. And a database in which objects are registered.
  • the file identification means identifies a page configuration, a text position and an object position on the corresponding page for the file for which the application has been accepted, and the items identified here are similar to each other
  • the other device is specified based on the attribute information of the object registration database, the difference between the file and the other file is acquired, and the presence / absence of the object registered in the object registration database is detected in the acquired difference. Alternatively, it may be output to another terminal.
  • the other file management system in particular, an object registration database for storing object attribute information and handling information, and a storage means for storing an approval management database for storing history data of file application concerning files,
  • Specify based on the attribute information acquire the difference between the file and the other file, detect the presence or absence of an object with use restriction registered in the object registration database in the acquired difference, The approval result is identified in the approval management database, and the information on the presence / absence of the object having the use restriction and the information on the approval result of the other file are output to the other terminal or output means as the confirmation items for the approver who makes the approval determination.
  • a file identification means According to this, the approver who performs approval work browses the information on the confirmation required items, and can make an approval determination after firmly recognizing the items to be focused on in the application file. In addition, it is possible to omit determination work for items that overlap with past application files, and to perform efficient approval determination.
  • The file management system may further include a DB management unit that obtains an approval result for the label application or file take-out application from another terminal or input unit and updates handling information regarding the object in the object registration database.
  • the file identification unit may be a past application file whose file export destination is the same as the file whose application has been accepted, or a past application file which has been determined to be rejected or permitted to be exported.
  • the other file may be specified from the past application files obtained by this search. According to this, processing can be made efficient when the other file is specified.
  • the file identification unit extracts the reason for rejection from the approval management database and includes it in the information on the confirmation required item. May be output to another terminal or output means. According to this, the approver can determine the approval of this application file after recognizing in advance the reason for refusal regarding the similar case.
  • the storage means stores a take-out rule database that stores rules for permitting or disallowing take-out in a combination of a file format and a take-out method at the time of file take-out, and the file identifying means
  • the file export method information specified in the application file is checked against the export rule database to determine whether the file export method specified by the corresponding application file is an allowed method, and the determination result is It may be included in the information on the confirmation item that is required and output to another terminal or output means.
  • the approver can recognize an application file whose designation of the take-out method is not appropriate, and as a result, the approver can be notified of a correction instruction for the take-out method.
  • the number of objects with usage restrictions is included based on the data of the confirmation required items including information on presence / absence of objects with usage restrictions and information on approval results of the other files.
  • The approval management unit may perform highlight setting on the usage-restricted object included in the corresponding page on the preview screen, and output to the other terminal or the output unit. According to this, the approver can quickly recognize objects with usage restrictions in the preview screen, and can suppress omissions about objects that require judgment.
  • the present invention makes it possible to prevent operations leading to information leakage without hindering the use of information.
  • FIG. 1 is a configuration diagram of a file management system according to the first embodiment.
  • the file management system 1000 includes a policy setting server 10, a state management server 20, a log management server 30, an Internet server 41, one or more sensors 50, one or more printers 60, one or more clients 70, and a document management server 80.
  • the ID management system 90 and the asset management system 100 are connected to the network 40 by wire or wireless.
  • User 1 enters and leaves the organization using an IC card 76 in which his / her user ID is stored in a tamper-resistant area, for example.
  • Here, "inside the organization" refers to the area inside the sensor arranged on the outermost side, where sensors are installed at the points dividing rooms such as a building or office.
  • the user 1 further performs various operations using the client 70, the portable medium 77, or the notebook PC 78.
  • the user 1 has a mobile phone 79 in which user information that can be uniquely specified is stored in a tamper-resistant area, and carries the mobile phone 79 inside and outside the organization.
  • the client 70 can also read the ID recorded on the IC card by connecting the card reader 795, reading the IC card 76, and communicating with the client 70.
  • the administrator 2 performs various operations using the policy setting server 10.
  • the approver 3 performs various operations using the document management server 80.
  • The sensor 50 is installed at entrances that divide the buildings or offices of the organization. For example, even when physical buildings of the same organization are separate, such as a branch, the sensor 50 is used if it is installed there. When the user 1 holds the IC card 76 over the sensor, the sensor reads the ID of the IC card and performs authentication, and the user can then enter and leave the room.
  • The Internet server 41 is an e-mail server that relays transmission / reception of the e-mail 43 exchanged in the network 40 or on the Internet and stores the transmitted / received e-mail, or a proxy server that relays Web communication with the Internet 42.
  • The client 70 can be connected to a portable medium 77 such as a CD-R / DVD-R, a USB flash memory, a portable HDD, or an SD card for storing multimedia contents, and the client 70 can exchange files with the portable medium 77.
  • the client 70 is assigned to each user 1.
  • The client 70 may be assigned to two or more users; in this case, the client 70 identifies and authenticates the user so that it can determine which user has used the client 70.
  • account management is performed by the ID management system 90 so as to know who is associated with which account.
  • the policy setting server 10 includes a policy setting program 11 that sets a policy list 13 that stores policies to be applied to files, and a policy distribution program 12 that distributes the policy list 13 set by the policy setting program 11 to the client 70. Further, the policy setting program 11 and the policy distribution program 12 store the work log in the terminal log 14. The policy setting program 11 may be accessed by the administrator 2 directly to the policy setting server 10 or from the administrator terminal via the network 40.
  • the state management server 20 includes a label management list 23, a state management list 24, a decryption key list 25, and a terminal log 26.
  • the state management program 21 is operated in which the user list 91 for storing the attribute information is stored together and the location of the user registered in the user list 91 is written in the state management list 24. Further, the state management program 21 also updates the label management list 23 that manages file storage location information when a file moves between clients.
  • the state management server also includes an authentication program 22 for authenticating the mobile phone 79 carried by the user 1 and a decryption key list 25 distributed to the mobile phone that has been successfully authenticated. Thereby, even when the user is outside the organization, it is possible to control the file described in the present embodiment.
  • On the log management server 30, a log analysis program 31 operates that collects the terminal logs acquired by the client 70, the document management server 80, and the policy setting server 10 and the sensor log 52 acquired by the sensor 50, analyzes and shapes the collected logs, stores them in the collection log 32, and transmits the sensor log acquired from the sensor among the collection logs to the state management server 20.
  • On the client 70, a monitoring / control program 72 operates that monitors the operations of the user 1 in detail and, when an operation occurs, refers to the label management table 74 that stores the label information of the target file and the policy list 73 received from the policy setting server 10 to determine the policy, permits or prevents the operation, and stores the control result in the terminal log 75 as a log.
  • On the document management server 80, a label allocation program 81 for assigning labels to files and a monitoring / control program 82 having the same function as the monitoring / control program 72 provided in the client 70 operate.
  • the label allocation program 81 receives the label information of the file applied by the user 1 at the client 70, receives the approval or change request from the approver, and updates the label management list 84.
  • Information on the correspondence between files and labels assigned by the label assignment program 81 is stored in the label management list 84.
  • Logs of operations executed by the label allocation program 81 and the monitoring / control program 82 of the document management server 80 are stored in the terminal log 85. Note that the file stored in the document management server 80 is a file that has been examined in the organization and is handled as overwriting prohibited.
  • The "file" described in this patent is not a system file or the like, but covers all information assets that are generated within the organization or obtained from the outside and that are valuable within the organization.
  • FIG. 2 is a block diagram showing a hardware configuration of the client 70 in the file management system 1000.
  • the client 70 includes a terminal log 75, a policy list 73, an external storage medium 702 that stores a label management table 74, a CPU 701 that executes a monitoring / control program 72, a memory 703, a display unit 704 that displays an input / output screen, and an input / output.
  • the bus 709 is interconnected.
  • the document management server 80, the policy setting server 10, the state management server 20, and the log management server 30 also have the same hardware configuration as the block diagram of the client 70 shown in FIG.
  • the portable medium connection unit 706 is not necessarily provided in the document management server 80, the policy setting server 10, the state management server 20, and the log management server 30.
  • In each device, the CPU executes the program stored in the external storage medium 702, thereby realizing the processing and functions described below.
  • For convenience, each program is described as the subject that executes the processing.
  • Each program may be stored in advance in the external storage medium 702 or the memory 703 of each of the above devices, or may be introduced when necessary from another device via the portable medium connecting unit 706 or the communication unit 708 and a medium that each device can use.
  • the medium refers to, for example, a removable portable medium 77 or a communication medium (that is, the network 40 or a carrier wave or a digital signal propagating through the network 40).
  • FIG. 3 shows an example of the data structure of the policy list 13.
  • the policy list 13 records conditions for performing an operation when an operation occurs on a file stored in any of the client 70, the document management server 80, the portable medium 77, and the notebook PC 78.
  • the information is stored in storage devices on the policy setting server 10 and the client 70.
  • The policy list 13 is table data composed of zero or more entries. Each entry has a label 281 set for a combination of information category and level, an information category 282, a level 283 indicating the degree of confidentiality of the information, an operation 284 that is the control target, an access subject 285 indicating the conditions for executing the operation 284, and a sharing destination 286 indicating destinations with which files can be shared, such as users not registered in the user list 91 of the ID management system 90 or Web sites accessible via the Internet 42.
  • the label 281 is set by a combination of the category shown in the column 282 and the level shown in the column 283.
  • the label name may be an alphabet as shown in the column 281 or may be any other name as long as the label can be uniquely identified.
  • the files stored in each client 70 include a draft version that is being created and a completed document.
  • The policy list 13 sets different units of the sharing range as labels from categories and levels, and further specifies the access subject and the sharing destination for each operation for each label, so that a fine-grained policy can be applied by assigning the label to a file.
  • a label “no label” 2811 is set as a policy to be assigned to a file with no label set, and a condition for the operation is set.
  • The monitoring / control program 72 of the client 70 applies the policy associated with the label, but assigning labels to all the files stored on the client takes time and effort. Furthermore, there is a possibility that a file that is not labeled will be uncontrolled and leaked. Therefore, files that are not assigned a label should at least be treated as confidential, and operations that take information out of the organization should be controlled, so a policy for files without labels is also set and applied.
  • the category 282 is a value set based on the type of information of the organization.
  • For example, types of information such as “HR information”, “financial information”, “technical information”, or customer information may be defined. These values can be added or modified by the administrator 2 using the policy setting program 11.
  • Level 283 is a value set based on the value of information, and defines, for example, “top secret”, “secret”, “public”, and “unset”. These definitions are classified so as to be easily set by the user 1 who assigns labels and the approver 3 who approves labels.
  • Operation 284 defines operations that have a high possibility of leaking information beyond the sharing range, in addition to “browse” and “edit”, which are operations for which access rights are designated by conventional access control technology. Examples are “browsing”, “editing (including file deletion, file name change, etc.)”, “copying (electronic, paper, scanning, etc.)”, “printing”, “network transmission (hereinafter referred to as NW transmission) (mail, Web upload, etc.)”, and “take out”.
  • the access subject 285 defines conditions under which the operation 284 can be executed. Specifically, the access subject 285 is set based on the access subject condition list 301.
  • the access subject 285 is data composed of at least zero logical expressions, and defines an expression that can uniquely identify the condition selected from the access subject condition list 301.
  • the logical expression describes a condition under which the operation can be executed or a condition where the operation is not permitted. Further, in the logical expression, the symbol “ ⁇ ” indicates an AND operator, and the symbol “
  • the definition method of the access subject 285 will be described after the data structure of the access subject condition list 301 is described.
  • The access subject condition list 301 is table data composed of at least one or more entries. Each entry has a category number 302 identifying a candidate to be set as a condition, a category 303 summarizing that candidate, and the data (304 to 308) that the organization can select as attribute information in the category 303.
  • The category 303 defines user attribute information such as “employment classification”, “title”, and “organization name”, the location of the user who handles the file, the type of medium for storing the file, conditions for use outside the organization, etc.
  • Data set for each category is attribute information that can be selected by the organization, such as “part”, “contract”, “employee” in “employment classification” described in C1 of the access subject condition list 301, for example.
  • the administrator 2 may add a category or attribute information to be defined more finely.
  • management of users and assets is performed using a user list 91 and an asset list 101 separately.
  • the user list 91 is managed by the ID management system 90 and manages, for example, attribute information such as “name”, “employment classification”, and “position” in units of user IDs that can uniquely identify users.
  • the asset list 101 is managed by the asset management system 100 and manages, for example, “asset ID”, “type” indicating the type of storage medium, “owning department”, “medium identification ID” and the like in units of assets. is there.
  • For the user list 91 and the asset list 101, registration associated with the addition of users and assets, and deletion of items associated with the transfer or retirement of users or the change or disposal of assets, use the general functions of the ID management system 90 and the asset management system 100.
  • the item described on the left side indicates the category number 302 of the access subject condition list 301, and the item described on the right side indicates the data numbers shown in the columns 304 to 308.
  • “the employment classification indicated by C1 is 3 (that is, employee)”
  • “the position indicated by C2 is a position that is greater than 3 (i.e., the section manager or higher)”
  • “the organization name indicated by C3 is 3 (i.e., the research department)”
  • the information sharing destination outside the organization is designated.
  • For the NW transmission of operation 284, when the person in charge at the business partner is determined or the URL of the website for uploading the file is known, the mail address or URL of the person in charge is registered in advance.
  • the registered person in charge and URL can be set so that the file can be shared even outside the organization.
  • by registering these pieces of information it is possible to prevent erroneous transmission due to an incorrect input of an email address and erroneous transmission of a file to be transmitted.
  • Even when not registered as a sharing destination (column 286), it is possible to execute these operations by applying to the approver 3 for sharing destination information and purpose, and obtaining approval.
  • this policy is centrally managed by the policy list 13 stored in the policy setting server 10, and is set in advance by the administrator 2 using the policy setting program 11.
  • the administrator 2 may change the policy every time a periodic review is performed or according to an application from the user.
  • The label 281 is assigned to the file 300. Once the label has been assigned to a file, a change to the category and level that define the label, or to the access subject for each operation, does not affect the files to which the label 281 has already been assigned.
  • Because the policy list 13 is also distributed to the client 70 by the policy distribution program 12 and is referred to by the monitoring / control program 72 of the client 70, the same policy can be applied if the label is known, even when the client changes due to file copying or the like. A more specific policy setting example and feasible control will be described with reference to FIG.
  • FIG. 4 shows a specific example of the policy described in FIG. 3 and shows that fine control can be performed for each type of information.
  • The definition of the label “A” is shown as 4001, the definition of the label “B” as 4002, the definition of the label “C” as 4003, and the definition of the label “none” as 4004.
  • The label A4001 is a label assigned to personnel information whose level is top secret, and is intended to further limit the sharing range within the organization. Such information should not be taken outside the company, and should be restricted within the organization until the expiration date. Therefore, as a control of the file to which the label A4001 is assigned, a condition is set so that employees at section manager level or higher can execute the operations from browsing through NW transmission only on the desktop PC in the office, and take-out is not allowed. As a result, for example, even if an employee at section manager level or higher tries to copy a file with the label A4001 from the desktop PC to a portable medium, the copy cannot be executed, because the desktop PC is set as the device on which the copy operation can be performed.
  • Label B4002 is a label assigned to catalog information that can be disclosed. Possible uses include in-house browsing and taking-out actions such as explanation to specific customers outside the company. Therefore, as a control of the file to which the label B 4002 is assigned, browsing and NW transmission are set to “* (possible without conditions)”, and other operation conditions are set. For example, since it has already been released, an “edit” operation is not permitted in order to prohibit overwriting. On the other hand, if the employee uses a medium other than the RFID attached paper, the take-out operation can be taken out of the organization regardless of the sharing destination.
  • the label C4003 is a label assigned to the business partner A whose level is secret. This information should be shared only with users who have a relationship with the business partner A within the organization, and with only the user of the business partner A outside the organization. Therefore, as a control of the file to which the label C4003 is assigned, it is defined in the company that a user more than a contract employee in the research or sales department performs browsing and editing operations in a place beyond the office. Further, the mail address of the person in charge of the business partner A is registered as a share destination of NW transmission, and the Tokyo office of the business partner A is registered as a take-out destination.
  • the label unset 4004 is a label assigned to a file to which no label is assigned.
  • Files for which no label is set may include information that should be handled as extremely confidential as well as information to be disclosed. Therefore, they should be controlled by setting the sharing range to be the same as that of internal secrets, or by setting it to the narrowest range. For example, printing, NW transmission, and take-out operations are prohibited, and browsing, editing, and copying are permitted only on the user's own client (the “ID” portion). If it is necessary to share a file with someone other than the user, such as when creating a file with someone or sharing information, an appropriate label other than “unset” may be assigned.
  • An unlabeled policy may be changed according to the business in the organization. For example, in cooperation with the ID system, the file system user information and affiliation between users, or between users It may be possible to adopt a policy permitting browsing, editing, printing, and NW transmission between users in positions and higher.
  • the template to which the label is assigned is stored in the document management server 80, and the user downloads and uses it.
  • Information take-out control: For example, for a copy operation on a file that requires high confidentiality, such as label A, limiting the copy destination to the desktop PC makes it possible to prohibit writing to a portable medium, an act that may leak high-value information.
  • A file with the label B4002, which can be disclosed, can be copied to a portable medium or taken out, whereas taking out a file with the label C requires approval. Take-out can thus be controlled according to the type of information.
  • Control of printing: For example, a policy that restricts the printing place, as for the label A4001, and a policy that allows anyone to print, as for the label B4002, can be set. By restricting printing according to the value of information, it is possible to control so that highly confidential information can be viewed but not printed.
  • Network transmission control: For example, for highly confidential information of label A4001, network transmission is limited to in-house, which makes it possible to prevent unauthorized transmission outside the organization, transmission to a wrong destination, and transmission of a wrong file. Furthermore, for a file shared with an external business partner such as label C4003, the email address of the business partner or the contracted company and the URL of the Web upload destination are designated in advance as the sharing destination. By submitting an application, it is possible to perform an operation without waiting for the approval of the approver. In addition, it is possible to prevent unauthorized e-mail transmission to other parties and erroneous transmission, and to correctly send information to a legitimate destination.
  • Access control to confidential information from outside the company: For example, in the browsing operation of the label A4001, a place where browsing is possible is set as a condition. When the user leaves the office, the IC card is brought close to the sensor and the ID is read, so that the user's location is recorded as outside in the status management list 24. Consequently, even if the user tries to access a file with the label A4001, it cannot be accessed. As a result, even if an employee who is permitted to use a notebook PC outside the company operates the notebook PC outside the company, it is possible to prevent the browsing of highly confidential information, and leakage caused by a third party seeing the file can be prevented.
  • FIG. 5 shows an example of the policy list 13 setting screen.
  • The administrator 2 sets the policy either by directly accessing the policy setting program 11 via the operation unit 705 of the policy setting server 10, or by accessing the policy setting program 11 via the network 40 from another terminal.
  • the display unit 704 displays the policy setting screen 501 shown in FIG.
  • the policy setting screen 501 includes a registered label list 510 representing a list of registered policy labels, and a new addition button 511 for setting a new policy.
  • the registered label list table 510 is table data including zero or more entries.
  • The entries include the registered policy label name 5011, the file category 5012, the level 5013 indicating the degree of confidentiality, a setting display button 5014 for displaying the policy set in the label 5011, a correction button 5015 for displaying a screen for correcting a policy already set in the label 5011, a reuse button 5016 for displaying the policy setting screen with the already-set policy so that a policy set in the label 5011 can be reused to add a new policy, and the number of registered files 5017 to which the label 5011 is assigned.
  • a column 5014 button is pressed to refer to a set policy
  • a column 5015 button is pressed to modify a set policy
  • a new label is registered by copying the set policy.
  • a new addition button 511 is pressed.
  • the policy setting program 11 displays a policy setting screen 502.
  • the policy setting screen 502 specifies a label setting form 520 for assigning a category and level to a label name to be newly registered, an input form 5214 for inputting a share destination URL and mail address, and specifying the share destination URL and mail address from an ID management system or the like.
  • an operation authority setting screen 522 for setting authority to be executed for each operation, and a registration button 523 for registering the set data in the policy list 13.
  • When the button 5014 is pressed, the set policy is displayed on the operation authority setting screen 522.
  • When the button 5015 is pressed, the set policy is displayed on the operation authority setting screen 522, and the displayed authority can be changed. Further, when the button 5016 is pressed, the set policy is displayed on the operation authority setting screen 522, and the label 520 can be corrected so that it is newly added.
  • the label name 5211 is input, and the value to be set by the administrator 2 is selected from the pull-down menu from the category 5212 and the level 5213. If there is no category to be set, the administrator 2 may input an appropriate category name in the new input form 521.
  • the external sharing destination input form 5214 when a partner who shares a file outside the company is known in advance, information such as a URL or an e-mail address that can uniquely identify the partner is input.
  • the operation authority setting screen 522 can switch the authority setting screen with a different tab 5221 for each operation. Therefore, the administrator 2 presses the tab 5221 to switch the operation and sets the authority for all operations.
  • the operation authority setting screen 522 includes a table 5223 for setting operation authority and a reset button 5222 for invalidating all inputs only to the displayed table among the set data and returning to the initial display.
  • The operation authority setting table 5223 is a table for setting authority for all operations likely to cause information leakage described in FIG. 3. When nothing has been input, such as when the new addition button 511 is pressed, the background is displayed in white (5224).
  • When the administrator 2 sets the operation authority and presses an item that does not satisfy the condition in the operation authority setting table 5223, the background of the pressed item is inverted to, for example, black (5225).
  • the operation authority can be set by changing the color of the item pressed in the operation authority setting table 5223.
  • the policy setting program 11 closes the operation authority setting screen 522, and the data entered in the operation authority setting table 5223 is shown in the access subject 285 of FIG. Then, all the input data is registered in the policy list 13.
  • When the data registration to the policy list 13 is completed, a new last line is added to the registered label list table 510 and the set label information is displayed.
  • the policy list 73 of the client 70 is updated. Distribution of the policy list 13 to the client 70 will be described with reference to FIG.
  • Figure 6 shows the policy distribution process flow.
  • The monitoring / control program 72 of the client 70 accesses the policy distribution program 12 of the policy setting server 10, transmits the user ID of the client 70, and applies for acquisition of the policy table (step 602).
  • After receiving the policy table acquisition application, the policy distribution program 12 refers to the user list 91 of the ID management system 90 (step 603) and determines whether the received user ID is registered in the user list 91 (step 604). If the user ID is registered, the policy list 13 is distributed to the client 70 (step 607). If not registered, an error is returned to the monitoring / control program 72 of the client 70 (step 605). The error and user ID are displayed on the display unit 704 (step 606).
  • Upon receiving the policy list 91 from the policy distribution program 12, the monitoring / control program 72 of the client 70 updates the policy list 73 of the client 70 (step 608).
  • the policy list 73 is updated to the latest state every time the client 70 is activated.
  • a policy list storing at least a policy for a file with the label “none” is installed at the same time. Thereby, even if the label is not assigned to the file immediately after the monitoring / control program 72 is installed, the control based on the label can be executed. If the client 70 is not connected to the network, cannot communicate with the policy setting server 10, or if the card reader 795 cannot confirm that the IC card and the client are in the organization, the policy of the label “none” is applied to all files.
  • FIG. 7 shows the flow of label allocation processing.
  • the process of assigning a label to a file is performed when the file user 1 wants to set the file sharing range to other than the user. Even when the file creator is not the user 1, when the file is stored in the client 70, the label “none” policy is applied until the user 1 assigns a label.
  • When the user 1 of the client 70 newly assigns a label to a file that is newly created, or that is obtained from outside the client via NW transmission or the Internet 40 and stored, the user accesses the label assignment program 81 of the document management server 80 and logs in.
  • the client monitoring / control program 72 transmits the user ID of the client.
  • the monitoring / control program 72 accesses the document management server and transmits a user ID (7001).
  • The label allocation program 81 of the document management server 80 performs server authentication (7002), refers to the policy list 13 of the policy setting server 10 (7003), specifies the labels for which the user ID satisfies the conditions of the access subject (7004), and displays a label allocation screen on the screen of the client (7005).
  • User 1 assigns the label of the file on the displayed label assignment screen (7006), further specifies the file to which the label is assigned (7007), and transmits it to the label assignment program 81 (7008). Details of the label allocation screen will be described with reference to FIG.
  • the monitoring / control program 72 updates the label management table 74 and sets the status of the file applied for awaiting approval (7009).
  • The label allocation program 81 collates the user ID and label information received from the client 70 with the policy list 13 to determine whether approval is required (7010), and if the label requires approval, transmits the application contents to the approver. A label that does not require approval may or may not be set. At this time, the label allocation program 81 refers to the label management list 84 and, from the list of label-assigned files registered in the label management list 84, extracts and transmits at least one file to which the same label as the label selected by the user is assigned, or to which the same category is assigned (7011).
  • the extraction condition may be a label of a file owned by a user in the same department as the user.
  • the approver 3 confirms whether the file and label applied are appropriate, and requests change of the label if necessary (7012). Details of the editing screen at this time will be described with reference to FIG.
  • When the file to which the label is allocated is a completed document (7013), the label allocation program 81 stores the file in the document management server 10 (7014) and updates the label management list 84 (7015). If the document is not a completed document, the label management list 84 is updated without storing the file (7015).
  • the label allocation program 81 confirms whether or not the sharing destination is specified in the application content (7016), and if the sharing destination needs to be specified, refer to the policy list 13 to add the sharing destination. Share destination information is transmitted to the setting program 11 (7017). In addition, no operation is performed when it is not necessary to specify the sharing destination information.
  • The label allocation program 81 completes registration and sends a registration completion notification to the monitoring / control program 72 (7018).
  • The monitoring / control program 72 of the client 70 updates the label management table 74 and sets the status of the applied file to approved (7019).
  • a label is assigned to the file, and the policy set for the label is applied to the file thereafter.
  • The label assignment to the file is not limited to the method of managing the label using the table described in this embodiment. A method of embedding the label in the header area or content of the file, or a method of encapsulating the label and the file body using DRM technology, may also be used.
  • FIG. 8 shows an example of a label assignment application screen.
  • the user 1 of the client 70 that stores the file first assigns a label, and the approver 3 checks whether the assigned label is appropriate.
  • a label is assigned to the file, and control based on the label is performed.
  • the label assignment application screen 801 includes a button 8011 for selecting whether to assign a new label or change a label once assigned, a user ID 8012 of a user who requests label assignment, a file path 8013 for assigning a label, A button 8014 for referring to and selecting a file to which a label is to be assigned, whether or not to register the file in the document management server, and when registering, a registration destination folder 8015 for designating a registration destination folder and a registration destination folder 8015 as a document
  • the label displayed as an option of the history use tab 8017 is a label that satisfies the condition for the user 1 to perform the operation.
  • the user 1 can select a label to be assigned by selecting a corresponding label as shown in 8010.
  • a label assignment application screen 802 is displayed.
  • the basic configuration is the same as the label assignment application screen 801, and a pull-down selection table 8021 for selecting a part of the label selection table 8019 by pull-down is displayed.
  • The pull-down selection table 8021 displays a pull-down for selecting the category 8022 and a pull-down for selecting the level 8023. The user 1 therefore selects the corresponding category and level and, when the selection is completed, presses the decision button 8014 to apply for the assigned label.
  • Fig. 9 shows an example of the label assignment approval screen, and the label approval method of the approver 3 is described.
  • the label approval screen 901 includes a user ID 9011 of the applicant, a file path 9012 to which the user 1 has assigned a label, a registration destination folder 9013 in the case of registration in the document management server 80, and a label 9014 to which the user 1 has been assigned. And a display button 9015 for displaying a file, a label candidate list 9016 to be selected when changing the label, a label list 9018 of similar files, and an approval button 9019.
  • the approver 3 looks at the label approval screen 901 and determines whether the file and the label are suitable. If the contents of the file are to be confirmed, when the display button 9015 is pressed, the file uploaded to the document management server 10 is opened, so that the approver 3 can approve the label by looking at the contents of the file. If the approver 3 determines that it is not necessary to change the label for the file applied, the approver 3 presses the approval button 9019, and if it is determined that the label needs to be changed, selects another label (9017). Then, an approval button 9019 is pressed. As a result, even if the user 1 assigns an inappropriate label to the file, the approver 3 makes a change to make an appropriate label assignment.
  • the approver 3 can use it as a guide for determining whether the label set by the user 1 is appropriate.
  • FIG. 10 shows an example of the data structure of the label management list 23 and the state management list 24.
  • the label management list 23 stores data relating to files to which labels are assigned.
  • the label management list 23 is data composed of at least 0 or more entries.
  • the file path 1011 can uniquely identify the storage location of the information, the medium identification ID 1012 for storing the file, the label 1013 assigned to the file, and the label at the end.
  • the data managed in the other status 1017 displays the status of the file such as “label approval in progress”, “takeout application is in progress”, and “takeout is in progress”.
  • the label management list 23 it is possible to quickly grasp which client has which label has information stored, and the approval status of information to which a label is assigned.
  • the client 70 includes a label management table 74 having the same format
  • the document management server 80 includes a label management list 84 having the same format.
  • the statuses of files stored in the client 70 or the document management server 80 are managed in the same format.
  • the state management list 24 manages the location of the user registered in the user list 91 of the ID management system 90 based on the log that the user has passed through the sensor 50.
  • the state management list 24 is data composed of at least 0 or more entries, and includes a user ID 1031 and a location 1032 indicating the current location of the user.
  • If the login condition of the client 70 is set so that the state management list 24 must indicate that the user is in the building, then even when someone operates the client 70 by impersonation or sharing in order to access a file, control can be performed so that even login is impossible if the state management list 24 has no record of entry.
  • FIG. 11 shows a flow of processing for specifying the location of the user.
  • The sensor log acquired by the sensor log acquisition program 51 of the sensor 50 is transmitted to the log analysis program 31 of the log management server 30 (1102).
  • the log analysis program 31 refers to the user list 91 (1104) and specifies the user ID of the user who has entered or exited the room (1105). Further, the log analysis program 31 transmits the specified user ID and sensor identification information to the state management program 21 of the state management server 20 (1106).
  • the state management program 21 refers to the state management list 24 (1108) and updates the location information of the received user ID (1109).
  • When the monitoring / control program 72 is activated (step 1201), the operation of the user in the client 70 is monitored (step 1202). When the user performs an operation on the file (step 1203), the state of the generated operation is identified (step 1204). At this time, the monitoring / control program 72 also identifies the operation that has occurred, the external sharing destination information such as the destination mail address or URL, the user ID of the client, the file path, and so on.
  • The label management table 74 stored in the client 70 is referred to (step 1205), and the label assigned to the file is specified using the file path of the operation target file as a key (step 1206).
  • If the label is set to something other than “none” (step 1207), the state management server 20 is accessed and the state management list 24 is referred to (step 1209), and the user's location is specified using the user ID as a key (step 1210).
  • If the label is “none”, the policy for label non-setting is referred to (step 1208). Note that if the state management list 24 cannot be accessed in step 1209, the label is also treated as not set. This is because, if the state management server 20 cannot be accessed, the client is considered to be offline, and the location of the user cannot be specified while it is offline. Further, when the client is offline, the policy list 13 stored in the policy setting server 10 and the policy table 73 stored in the client 70 may be different, and this treatment is also intended to guard against that case.
  • When the policy with the label “none” is referenced in step 1208, it is determined whether the state identified in step 1204 matches the policy with the label “none” (step 1214). If it does not match, the operation is prevented (step 1216). If the operation is prevented in step 1216, an alert is displayed to the user (step 1217), and a screen for letting the user choose whether to perform label allocation is displayed. When input indicating that the user will perform label allocation is received (step 1218), a label allocation screen is displayed (step 1219). When label allocation is not performed, or after the label allocation screen is displayed (step 1219), a log is acquired (step 1220).
  • After step 1210, it is determined whether the operation is an output operation to a storage destination other than the client, such as NW transmission, file copy to a storage medium other than the client, or printing. If the operation is an output operation (1211), the asset information of the file storage destination is acquired by referring to the asset list 101 (step 1212), and the policy set in the label of the policy list 73 is referenced (step 1213). If it is determined in step 1211 that the operation is not an output operation, step 1213 is executed.
  • When the policy is referred to in step 1213, it is determined whether or not the state identified in step 1204 matches the policy condition (step 1221); if it matches, the operation is performed (step 1222). Further, if the file path is changed by executing an operation such as copying, renaming, or deleting (step 1223), the label management table 74 is updated (step 1224) and a log is acquired (step 1220). If the file path is not changed, step 1220 is executed.
  • In the case of an operation that does not satisfy the policy conditions in step 1221, the operation is prevented (step 1225), an alert is displayed to the user (step 1226), and a log is acquired (step 1220).
  • In step 1220, at least the operation occurrence time, the user ID, whether or not the operation is executed, and the file label are recorded as a log.
  • After step 1220, unless a program end command is issued (step 1227), the process returns to step 1202 for monitoring. If a program end command is issued, the program is terminated (step 1228).
  • the file operation can be controlled also by the environment of the user who uses the file.
  • The above describes the monitoring / control program 72 in the client 70. In the monitoring / control program 82 of the document management server 80, however, the label management list 84 and the policy list 13 of the policy setting server 10 are referred to, and in the notebook PC 78, the label management table 7813 and the policy list 7814 copied from the client 70 are referred to.
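The FIG. 12 decision flow described above (steps 1204 to 1224), as an added Python sketch that is not code from the patent. The policy encoding, the attribute names `own_client` and `dest_medium`, the sample policies (modelled on the descriptions of labels A, B and “none”) and the asset list are constructed assumptions.

```python
import operator
from datetime import datetime, timezone

CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt}
OUTPUT_OPS = {"copy", "print", "nw_send", "take_out"}

# Constructed policy list (assumption). Each operation maps to AND-ed
# (attribute, comparator, value) conditions; [] means "*" (no conditions)
# and an operation that is not listed is prohibited.
_A = [("C1", "==", 3), ("C2", ">", 3),
      ("location", "==", "office"), ("device", "==", "desktop")]
_OWN = [("own_client", "==", True)]
POLICY_LIST = {
    "A": {"browse": _A, "edit": _A, "print": _A, "nw_send": _A,
          "copy": _A + [("dest_medium", "==", "desktop")]},
    "B": {"browse": [], "nw_send": [],
          "take_out": [("C1", "==", 3), ("dest_medium", "!=", "rfid_paper")]},
    "none": {"browse": _OWN, "edit": _OWN, "copy": _OWN},
}
ASSET_LIST = {"PC-001": "desktop", "USB-007": "usb_memory"}  # constructed


def satisfies(conditions, ctx):
    """True only if every condition holds; unknown attributes deny."""
    if conditions is None:          # operation not listed for this label
        return False
    return all(ctx.get(attr) is not None and CMP[cmp](ctx[attr], value)
               for attr, cmp, value in conditions)


def control_operation(op, path, user, client, label_table, locate, log,
                      dest_asset=None, new_path=None):
    """Allow or prevent one file operation, following steps 1204-1224."""
    label = label_table.get(path, "none")                  # steps 1205-1206
    ctx = dict(user, device=client["device"],
               own_client=(user["user_id"] == client["owner"]))
    if label != "none":                                    # step 1207
        try:
            ctx["location"] = locate(user["user_id"])      # steps 1209-1210
        except ConnectionError:
            label = "none"      # state server unreachable: treat as unset
    if op in OUTPUT_OPS and dest_asset is not None:        # steps 1211-1212
        ctx["dest_medium"] = ASSET_LIST.get(dest_asset)
    allowed = satisfies(POLICY_LIST[label].get(op), ctx)   # steps 1213, 1221
    if allowed and op == "copy" and new_path and path in label_table:
        label_table[new_path] = label_table[path]          # steps 1223-1224
    log.append({"time": datetime.now(timezone.utc).isoformat(),
                "user_id": user["user_id"], "operation": op,
                "executed": allowed, "label": label})      # step 1220
    return allowed


if __name__ == "__main__":
    # Constructed sample: a section manager on their own office desktop PC.
    manager = {"user_id": "u1", "C1": 3, "C2": 4, "C3": 3}
    desk = {"device": "desktop", "owner": "u1"}
    labels = {"/hr/review.xls": "A"}
    audit = []
    for op, dest in [("browse", None), ("copy", "USB-007"),
                     ("take_out", "USB-007")]:
        ok = control_operation(op, "/hr/review.xls", manager, desk, labels,
                               lambda uid: "office", audit, dest_asset=dest)
        print(op, dest, "->", "executed" if ok else "prevented")
```

The offline fallback is only as strict as the “none” policy: in this sketch a label A file stays browsable on the user's own client while the state management server is unreachable, which is why the text asks for the “none” policy to use the narrowest sharing range.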
  • Fig. 13 shows the flow of processing related to file export operations.
  • an application screen is displayed (1302).
  • The state management program 21 identifies the file label by comparing the path of the file to be taken out with the label management list 23, and identifies whether the file can be taken out by referring to the policy of the identified label (1305). If the conditions are not satisfied, this is displayed (1306). If the conditions for the take-out operation are satisfied, the application information is transmitted to the approver 3 (1307).
  • the approver 3 confirms the take-out application information on the displayed approval screen, determines whether or not to take out the application information (1308), and transmits it to the state management program 21 (1309).
  • The state management program 21 accepts the approval result (1310). If take-out is not permitted, it notifies the user that the application was not permitted (1311); if permitted, it updates the status in the label management list 23 to take-out approved (1312). Then, an encryption key including at least the location information of the usage destination and the identification ID of the storage medium as a decryption condition is generated (1313), and the file is encrypted (1314).
  • When the state management program 21 sends a take-out permission notice to the user (1315), the user 1 accesses the state management server 20 (1316), downloads the encrypted file (1317), and stores the file in the notebook PC 78 to be taken out (1318). At this time, the monitoring / control program 71 of the client 70 detects the download of the file and reflects the approval result in the label management table 74 (1323).
  • The IC card 76, or the mobile phone 79 storing the user's ID information, is brought close to the sensor 50 to perform short-range wireless communication and have the ID read (1319). Then, user information is acquired by the log acquisition program 51 of the sensor 50 (1320), and the acquired information is transmitted to the state management program 21 (1321). Based on the received user information, the state management program 21 updates the status in the label management list 23 to being taken out (1322).
  • file encryption is forcibly performed even when the level of information stored in a portable medium having no CPU such as a USB memory is high.
  • the encryption method is disclosed in, for example, “Internal Control for Information Leakage Risk Recommendations and Information Asset Management (Author: Kai et al., Hitachi Review, September 2007, pp. 51, 3.3)”.
  • The file to be taken out is encrypted in a self-decryption type, and the identification information (MAC address, etc.) of the prescribed PC is stored in the encrypted file, so that browsing / editing on a home PC or a suspicious PC can be prevented.
  • FIG. 14 shows the flow of processing related to file operations outside the organization.
  • the user 1 accesses the authentication program 22 of the state management server 20 using the authentication program 791 stored in the mobile phone 79, and transmits login information 792 (1401).
  • The authentication program 22 of the state management server 20 determines whether or not the login information 792 is authentic (1402). If the authentication is successful, the authentication program 22 requests the authentication program 791 to transmit the location information of the mobile phone 79 (1403). If it fails, an error message is transmitted (1408).
  • The state management program 21 refers to the state management list 24 (1405) and checks whether the user's location is an approved location (1406). If the location is not approved, the state management program 21 sends an error message (1407). If the location is approved, the state management program 21 refers to the decryption key list 25, identifies the decryption key of the file that can be used at the current location, and transmits it (1408).
  • the authentication program 22 receives the decryption key (1409) and activates the communication program 793 (1410).
  • the communication program 793 transmits login information to the authentication program 782 of the notebook PC 78 (1411).
  • the communication program 793 requests the decryption key from the communication program 793 (1413).
  • the decryption key is transmitted using (1414).
  • the communication program 783 of the notebook PC 78 stores the decryption key in the notebook PC 78 (1415).
  • When the user 1 accesses the file (1416), only the approved file is decrypted with the decryption key (1417), and an operation such as browsing can be executed.
  • the communication program 783 of the notebook PC 78 communicates with the authentication program 791 of the mobile phone 79 at regular intervals, and when the communication becomes impossible, the monitoring / control program 791 of the notebook PC 78 prevents the operation. As a result, the operation can be prevented from continuing when the notebook PC 78 is moved from an approved location with the notebook PC 78 open.
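
The location-gated key release of FIG. 14 (steps 1402 to 1408) and the heartbeat check between the notebook PC 78 and the mobile phone 79 can be sketched as follows. This is an added example, not code from the patent: the record layout, the radius-based location match, the password hashing, the timeout value and the choice to discard keys on a missed heartbeat are all assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    """Assumed join of the state management list 24 and decryption key list 25."""
    user_id: str
    file_id: str
    lat: float        # approved usage destination
    lon: float
    radius_m: float   # assumed tolerance around the approved location
    key: bytes


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample data (not from the patent).
SALT = b"constructed-salt"
USERS = {"user1": pw_hash("correct horse", SALT)}
APPROVALS = [
    Approval("user1", "file-A", 35.6812, 139.7671, 200.0, b"A" * 32),
    Approval("user1", "file-B", 34.7025, 135.4959, 200.0, b"B" * 32),
]


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine formula)."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def authenticate(user_id, password):
    """Step 1402: check the login information with a constant-time compare."""
    stored = USERS.get(user_id)
    candidate = pw_hash(password, SALT)
    return stored is not None and hmac.compare_digest(stored, candidate)


def release_keys(user_id, password, lat, lon):
    """Steps 1402-1408: return (status, {file_id: key}) for the reported location."""
    if not authenticate(user_id, password):
        return "auth_error", {}
    keys = {
        a.file_id: a.key
        for a in APPROVALS
        if a.user_id == user_id
        and distance_m(lat, lon, a.lat, a.lon) <= a.radius_m
    }
    if not keys:
        return "location_not_approved", {}
    return "ok", keys


class NotebookKeyStore:
    """Notebook PC side: keys are usable only while the phone keeps answering."""

    def __init__(self, keys, now, timeout_s=30.0):
        self._keys = dict(keys)
        self._last_seen = now
        self._timeout_s = timeout_s

    def heartbeat(self, now):
        """Record a successful periodic exchange with the mobile phone."""
        self._last_seen = now

    def key_for(self, file_id, now):
        """Return the key, or None (and discard all keys) if the phone went silent."""
        if now - self._last_seen > self._timeout_s:
            self._keys.clear()
            return None
        return self._keys.get(file_id)
```

The location is whatever the phone reports, so the gate is only as strong as the integrity of that report and of the authenticated channel it arrives on.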
  • FIG. 15 shows the flow of processing in the organization after taking out the file.
  • The user 1 takes the notebook PC 78 from outside the organization back into the organization (1501) and causes the sensor 50 to read the ID, for example, from the IC card 76 (1502).
  • The log acquisition program 51 of the sensor 50 acquires the user information stored in the IC card 76 (1503) and transmits the data to the state management program 21 of the state management server 20 (1504).
  • The state management program 21 refers to the label management list 23 (1505) and specifies whether there is a file whose take-out time limit has expired among the files being taken out (1506). When there is a file whose take-out time limit has expired, a file deletion message is displayed on the client 70 of the user 1 (1507).
  • the monitoring / control program 72 of the client 70 transmits the identification ID of the storage medium storing the deleted file to the state management program 21 (1509), and the state management program 21 deletes the “Now taking” data set in the state column of the label management list 23 (1510).
  • Fig. 16 shows an example of an application and approval screen for take-out operations.
  • the take-out application screen 160 is a screen for the user 1 to take out a file outside the organization, and is displayed in step 1303 in FIG.
  • The screen includes at least the applicant information 1601, the file name 1602 to be taken out, a button 1603 for referring to and selecting the file to be taken out from the client 70, the identification ID 1604 of the medium for storing the file, a button 1605 for referring to and selecting the medium for storage, a usage destination 1606, a button 1607 for selecting location information of the usage destination, a take-out time limit 1608, a take-out purpose 1609, an application button 161, and an application cancellation button 162.
  • the approver 3 approves the take-out operation and the file selected by the button 1603 for selecting the file name to be taken out is transmitted.
  • the take-out approval screen 163 is a screen on which the approver 3 who approves the application of the user 1 performs the approval, and is displayed in step 1308 in FIG.
  • the take-out approval screen 163 includes at least applicant information 1601, a take-out file name 1602, a medium ID ID 1604 for storing the file, a take-out time limit 1608, and take-out as information input by the user 1 on the take-out application screen 160.
  • a button 1611 for displaying a file to be taken out, label information 1612 of the file to be taken out, position information setting status 1613 of use destination information, a button 164 for permitting approval, and a button 165 for returning approval are displayed.
  • the label information 1612 of the file to be taken out is identified and displayed by referring to the label management list 84 after the take-out approval program 83 receives the file name 1602 input by the user 1.
  • Example 2 shows a method of embedding file label information in a file.
  • FIG. 17 shows the flow of label allocation processing in the second embodiment.
  • The rough flow of the label allocation process in the second embodiment is the same as the label allocation process in the first embodiment shown in FIG. 7, but in the second embodiment, an extension area of the file is used, and at least the label name and the label setting or approver information are included in the extension area. Specifically, before identifying the completed document in step 7014, label embedding processing is performed (1701).
  • FIG. 18 shows an operation flowchart of the monitoring / control program in the second embodiment.
  • The general flow of the operation flowchart of the monitoring / control program in the second embodiment is the same as the operation flowchart of the monitoring / control program shown in FIG. 12, but in the second embodiment, label reading processing is performed instead of the processing that specifies the label information by referring to the label management table 74. Also, since the label is embedded in the extension area of the file, the file path changing operation is not executed. For this reason, after the state is identified in step 1204, label reading processing is performed (1801), and the label setting status is confirmed (1207). In addition, after performing an operation on the file for which the label is set in step 1222, a log acquisition process is performed (1220).
  • FIG. 19 shows a system configuration diagram of the third embodiment.
  • a mail server 192 including a mail log 1921 obtained from a log of transmitted / received mail and an approval management server 193 are newly provided.
  • the client 70 includes an application management program 1911, and the notebook PC 78 includes an application management program 7801.
  • the application management program 1911 and the application management program 7801 perform the same operation.
  • a file having an approved attribute is identified from the storage means, and the existing file
  • the approved file can be highlighted on the display interface in the search program or the like by the existing function or the like of the file search program (for example, the display of the corresponding file is highlighted or bolded).
  • the approval flow in this embodiment will be described in detail later with reference to FIGS. 27 and 28.
  • the application management program 1911 has “take-out application” in the context menu.
  • the application management program 1911 communicates with and connects to the approval management program 1931 (approval management means) of the approval management server 193, and displays an authentication screen for launching a take-out application screen.
  • the file take-out approval process is performed by the state management server.
  • As an information processing apparatus having an approval management function, an approval management server 193 is installed. A new role may be provided to share the role in the label allocation process.
  • the approval management server 193 generates screens to be displayed on the client 70 and the notebook PC 78 of the user 1 who applies for file take-out and the approver 3 who makes an approval decision for take-out, and manages the status and file of the application case.
  • It comprises an approval management program 1931 (approval management means), a file identification program 1932 (file identification means) for identifying the application file, a supplier list 1941 in which information on suppliers outside the organization is registered, a DB management program 1934 (DB management means) that manages the verification DB 1943 (object registration database) used for file identification, a file conversion program 1935 that converts a file approved for export into a file format for export, an approval management DB 1942 that stores the approval status, and a take-out rule DB 1944 in which the organization's rules for taking files outside the organization are registered.
  • The hardware configuration of the client 70 includes an external storage medium 702 (storage means) for storing the terminal log 75, the policy list 73, and the label management table 74; a CPU 701 for executing the application management program 1911 and the monitoring / control program 72; a memory 703; a display unit 704 (output unit) for displaying the input / output screen; an operation unit 705 (input unit) for controlling input / output; a portable medium connection unit 706 for reading and writing data stored in the portable medium 77 and the like; a RAM 707; a communication unit 708 for communicating with the network 40 by wire or wireless; and a bus 709 for interconnecting these devices and the like.
  • the notebook PC 78 and the approval management server 193 newly introduced in the third embodiment also have the same hardware configuration as the client 70.
  • each program is an execution subject for convenience.
  • Each program may be stored in advance in an external storage medium or memory of each device described above, or may be introduced when necessary from another device via the portable medium connection unit or the communication unit and a medium that can be used by each device.
  • the medium refers to, for example, a removable portable medium or a communication medium (that is, the network 40 or a carrier wave or a digital signal propagating through the network 40).
  • the approval management server 193 in this third embodiment is a file management system that assigns a label, which is a combination data of a category indicating the type of information and a confidential level, to a file, and restricts operations that lead to information leakage.
  • The approval management server 193 is provided with the file identification program 1932 (file identification means), which, at the time of accepting the label application or the file export application, identifies whether or not there is a use-prohibited object in the file for which the application has been accepted, based on the handling information in the database for comparison 1943 (object registration database).
  • The approval management server 193 may include a file identification program 1932 (file identification means) that, at the time of accepting the label application or the file take-out application, identifies the structure of the corresponding file or the arrangement of objects in that file; specifies another file that matches or resembles the application file with respect to the identified matters, based on the attribute information of the collation DB 1943 (object registration database); acquires the difference between the file and the other file; detects the presence or absence, in the obtained difference, of use-restricted objects registered in the collation DB 1943 (object registration database); specifies the approval result of the other file in the approval management DB 1942; and outputs the presence / absence information of the use-restricted object and the approval result information of the other file, as confirmation items for the approver who makes the approval decision, to another terminal such as the client 70 or the notebook PC 78 or to the display unit (output means).
  • the file identification program 1932 searches the approval management DB 1942 for a past application file whose file export destination is the same as the file for which the application has been accepted, or a past application file that has been determined to be rejected or permitted to be taken out.
  • the other file may be specified from past application files obtained by the search.
  • the file identification program 1932 extracts the reason for rejection from the approval management DB 1942 when the approval result of the specified other file is rejection, and includes the client 70 or You may output to notebook PC78 thru
  • the approval management server 193 stores a take-out rule DB 1944 for storing a take-out permission / deny rule in a combination of a file format and a take-out method at the time of file take-out in the storage unit.
  • The file identification program 1932 checks the information on the file take-out method specified in the application file against the take-out rule DB 1944 and determines whether the file take-out method specified by the corresponding application file is a permitted method. The determination result is included in the information of the confirmation required items and output to the client 70, the notebook PC 78, or the display unit.
  • The approval management server 193 includes an approval management program 1931 (approval management means) that, based on the data of the confirmation required items including information on the presence / absence of objects with usage restrictions and information on the approval results of the other files, ranks the pages in the application file in order of the number of objects with usage restrictions, creates screen data in which the preview screen data generated for each page is arranged according to the ranking, and outputs it to other terminals or display units such as the client 70 and the notebook PC 78.
  • the approval management program 1931 performs highlight setting on the usage-restricted object included in the corresponding page on the preview screen, and outputs it to the client 70, the notebook PC 78, and the display unit.
  • The approval management server 193 is provided with a DB management program (DB management means) that obtains an approval result for the label application or file take-out application from another terminal (such as the client 70 or the notebook PC 78) or the operation unit (input means), and updates the handling information related to the object in the verification database 1943 (object registration database). It is preferable that the DB management unit updates the object registration database when receiving the approval result.
  • The file identification program 1932 may specify the page configuration, the text position and the object position on the corresponding page for the file that has received the application; specify another file that is similar with respect to the items specified here, based on the attribute information of the collation DB 1943 (object registration database); acquire the difference between the file and the other file; detect the presence or absence, in the acquired difference, of objects registered in the collation DB 1943 (object registration database); and output the result to a display unit (output means) or another terminal (client 70, notebook PC 78, etc.).
  • FIG. 20 shows the data structure of the supplier list 1941.
  • The business partner list 1941 is a list in which information on business partners that are outside the organization in which the file management system 1000 is introduced, and with which the organization does business, is registered. It is created by the DB management program 1934 from the mail log 1921 stored in the mail server 192 or the like.
  • This supplier list 1941 consists of a registration number 2001, an email address 2002, a supplier name 2003, a final reception date and time 2004 which is the date and time when the email was last received, an approval count 2005 indicating the number of times that the take-out application has been approved, and the user ID that is recognized.
  • With this supplier list, it is possible to determine whether the export destination for which the file export has been applied is a partner with whom the organization has already been involved or one with whom a relationship has newly started.
  • the supplier list 1941 is created by the following procedure.
  • The approval management program 1931 periodically accesses the mail log 1921 stored in the mail server 192. Then, the approval management program 1931 analyzes the reception log of the user in the organization and specifies, from the sender information, the mail address of the other party outside the organization.
  • The approval management program 1931 identifies the mail address of the user in the organization from the recipient mail address corresponding to the mail from the identified partner outside the organization, and specifies the user ID by collating it with, for example, the mail addresses registered in the user list 91 of the ID management system 90.
  • The approval management program 1931 updates the last reception date and time in the corresponding record of the business partner list 1941 (if the specified user ID is not yet registered in relation to the business partner, the user ID 2006 field is also updated). On the other hand, when the business partner is not registered in the business partner list 1941, the approval management program 1931 adds a new record and registers the acquired information (company name, e-mail address, etc. of the business partner).
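
The list-building procedure above, together with the later use of the list to show a registered name or “unregistered” for a take-out destination, can be sketched as follows. This is an added example, not code from the patent: the mail log layout, the internal domain, the user list contents and the use of the sender's display name as the supplier name are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"          # assumed domain of the organization
USER_LIST = {                             # constructed stand-in for user list 91
    "user-a@corp.example": "u001",
    "user-b@corp.example": "u002",
}
MAIL_LOG = [                              # constructed reception log: (time, From, To)
    ("2009-04-01T09:15:00", "AAA Sales <sales@a-company.example>", "user-a@corp.example"),
    ("2009-04-02T10:00:00", "user-b@corp.example", "user-a@corp.example"),
    ("2009-04-03T17:30:00", "AAA Sales <sales@a-company.example>", "user-b@corp.example"),
    ("2009-04-04T08:00:00", "B Corp <info@b-corp.example>", "user-a@corp.example"),
]


@dataclass
class Supplier:
    registration_number: int
    mail_address: str
    name: str
    last_received: datetime
    approval_count: int = 0
    user_ids: set = field(default_factory=set)


def update_supplier_list(suppliers, mail_log):
    """Fold reception-log entries into the supplier list, keyed by mail address."""
    for received, sender, recipient in mail_log:
        name, addr = parseaddr(sender)
        addr = addr.lower()
        # Only senders outside the organization become supplier records.
        if not addr or addr.endswith("@" + INTERNAL_DOMAIN):
            continue
        user_id = USER_LIST.get(parseaddr(recipient)[1].lower())
        when = datetime.fromisoformat(received)
        record = suppliers.get(addr)
        if record is None:
            # New partner: add a record with the acquired information.
            record = Supplier(len(suppliers) + 1, addr, name or addr, when)
            suppliers[addr] = record
        elif when > record.last_received:
            record.last_received = when
        if user_id is not None:
            record.user_ids.add(user_id)
    return suppliers


def describe_destination(suppliers, mail_address):
    """Name shown to the approver for a take-out destination address."""
    record = suppliers.get(mail_address.strip().lower())
    return record.name if record else "unregistered"
```

Because the lookup is an exact match on the address, a destination that differs from a known partner by one character is reported as unregistered rather than silently resolved to the partner's name.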
  • FIG. 21 shows the data structure of the approval management DB 1942.
  • the approval management DB 1942 includes metadata relating to an approval item created for each user ID and metadata relating to the contents of the file applied for.
  • the metadata related to the approval item includes a user ID 2100, an approval item table 2101 created for each approval item, and a mail reception table 2102 in which the recipients of the mails are stored in order of date and time.
  • the approval case table 2101 is updated by the approval management program 1931 when the approval operation is completed, and the mail reception table 2102 is updated by the DB management program 1934 when the supplier list 1941 described in FIG. 24 is updated.
  • The approval item table 2101 includes an application ID 2111 assigned when an application is made, a supplier registration number 2112, a export method 2113, a file format 2114, a reason for export 2115, an approver comment 2116, a status 2117 related to approval, an approval date 2118, and the file ID 2119 of the file applied for.
  • the mail reception table 2102 is a table in which the upper number of mails whose senders are outside the organization among the mails received by the user 2100 is registered, and includes a mail address 2121 and a reception date 2122. This number can also be customized by the administrator.
  • The metadata 2103 relating to the contents of the applied file stores the ID 2123 and the file 2124 of the applied file, data 2125 obtained by adding the object detected by the matching DB 1943 to the analysis data analyzed by the file identification program 1932, and data for file comparison 2126.
  • As the data for file comparison, a hash value or the like is stored so that the similarity between files can be compared.
  • FIG. 24 shows the data structure of the verification DB 1943 (object registration DB).
  • the collation DB 1943 includes a general-purpose DB 2104 and a partner-specific DB 2105.
  • the collation DB 1943 may further include a label database 2106 in which file objects are registered for each label. In each DB, a use prohibited object 2127 and a useable object 2128 are registered, and are registered together with the number of detected cases 2129 for the approved cases.
  • collation DB 1943 data indicating words such as the names of persons and organizations, data indicating templates, data relating to figures, logos, and the like become object attribute information.
  • information such as “takeout prohibited” and “takeout OK” associated with the attributes of these objects is the handling information.
  • FIG. 25 shows the data structure of the take-out rule DB 1944.
  • the take-out rule DB 1944 is a database in which rules for permitting or not permitting a combination of a file format and a take-out method at the time of file take-out are described. This is updated by the administrator or the approver in advance through the DB management program 1934, and can be set in small units such as the entire organization or department.
  • A rule 2129 is defined such that (1) file details need to be confirmed for export to a export destination not registered in the supplier list 1941, and (2) the reason is required if the file format is other than DRM.
  • FIG. 24 shows an example of an application screen 220 when the user 1 applies for taking out a file outside the organization.
  • the application management program 1931 of the approval management server 193 sends back the response to the client 70 or the notebook PC 78. It is something to be made.
  • When the application management program 1911 of the client 70 receives an instruction from the user 1 in the context menu and connects to the approval management server 193, the application management program 1911 transmits the file path of the selected file to the approval management server 193.
  • the approval management program 1931 causes the user 1 to perform user authentication, and when the authentication is established, the user ID is specified from the authentication information at the time of the user authentication and displayed on the application screen 220.
  • the application screen 220 accepts input of the following information by the user (via the client 70, the notebook PC 78, etc.).
  • the user 1 depresses the reference button 2220 and designates the file from the dialog. You may enter.
  • the user 1 can additionally register files by pressing an “add” button 2221.
  • When the user presses the “input from history” button 2223, the approval management server 193 outputs the export destination candidate list 221 to the client 70, the notebook PC 78, etc., and the destination may be selected from it. On the other hand, if it is not registered in the take-out destination candidate list 221, that is, if it is a new take-out destination, an input of an e-mail address may be accepted. For example, the approval management server 193 extracts data (e-mail address 2002, supplier name 2003, etc.) from the stored information of the supplier list 1941 and composes the export destination candidate list 221 from the e-mail address 222 and the supplier name 223.
  • It is more preferable that the take-out destination candidate list 221 lists the data extracted from the list 1941 under tabs for the business partners 2241 having a take-out history so far, the supplier order 2242 by frequency of application for take-out, the mail receiving order 2243, and the registered name order 2244, and that the approval management server 193 switches the display of the take-out destination candidates in response to pressing of the corresponding tab.
  • The approval management server 193 also displays, next to the input form 2214, the business partner name registered in the supplier list 1941 ("A company AAA" in the figure). As a result, it is possible to confirm whether or not a customer whose mail address is similar is entered by mistake.
  • the take-out method 2216 for example, DRM, encryption, plain text, etc. can be selected.
  • The default value (for example, “DRM”) of the export method 2216 can be designated in advance according to the organization (for example, the approval management server 193 receives the designation from the client 70, the notebook PC 78, etc., and sets the default value in the data of the application screen 220).
  • When the approval management server 193 receives a designation to change from the default export method to another method, it may, for example, perform a determination such that the process does not proceed even if the application button 2231 is pressed while the reason 2218 is not filled in, so that the user is made to enter the reason 2218.
  • the input data on the application screen 220 is transmitted from the client 70 or the notebook PC 78 to the approval management server 193. finish.
  • the approval management server 193 stores the input data on the application screen 220 in the approval management DB 1942.
  • FIG. 25 shows an approval screen when the approver 3 makes an approval decision.
  • the approval screen for making an approval decision includes an approval waiting list screen 230 showing a list of information that has been applied for and a detailed screen 233 for each case.
  • Instructions from the approver's client 70, notebook PC 78, etc. In response to pressing of the application button on the screen 220, the approval management server 193 generates and outputs it to the client 70, the notebook PC 78, and the like.
  • the approver 3 first performs approval determination of the target file on the approval waiting list screen 230, and for the file that needs detailed confirmation, sees the details screen 233 to determine approval. The details of the screen will be described below.
  • the approval wait list screen 230 is a screen that displays a check box 2410, an applicant name 2411, a take-out date 2412, a take-out destination 2413, a confirmation item 2414, a preview 2415, and an approval determination button 2416, and an approval management server 193.
  • The approval management server 193 checks the take-out destination input by the user against the supplier list 1941. If the export destination is registered in the supplier list 1941, the registered customer name is displayed. If not registered, “unregistered” is displayed.
  • data accepted by the approval management server 193 through the application screen 220 is set.
  • Since the approver cannot grasp the take-out destination only by the e-mail address, the approval management server 193 shows, as the information of the take-out destination 2413 on the approval waiting list screen 230, whether or not the destination information corresponding to the e-mail address is registered in the supplier list 1941 and, if so, the registered name. Thereby, the approver can easily determine an erroneous input of a business partner or an input of an unauthorized business partner.
  • The confirmation required item 2414 on the approval waiting list screen 230 indicates an item that may carry a high risk if the take-out of the applied information is approved (identified by the processing executed by the approval management server 193 in the flow of FIG. 28 described later). For example, in the case 2431 in the figure, personal information is detected, which indicates that there is a high possibility that personal information is being taken out.
  • the approval management server 193 displays a cover 2417 of the file applied for in the preview 2415 and a page 2418 on which information to be most confirmed in the file is described (the flow of FIG. 28 described later).
  • the reason why the cover of the file is displayed in preview is that information representing the summary information of the file such as the destination, creator name, and title is often described on the cover.
  • the approver can quickly grasp the contents of the information.
  • displaying the preview has an advantage that the approver can identify information without opening the file.
  • In the case of an approval screen with only a file attached, it is difficult for the approver to know the contents efficiently and accurately without opening the file and seeing all the pages. On the other hand, like the preview 2415, by displaying the cover and the page that should be checked most preferentially, the effort for opening the file by the approver can be reduced. Further, when the approver presses the detail button 2432 on the screen 230, the approval management server 193 extracts information from the storage unit regarding the application item corresponding to the press of the detail button 2432, generates data for the detail screen 233, and sends it back. According to this detail screen 233, for example, the approver can confirm the details of the file that could not be approved on the approval wait list screen 230.
  • the approval management server 193 determines the approval without displaying the detail screen 233. Can be accepted.
  • the “Approve all checked applications” 232 button may be a button to “Reject all checked applications”.
  • The approval management server 193 may perform control so that an application case in which the number of required confirmation items 2414 is larger than a predetermined number cannot be approved, even if the check box 2431 is checked, unless the output of the detailed screen 233 is executed.
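
The page ranking by number of use-restricted objects, the two take-out rules given for the rule 2129, and the restriction on approving from the list screen fit together as in the following sketch. This is an added example, not code from the patent: the object matching by plain substring, the data layout, the item wording and the threshold value are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Constructed stand-in for the collation DB 1943: object -> handling information.
COLLATION_DB = {
    "Project Falcon": "takeout prohibited",
    "Taro Yamada": "takeout prohibited",
    "ACME logo": "takeout OK",
}
# Constructed stand-in for the addresses registered in the supplier list 1941.
REGISTERED_DESTINATIONS = {"sales@a-company.example"}


@dataclass
class Application:
    destination: str
    file_format: str
    reason: str
    pages: list


def restricted_count(page_text):
    """Number of occurrences of use-prohibited objects on one page."""
    return sum(
        page_text.count(obj)
        for obj, handling in COLLATION_DB.items()
        if handling == "takeout prohibited"
    )


def rank_pages(pages):
    """Return [(page_number, count)], most restricted objects first."""
    scored = [(n, restricted_count(text)) for n, text in enumerate(pages, start=1)]
    return sorted(scored, key=lambda s: (-s[1], s[0]))


def confirmation_items(app):
    """Collect the items the approver must confirm for one application."""
    items = []
    # Rule (1): destination not registered in the supplier list.
    if app.destination.lower() not in REGISTERED_DESTINATIONS:
        items.append("destination not in supplier list: confirm file details")
    # Rule (2): a reason is required if the file format is other than DRM.
    if app.file_format != "DRM" and not app.reason.strip():
        items.append("reason required: file format is not DRM")
    total = sum(count for _, count in rank_pages(app.pages))
    if total:
        items.append(f"{total} use-prohibited object(s) in file")
    return items


def can_approve_from_list(app, detail_viewed, max_items=2):
    """Approval from the list screen is blocked above the threshold
    unless the detail screen has been output for this application."""
    return detail_viewed or len(confirmation_items(app)) <= max_items
```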
  • the details screen 233 is intended to allow the details of the application contents to be grasped when the approver cannot make an approval decision based on the information in the approval waiting list 230.
  • the detailed screen 233 is output from the approval management server 193 to the client 70, the notebook PC 78, and the like.
  • Screen data including each data in a comment description field 2465 such as a confirmation required item 2458, a file preview 2461, an inappropriate expression designation button 2463, a reason for rejection 2464, a reason for return / rejection.
  • the approval management server 193 in the flow of FIG. 28 described later. Specified and set by the process executed by If the most similar file is a rejected file, the rejection reason of the rejected case (eg, the approval management DB 1942 includes a column of the reason for rejection, and holds data of the rejection reason for the rejected case.
  • the approval management server 193 can extract the data of the reason for rejection from the approval management DB 1942 and display it up to the detailed screen 233, so that the approver can make a reference for the approval judgment.
  • the corresponding application item is most similar to a file rejected in the past, and the reason for rejection is “for personal information”.
  • the approver confirms the difference between the file export destination of the similar case and the file export destination of this application, and if there is no significant difference between the two, the approver can make a judgment such as rejecting the application as with the similar case, or approving it according to the difference in expression.
  • the approval management server 193 displays the preview screen displayed on the approval wait list screen 230 for each page in the corresponding file in the preview 2461. Further, an object having a high risk of information leakage included in the file such as personal information or a company name is displayed with a highlight 2462. Thereby, the approver can know where to check carefully on the preview screen 2461.
  • When the approver presses the “confirmation order” button 2459, the approval management server 193 sorts the preview screens in descending order of confirmation priority (e.g., in descending order of the number of objects having a high leakage risk).
  • When the approver presses the “page order” button 2460, the approval management server 193 displays the preview screen in page order.
  • the approval management server 193 reads out the file of the application item from the storage unit and outputs it to the client 70, the notebook PC 78, etc., for use in the approver's confirmation of the file contents.
  • the approver selects an approval / rejection / return determination and presses one of the buttons “Approve” 2471, “Reject” 2472, and “Return” 2473, whereupon the approval determination ends.
  • the approval management server 193 receives the reason input by the approver via the client 70 or the notebook PC 78 in the comment field 2465. Upon receiving such reason input, the approval management server 193 transmits the reason data to the user's client 70, the notebook PC 78, etc., so that the user can be notified of the reason why the approver made the judgment of “return” or “rejection”.
  • When the approver presses the inappropriate expression designation button 2463 (for example, the authorization management server 193 outputs a range designation cursor or the like to the client 70 or the notebook PC 78) and specifies the range of an object on the preview screen 2461, the approval management server 193 can accept the range specification and acquire information on the object that the approver feels is inappropriate. By transmitting the range designation information to the user's client 70 or notebook PC 78, the approval management server 193 can tell the user which part of the expression the approver has determined to have a high risk of leakage.
  • the rejection reason 2464 allows the approver to select, as the reason for rejection, whether there is an inappropriate expression or whether the content is inappropriate in terms of leakage risk. For example, if the requested content is confidential information that should be shared only within the organization, the approver checks “content inappropriate”. The approval management server 193 accepts the check contents for the rejection reason 2464 from the approver's client 70, the notebook PC 78, etc., determines that the risk of leakage is high regardless of the expressions used, and rejects the application and notifies the user (or may do so). Note that the comment entry or indication made by the approver is an “approval result” and is used for updating the collation DB 1943 (reflected in the next and subsequent applications).
  • the approval wait list screen 230 may be approved by an approver using a mobile phone. If it is necessary to check the file in detail, it is possible to request approval from a proxy registered in advance.
  • Example of processing flow
  • First, referring to FIG. 26, the flow of the file take-out application by the user will be described.
  • the approval management program 1931 of the approval management server 193 presents the interface related to the acceptance processing of the user's take-out application to the user's client 70, notebook PC 78, etc. (hereinafter referred to as client 70).
  • the approval management program 1931 of the approval management server 193 returns the data of the application screen 220 illustrated in FIG. 24 to the client 70 (2502).
  • the approval management program 1931 returns the data of the application screen with the user's ID displayed and the selected file path entered.
  • the client 70 transmits the input data on the application screen 220 to the approval management server 193 (2507).
  • the approval management program 1931 of the approval management server 193 receives the input data.
  • the input data is collated with the take-out rule DB 1944, and it is determined whether there is any deficiency in the application contents (for example, contents that are unconditionally prohibited from being taken out, such as “confidential”, are included from the beginning) (2508).
  • the approval management program 1931 transmits a confirmation screen of the user application contents to the client 70 (2509). If it is determined in step 2508 that the application is deficient, the approval management program 1931 highlights the deficient items on the confirmation screen transmitted in step 2509, for example. In this case, the client 70 receives and displays the data of the confirmation screen from the approval management server 193, and accepts correction regarding the corresponding part from the user (2510: Y, 2511). In this case, the flow returns to step 2506. On the other hand, if it is determined in step 2508 that there is no flaw in the application (2510: N), the client 70 accepts pressing of an application button from the user (2512).
  • the approval management program 1931 of the approval management server 193 receives the data transmitted from the client 70, stores it in the approval management DB 1942, and accepts an outside organization application regarding the file (2514).
  • the client 70 accepts the user pressing the application button on the application screen 220 (2701) and transmits the application contents and the file to be applied to the approval management server 193 (2702).
  • the approval management program 1931 of the approval management server 193 receives this.
  • the approval management program 1931 refers to the supplier list 1941 for the requested take-out destination, and acquires counterpart registration information (2703). Then, the presence or absence of the collation DB 1943 for the other party is specified (2704). In addition, in the case of a new application, there is no matching DB 1943 for each partner, so that the file is identified using only the general-purpose DB 2104.
  • the approval management program 1931 determines from the application contents (and the “status” in the approval management DB 1942) whether the case is a pending case (a case that was “deficient” in step 2510 of FIG. 26 and was resubmitted) (2705). If the relevant case is a pending case (2705: Y), the previously held file is sent to the file identification program 1932 (2706). The requested file is also transmitted to the file identification program 1932 (2707).
  • When the approval management program 1931 receives the identification result from the file identification program 1932, it refers to the take-out rule DB 1944 and extracts the confirmation items (2710).
  • In the take-out rule DB 1944, rules for permitting or not permitting a combination of a file format and a take-out method at the time of take-out are described. The DB is updated in advance by the administrator or the approver through the DB management program 1934, and rules can be set per unit, from the entire organization down to a department. For example, rules are defined such that (1) file details need to be confirmed for export destinations not registered in the supplier list 1941, and (2) a reason is required if the file format is other than DRM.
  • the approval management program 1931 that has extracted the necessary confirmation items notifies the approval request to the client 70 of the approver 3 (2711).
  • the approver's client 70 receives the approver's instruction, communicates with the approval management program 1931, and reads and displays the contents of the application item corresponding to the approval request (2712, 2713).
  • the approval waiting list screen 230 viewed by the approver on the client 70 is as described with reference to FIG.
  • the client 70 transmits the determination result to the approval management program 1931 (2714).
  • the approval management program 1931 receives the determination result, and determines whether the content is rejected or suspended. If the content is “rejected” or “hold” (2715: N), the approval management program 1931 sends a notification that the application is not permitted to the user's client 70 (2716). This notification may be notified to the user using e-mail or the like, or the approval status may be displayed when the user's client 70 accesses the approval management program 1931.
  • the approval management program 1931 transmits the corresponding file to the file conversion program 1935 and converts it into an approved file format (2717). Further, the approval management program 1931 transmits the approval result to the DB management program 1934 to update the handling information of the object in the matching DB 1943 to the latest determination result (2718).
  • the file conversion program 1935 converts the file format and embeds attribute information that can identify the approved file.
  • the application management program 1911 identifies the file and displays it in color, so that it can be understood at a glance which of the files stored in the client 70 is the approved file.
  • the approval management program 1931 updates the approval management DB 1942 (such as “status”) (2719) and notifies the user client 70 of the approval result (2720).
  • When the user client 70 accesses the approval management server 193 (2721) and downloads the file converted into the export format (2722), the user can take out the file.
  • Detailed processing of the control in the subsequent carry-out is as shown in the first embodiment.
  • the file identification program 1932 acquires the file to be applied from the approval management program 1931 (2811), and analyzes the structure of the application file (2812). In the structure analysis of the application file, header footer information, template information (eg, format template used for file creation), text information, and the like are acquired for each page and stored in a memory or the like. Further, in order to specify another file similar to the application target file, a hash value of the application target file is acquired. For the file whose structure could not be analyzed due to the file format or the like, in step 2812, the file identification program 1932 returns an error to the approval management program 1931 and ends the process.
  • When the application is a matter once suspended by the approver (2813: Y), the file identification program 1932 acquires the file of the suspended matter from the storage means (2814), and the difference between the suspended matter's file and the current application file is specified (2815).
  • the file identification program 1932 extracts from the approval management DB 1942 the history file that has been filed for the same export destination, the file rejected in the past, and the like. From the extracted files, the file most similar to the file to be applied is specified (2816). Similar judgment criteria include header / footer information and template information (for example, format template used for file creation), text information, etc., obtained in the structural analysis (step 2812).
  • the file identification program 1932 searches the approval management DB 1942 for a match (that is, a file application for the same export destination, a file rejected in the past, etc.).
  • the file identification program 1932 which specified such similar other files specifies the difference between the specified other file and the application target file (2817).
  • the file identification program 1932 selects one page of data from the analyzed application target file (2818), refers to the collation DB 1943, and checks whether a use-prohibited object (example: text such as “Top Secret”) is included in the difference part identified in step 2817. If a prohibited object is included, its position within the page (e.g., line XX of page XX) is identified, and the identified detection position is marked by highlighting or the like (2819).
  • the collation DB 1943 may be classified into a plurality of security terms, personal names, company names, individual partner DBs, etc., and stored so that the collation results can be identified for each DB.
  • When the file identification program 1932 has performed the process of step 2819 for all pages in the application target file (2820: Y), it compares the number of detected prohibited objects page by page and lists the pages that include prohibited objects in descending order of that number. In this way, the confirmation necessary order is determined (2821), and the result (the display mode used when the confirmation order button 2459 in the preview 2461 on the detail screen 233 of FIG. 25 is pressed) is transmitted to the approval management program 1931.
  • the file identification program 1932 narrows down features that have not been permitted to be exported so far by specifying the difference between another file that has already been approved (or rejected) and the file to be applied for, and further, by detecting the presence or absence of use-prohibited objects, it is possible to narrow down the points that the approver should check.
  • pages to be confirmed by the approver can be efficiently presented.
  • by specifying the detection position for each type of use-prohibited object it is possible to recognize at a glance which part of the page has a risk in which category.
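The narrowing described in steps 2816 to 2821, as an added Python example that is not code from the patent: the most similar past file is chosen, only lines absent from it are scanned against the collation DB, and pages are ranked by number of detections. All file names, terms and page texts are constructed, and similarity is judged on text alone (the patent also names header/footer and template information).

```python
from difflib import SequenceMatcher

# Constructed stand-in for the collation DB 1943: category -> use-prohibited objects.
COLLATION_DB = {
    "security_term": ["Top Secret", "Confidential"],
    "personal_name": ["Taro Yamada"],
    "company_name": ["Example Corp"],
}

# Constructed history for one export destination (files applied for or rejected before).
HISTORY = [
    {"name": "quote_2008.txt", "result": "approved",
     "pages": ["Quotation for Example Corp\nItem A 100 units",
               "Delivery terms\nPayment within 30 days"]},
    {"name": "roadmap.txt", "result": "rejected",
     "pages": ["Internal roadmap\nTop Secret\nLaunch plan"]},
]

# Constructed application file, one string per page.
APPLICATION = [
    "Quotation for Example Corp\nItem A 120 units",
    "Delivery terms\nPayment within 30 days\nContact: Taro Yamada\nConfidential pricing attached",
    "Appendix\nNo changes",
]


def most_similar(pages, history):
    """Step 2816: choose the past file closest to the application file (text only here)."""
    text = "\n".join(pages)
    return max(history,
               key=lambda h: SequenceMatcher(None, text, "\n".join(h["pages"])).ratio())


def difference(page, reference_pages):
    """Step 2817: numbered lines of this page that are absent from the similar file."""
    seen = {line for ref in reference_pages for line in ref.splitlines()}
    return [(no, line) for no, line in enumerate(page.splitlines(), 1) if line not in seen]


def detect(page, reference_pages):
    """Step 2819: locate use-prohibited objects, looking only inside the difference."""
    hits = []
    for line_no, line in difference(page, reference_pages):
        for category, terms in COLLATION_DB.items():
            for term in terms:
                if term.lower() in line.lower():
                    hits.append({"line": line_no, "category": category, "term": term})
    return hits


def confirmation_order(pages, history):
    """Steps 2818-2821: scan every page, then rank pages by number of detections."""
    reference = most_similar(pages, history)
    per_page = {no: detect(page, reference["pages"]) for no, page in enumerate(pages, 1)}
    order = sorted(per_page, key=lambda no: (-len(per_page[no]), no))
    return reference["name"], per_page, order


if __name__ == "__main__":
    name, per_page, order = confirmation_order(APPLICATION, HISTORY)
    print("most similar past file:", name)
    for no in order:
        print("page", no, per_page[no])
```

Page 1 contains "Example Corp", but on a line unchanged from the previously approved file, so it is not flagged; only the new lines on page 2 are.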
  • the DB management program 1934 is a program for updating the collation DB 1943 based on the approval result when the approval determination is completed.
  • the DB management program acquires the approval result and the analysis data analyzed by the file identification program 1932 (241).
  • the approval result includes the registration information of the export destination and the approval result of any one of approval / rejection / holding.
  • the analysis data includes objects detected as corresponding to prohibited objects in the matching DB 1943 and the number of detected cases in addition to the structure data and text information of the file to be applied.
  • the DB management program 1934 specifies whether there is a collation DB 1943 for the export destination from the export destination registration information (for example, the company name of the export destination and its mail address) acquired from the approval result (242).
  • If the collation DB 1943 for the export destination does not exist (242: N), the DB management program 1934 newly creates a collation DB 1943 (243).
  • the DB management program 1934 lists the detected objects in the order of the detected number in the analysis data acquired from the approval management program 1931 (244). Further, when the approval result is “approval” (245: Y), the DB management program 1934 registers the detected object as a usable object in the collation DB 1943 for the export destination (246).
  • the detected object is registered as an unusable object in the collation DB 1943 for the export destination (248).
  • the data to be registered at this time is as follows: when the reason for rejection is “inappropriate in content” and there is an object selected by the approver as “inappropriate” on the detailed screen 233 (FIG. 25), only the selected portion is registered. This is because there is no need to register an object in the matching DB 1943 for inappropriate parts such as punctuation marks and kanji mistakes.
  • the DB management program 1934 registers all detected objects in the collation DB 1943 in Steps 246, 248, etc.
  • the DB management program 1943 for each export destination currently registered in the approval management server 193 is stored. If there is an object registered in each DB 1943 for comparison at a rate equal to or higher than a preset threshold (250: Y), it is registered in the general-purpose DB 2104 (251).
  • objects that can be shared with the other party due to a contract, etc. are managed in the other party's collation DB 1943, and on the other hand, objects that should be managed in a unified manner (commonly handled across files, etc.) can be managed by the general-purpose DB 2104. Therefore, the objects to be detected can be set and refined according to the file export destination.
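The update flow of steps 241 to 251, as an added Python example that is not code from the patent: each approval result is written to the export destination's collation DB, and an object held with the same handling in a large enough share of destination DBs is copied to the general-purpose DB. The class, the destination and object names, the `min_destinations` guard, promoting only objects whose handling agrees, and treating a hold as a no-op are assumptions made for this example.

```python
from collections import Counter


class CollationStore:
    """Constructed stand-in for the collation DBs 1943 and the general-purpose DB 2104."""

    def __init__(self, promote_ratio=0.6, min_destinations=3):
        self.per_destination = {}   # destination -> {object: "usable" | "unusable"}
        self.general = {}           # object -> handling shared by all destinations
        # Keep the ratio above 0.5 so "usable" and "unusable" cannot both qualify.
        self.promote_ratio = promote_ratio
        # Assumption added here, not in the patent text: no promotion until enough
        # destination DBs exist, otherwise the first DB alone would reach 100 %.
        self.min_destinations = min_destinations

    def update(self, destination, result, detected, reason=None, selected=None):
        """Steps 241-251. `detected` maps each detected object to its detection count."""
        db = self.per_destination.setdefault(destination, {})         # 242/243
        ranked = sorted(detected, key=lambda o: (-detected[o], o))     # 244
        if result == "approved":                                       # 245: Y -> 246
            for obj in ranked:
                db[obj] = "usable"
        elif result == "rejected":                                     # 248
            # Only the approver's selection is registered when the reason is
            # "content inappropriate" and a selection exists; otherwise everything.
            if reason == "content" and selected:
                targets = [o for o in ranked if o in selected]
            else:
                targets = ranked
            for obj in targets:
                db[obj] = "unusable"
        # Assumption: a "hold" result changes nothing (the page does not say).
        self._promote()                                                # 250/251
        return ranked

    def _promote(self):
        total = len(self.per_destination)
        if total < self.min_destinations:
            return
        counts = Counter((obj, handling)
                         for db in self.per_destination.values()
                         for obj, handling in db.items())
        for (obj, handling), n in counts.items():
            if n / total >= self.promote_ratio:
                self.general[obj] = handling


def demo():
    """Three constructed approval results for three constructed export destinations."""
    store = CollationStore()
    store.update("Example Corp", "approved", {"Project Falcon": 4, "Item A": 1})
    store.update("Sample Ltd", "rejected",
                 {"Project Falcon": 2, "Taro Yamada": 2, "teh": 1},
                 reason="content", selected={"Taro Yamada"})
    store.update("Demo Inc", "rejected", {"Taro Yamada": 1})
    return store


if __name__ == "__main__":
    s = demo()
    print(s.per_destination)
    print(s.general)
```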

Abstract

According to the invention, any change in the whereabouts of a person or of a storage medium storing information is identified, and an operation that could lead to an information leak is prevented. A combination of an information category and a level is handled as a label, conditions under which operations with a high possibility of exceeding the information-sharing range are executed are defined as a policy list for each label, and the label is assigned to the file. When a user enters or leaves the premises while holding the user's IC card over the detector, presence information about the user is acquired. With this, when the user operates on a file, if the user's attribute information, the presence information, and the storage medium in which the file is stored do not conform to the policy list, the operation performed by the user is prevented. Thus, an operation that could lead to an information leak can be prevented. Each time a label is assigned and an approval operation for taking a file out of the organization is performed, the approval result is reflected in the database for identifying information, and consequently the accuracy of information identification can be improved without registration by the approver or the administrator.
PCT/JP2009/002508 2008-06-03 2009-06-03 File management system WO2009147855A1 (fr)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
JP2008-145265 2008-06-03
JP2008145265 2008-06-03
JP2009-093323 2009-04-07
JP2009-093324 2009-04-07
JP2009093324A JP5390911B2 (ja) 2008-06-03 2009-04-07 File management system
JP2009093323A JP5390910B2 (ja) 2008-06-03 2009-04-07 File management system

Publications (1)

Publication Number Publication Date
WO2009147855A1 true WO2009147855A1 (fr) 2009-12-10

Family

ID=41397935

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2009/002508 WO2009147855A1 (fr) 2008-06-03 2009-06-03 File management system

Country Status (1)

Country Link
WO (1) WO2009147855A1 (fr)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09758122; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09758122; Country of ref document: EP; Kind code of ref document: A1)