WO2015034176A1

WO2015034176A1 - Integrated document management system

Info

Publication number: WO2015034176A1
Application number: PCT/KR2014/006760
Authority: WO
Inventors: 최종욱; 조주원; 아이알 에이치 유셉 로스만스야엠에스씨 디알
Original assignee: 주식회사 마크애니
Priority date: 2013-09-04
Filing date: 2014-07-24
Publication date: 2015-03-12
Also published as: KR20150027567A

Abstract

Provided is an integrated document management system including a server device and a client device, the server device comprising an integrated control unit for controlling in an integrated manner a plurality of business work systems, which are installed by different providers, by connecting a document database, a human resources database, and a policy database, which are included in the server device, to the plurality of business work systems, wherein the plurality of business work systems share the human resources database and the like through the integrated control unit. Also, the client device comprises: a monitoring unit; a control unit; a document support unit; and a document security unit for extracting text data from an electronic document file, searching phrases related to internal information of a business from the extracted text data, calculating an exposure score of the electronics document file based on the number of searches and document level setting information, attributing a document level based on the exposure score, and inserting a watermark in the text of the electronic document file which is displayed on the client device.

Description

Document management system

The present invention relates to a document integrated management system, and more particularly, to a document integrated management system capable of integrated control of a plurality of enterprise business management system.

Recently, due to the revolution of information technology, the world is becoming digital, and the use of paper is gradually decreasing in the new paradigm of green growth based on environment-friendly. In addition, with the digitization and green growth trends, business systems can switch to smart work environments that eliminate time and space constraints, allowing them to access and process their work anytime, anywhere. This movement is spreading not only to developed countries, but also to governments and private companies, which are public institutions in developing countries.

Various corporate work systems are used to enable the introduction of smart work environments, to create and manage electronic documents in each organization, and to work more efficiently through collaboration. For example, the Electronic Document Management System (EDMS), which creates, archives and retrieves documents, and the Groupware (GW), which facilitates collaboration within the enterprise.

Another phenomenon in the current IT industry is the change in various devices. Existing computer systems are now being introduced into various micro devices via mobile devices such as smartphones and tablet PCs. Micro devices, such as Apple's iWatch and Google's Google Glasses, as well as miniature cameras and recorders are on the market. However, by exploiting them, the leakage of internal information from government and private companies is spreading, which is why the security is urgently needed.

The digitization of the world, the development of various devices, and the change of work systems provide us with convenience, but unfortunately it is fatal to security. In particular, the development of hacking techniques has resulted in the loss of internal information by government agencies and private companies, and enormous losses that determine the company's existence.

Due to the evolution of hacking techniques and the use of various micro devices, government agencies and private companies are building internal corporate security systems to enhance security as well as various corporate business systems for smart work. However, this structure is not a single system, but each system is additionally built into the existing system structure whenever needed. Therefore, the cost of construction and integration is increased and DB integration is not possible. For example, suppose a company uses EDMS and GW, which are corporate business systems, and separately builds and uses corporate security system DRM for enhanced security. First, EDMS, a document management system, imports the user's personal information (ID, PWD, department, position ...) and organizational chart information from the personnel database when the user logs in, compares it with the security level of each document, and then accesses by user. Only authorized documents are displayed. In the case of GW that promotes collaboration, when the user makes an electronic payment, the server gets the user's personal information and organizational chart information from the personnel database, and the document should be forwarded later for payment and according to the user's access rights for each document. There are restrictions such as 'read, write, edit'. In addition, the DRM server generates user access control information for documents based on the user's personal and organization information obtained from the personnel database and the security level of the document. After that, the generated access control information is inserted into the header of the document and encrypted with the user's encryption key to secure the document. That is, each system repeatedly stores the same information in each HR DB and retrieves the information from HR DB every time the user accesses it. This system structure in the past can cause many problems besides the above-mentioned increase in construction and integration costs.

In the previous system structure, since each system is independent, user's personal information (ID, PWD, department, position ...) and organization information are stored in HR DB of each system server. As a result, there are a number of secondary problems as well as the primary waste of data due to data redundancy. DB is not used by only one person, but is accessed by multiple users in real time and used at the same time. It is a place where continuous changes such as update, insert and delete occur. Therefore, if there are multiple databases with the same information, it is not easy to manage each of these databases consistently. For example, if a change to a user's personal information is applied only to the personnel database of an EDMS server, the user will not only be able to properly identify documents that can be identified by his class in GW, but will also be able to easily access inaccessible documents. This becomes possible and serious problems can arise accordingly. In other words, if the user's personal information changes are not consistently reflected in the personnel database of all servers, there will be a big hole in security. That is, there is a problem that all three factors of confidentiality, integrity, and availability can be destroyed.

In addition, the existing architecture causes each server to run independently, resulting in a waste of time due to duplication of work. This is because, when a user connects to each server, each server manages an independent HR database so that data on the user's personal information and organizational chart information must be newly retrieved. For example, in the structure of the existing system, when accessing the GW after accessing the EDMS server, retrieval of user personal information and organization chart information occurs repeatedly, which causes a problem of slowing down the system and reducing work efficiency. . In other words, in the past technology, various corporate business systems are used to promote corporate collaboration through smart work environment, but each system is not integrated efficiently, which causes enormous cost, construction difficulty, and security problems due to data duplication of DB. .

In addition, the existing technology has a problem that the security for the generalization of micro devices is inadequate, and support for the mobile work environment, which will be further activated in the future, has a problem. Traditional technology mainly uses digital right management (DRM) or data loss prevention (DLP) as an enterprise security system. However, DRM encrypts and delivers documents and controls access to decrypted documents according to user's authority. However, this digital rights management DRM method has a problem that a user with access to a document can easily access content at any time. The DLP method is a technology that extracts text by searching the contents of a document, determines the security level, and takes action accordingly. However, the DLP method that detects the leakage of content through the content search has an additional problem because the document is delivered in plain text when the leak occurs. The typical DRM and DLP methods used for enterprise security in the past technology are not enough to solve the security problem of very small devices with the existing DRM and DLP alone due to the problems mentioned above.

[선행기술문헌][Preceding technical literature]

[특허문헌][Patent Documents]

(Patent Document 1) Korean Laid-Open Patent Publication No. 2008-0064164 (Published: July 08, 2008)

The present invention is to solve this problem, based on the organic integration of the existing DRM and DLP content retrieval technology using encryption and access control to minimize the leakage of internal information of the enterprise, as well as to strengthen the enterprise security In order to integrate and manage various work systems in smart work environment using management control system, it is to provide a method and device for supporting user-oriented integrated digital work system based on enterprise information protection support. To this end, an integrated login system is established using an integrated management control system (IMCS) based on user personal information and organization chart information to integrate and manage various business systems.

In addition, after checking whether the confidential information of the company is included in the electronic document existing inside the company by using the content retrieval technology on the body of the electronic document, the importance of the electronic document is judged based on this, and the document is graded. Provides access control by assigning each access authority level. In addition, by encrypting the electronic document and inserting differentiated text watermarking based on the user's personal information, it is possible to follow up when the document is leaked, and to enhance the post-security as well as post-security using DRM and DLP. There is a purpose.

Another object of the present invention is to enhance security in a mobile work environment by various devices and smart devices through building a security system based on user devices. It provides an efficient security system in the flow of changes to mobile business environment by providing pre-security through text content marking and insertion of text contents in the user terminal itself rather than security system on existing server. There is another purpose to this.

However, the problem to be solved of the present invention is not limited thereto, and may be variously expanded within a range without departing from the spirit and scope of the present invention.

In order to achieve the object of the present invention, the document integrated management system according to the embodiments of the present invention may include a server device and a client device, the server device capable of integrated control of a plurality of enterprise business systems, different providers A plurality of corporate business systems installed by the server, a document database storing electronic document files containing corporate internal information, a human resource database storing organizational charts and user information, and a policy file containing information about internal corporate information security policies. A policy database to store and an integrated control unit connected to the plurality of corporate business systems, wherein the plurality of corporate business systems share a personnel database and a policy database through the integrated control unit. It may be. The integrated control unit is connected with the policy database, and the integrated control unit also includes a policy management unit for managing the policy file stored in the policy database and a policy transmitting unit for transmitting the policy file to the client device connected to the server device. And an encryption unit that performs encryption processing on the electronic document file to be transmitted from the document database to the client device, a login confirmation unit that checks the login authority of the user of the client device in comparison with the user information stored in the personnel database, and received from the client device. It may include a security unit, including a log information sensor for managing log information.

Next, the client device includes a monitor unit for monitoring the generation or change of an electronic document file, a control unit for receiving a policy file including document grade setting information and a security processing policy from a policy database of the server device, a document security unit, and a document support unit. It may also include. The document security unit extracts text data from the electronic document file, retrieves the internal corporate information phrase from the extracted text data, and based on the number of times that the internal corporate information phrase has been retrieved and the document grade setting information, An electronic score displayed on the client device for calculating an exposure score, assigning an electronic document file a document grade associated with a user's access right based on the exposure score, and based on user personal information about a user of the client device received from the server device; It may also be configured to embed a watermark in the text of the document file. In addition, the document supporter may be configured to upload the electronic document file generated by the document security unit to the document database, or download the encrypted electronic document file from the encryption unit.

According to one embodiment, a plurality of enterprise business systems include an electronic document management system (EDMS), groupware (GW), business process management (BPM) system, enterprise resource management (ERP); It may also include one or more of an Enterprise Resource Planning system and an email system.

According to the document integrated management system according to the embodiments of the present invention, based on various digital corporate business systems such as existing document management system, electronic payment system, etc., various corporate business systems are centered on Integrated Management Control System (IMCS). More specifically, since the user's personal information and organizational chart information are integrated into one HR database and provided as a single system centered on IMCS, rather than simple integration between various digital corporate business systems and corporate business systems, Significantly reduce deployment and integration costs. In addition, since various corporate work systems use a single human resource DB on the server, it is possible to reduce time wasted and increase work efficiency due to retrieval of user information and organizational chart information that has been repeatedly performed every time the server is accessed. In addition, it can solve security problems caused by inconsistency of information due to data redundancy, and can be easily integrated with various work systems in the future and promote consistent work.

In addition, according to a method of sharing an internal document between client devices through a server device according to another embodiment of the present invention, the client device adds a content retrieval function of the DLP to the DRM method using existing encryption and access control. Documents created on the device, documents sent via the web, and stored in the storage media can be enhanced according to the security level according to each security level, so the risk of external leakage can be enhanced. .

In addition, through the text watermarking technology of the present invention can differentiate the font size and spacing for each user to track the outflow path when the document is leaked, thereby enhancing the post-security as well as post-security. In other words, it is possible to consolidate the various systems around IMCS on the server and to enhance the post-security of the enterprise by preliminary security using DRM and DLP and tracking through text watermarking.

In addition, it is possible to reinforce security in mobile work environment by various devices and smart devices by building security system based on user device. It provides efficient security system in the flow of change to mobile business environment by providing pre-security through text search and insertion of text contents in the user terminal itself, and post-security by text watermarking. Can be.

However, the effects of the present invention are not limited thereto, and may be variously extended within a range without departing from the spirit and scope of the present invention.

1 is a schematic diagram of a document integrated management system including a server device and a client device capable of integrated control of a plurality of corporate business systems.

2 illustrates a client device according to an embodiment of the present invention.

3 is a flowchart of a method for generating an electronic document file in a client device for enhancing internal corporate information security according to an embodiment of the present invention.

4 shows a flow chart of a method for sharing an internal corporate document between client devices via a server device.

5 illustrates a policy file according to an embodiment of the present invention.

6 shows exemplary rating setting information used in the present invention.

7 illustrates a content searching unit according to an embodiment of the present invention.

8 illustrates a rating unit according to an embodiment of the present invention.

9 illustrates an embodiment of inserting watermarking in a method of adjusting the font size size and in a method of adjusting the thickness of the font.

With respect to the embodiments of the present invention disclosed in the text, specific structural to functional descriptions are merely illustrated for the purpose of describing embodiments of the present invention, embodiments of the present invention may be implemented in various forms and It should not be construed as limited to the embodiments described in.

As the inventive concept allows for various changes and numerous modifications, particular embodiments will be illustrated in the drawings and described in detail in the text. However, this is not intended to limit the present invention to a specific disclosed form, it should be understood to include all modifications, equivalents, and substitutes included in the spirit and scope of the present invention.

The terminology used herein is for the purpose of describing particular example embodiments only and is not intended to be limiting of the present invention. Singular expressions include plural expressions unless the context clearly indicates otherwise. In this application, the terms "comprise" or "having" are intended to indicate that there is a feature, number, step, action, component, part, or combination thereof that is described, and that one or more other features or numbers are present. It should be understood that it does not exclude in advance the possibility of the presence or addition of steps, actions, components, parts or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art. Terms such as those defined in the commonly used dictionaries should be construed as meanings consistent with the meanings in the context of the related art and shall not be construed in ideal or excessively formal meanings unless expressly defined in this application. .

Hereinafter, with reference to the accompanying drawings, it will be described in detail a preferred embodiment of the present invention. The same reference numerals are used for the same elements in the drawings, and duplicate descriptions of the same elements are omitted.

1 is a schematic diagram of a document integrated management system 10 including a server device 100 and a client device 200 capable of integrated control of a plurality of corporate business systems. The server device 100 may include an integrated control unit 110, a policy database 116, a personnel database 118, a document database 120, and a plurality of

corporate business systems

140, 142, 144, 146. have. The integrated management control system (IMCS) of the present invention may be implemented as the integrated control unit 110 in the server device.

The integrated control unit 110 may connect with the document database 120, and the integrated control unit 110 may also connect with the policy database 116 and the server policy unit 112 and the security management unit 114 connected with the personnel database. ) May be included. The server policy unit 112 may include a policy manager 122 and a policy transmitter 124. The policy manager 122 is a policy file including a policy for designating a document grade and a user authority level according to an exposure score of the internal information of the document, and stores, updates, and deletes the policy files stored in the policy database. The policy transmitter 124 may be responsible for transmitting the policy file stored in the policy database to the client as needed. The security management unit 114 of the server device checks whether a user is logged in, detects log information, and supports encryption of a document. More specifically, the security management unit 114 of the server device prior to transmitting the electronic document to the client device is provided. Encryption unit 126 for performing encryption processing on the electronic document, Login confirmation unit for checking the login authority for each user based on the user information and organization chart information stored in the personnel database in the server device when the user of the client device is logged in (128) And the log information detecting unit 130 that receives and manages information related to security processing according to the detection result from the client device in a log data format when the internal company information is detected by the client device.

As shown in FIG. 1, the policy database 116 is connected to the server policy unit 112, and the policy database stores policy files containing information related to the internal information security policy of the enterprise. 5 illustrates an exemplary policy file used in the present invention. The personnel database 118 is connected to the security management unit 114 of the server device, and the personnel database includes information on employees of the company, that is, information on users who can view documents including the internal information of the company. Organization chart information may be stored. When there is a login request by the client device connected to the server device, the login confirmation unit 128 of the server device may confirm the login by inquiring the organization chart and the user information stored in the personnel database. The document database 120, which is a repository of electronic document files containing enterprise internal information, may be connected with the integrated control unit and may store electronic document files uploaded from client devices. When there is a download request from the client device, the server device may inquire the electronic document file from the document database, encrypt the electronic document file by the encryption unit of the integrated control unit, and transmit the encrypted electronic document file to the client device.

The server device 100 may also include a plurality of

enterprise business systems

140, 142, 144, 146. The multiple enterprise business systems include Electronic Document Management System (EDMS), Groupware (GW), Business Process Management (BPM) system, and Enterprise Resource Planning (ERP) system. It may include any internal electronic document management system for processing internal documents such as payment, sharing, modification, storage and transmission of internal documents such as e-mail systems, and e-mail systems, each of which is installed by different service providers. It may be.

However, the plurality of corporate business systems installed in the server device according to the present invention do not have a personnel database and / or policy database for each system, but an integrated management control system (IMCS) in which various corporate business systems are implemented as an integrated control unit. ), I.e., share a personnel database and / or policy database that includes user information and organizational chart information. The introduction of an integrated management control system for various corporate business systems can greatly reduce the cost of additional system construction and integration required for each additional corporate business system. In addition, the server uses a personnel database and / or policy database that integrates various corporate business systems into one, reducing time wasted and retrieving work efficiency due to retrieval of personal information and organization chart information that is repeatedly performed every time the server is accessed. You can. In addition, it can solve security problems that may occur due to information inconsistency due to data duplication, and can easily integrate with various work systems in the future and promote consistent work.

As shown in FIG. 1, the server device 100 may be connected with a client device via a network, and may be simultaneously connected with a plurality of client devices. The client device connected to the server device may upload the electronic document file to the server device and download the electronic document file from the server device. In this regard, an exemplary detailed configuration of a client device that may be connected with a server device is shown in FIG. 2.

Referring to FIG. 2, the client device 200 may include a control unit 201, a monitor unit 202, and a client document management unit 203, and the client document management unit 203 may include a document security unit 204 and a document. Support 205.

Since the document security unit may need to be initialized by the initialization unit because the setting may be continuously changed due to periodic update or user's setting change, the control unit 201 is the document security unit 204 of the client document management unit 203. It can be configured to provide an initialization function that returns the value to its original state, receives a policy file from the server, and also opens, closes, reads specific items from the policy file, writes specific items, deletes specific items, and so on. It may be configured to provide a function of. The control unit 201 may also serve to instruct the document security unit to perform file inspection on the document file loaded on the client.

The monitor unit 202 may include a process filtering unit for notifying information of the process when the electronic document file is generated or modified in the document file process of the client device through real-time monitoring of the document file process, and includes a file name and an extension. It may include a file filtering unit that performs a real-time monitoring of the file based on the file, and notifies when a change to the file is detected, and manages the list of scanned files once so that they are excluded from the next scan. By doing so, it may include a file list mapping unit that serves to improve the efficiency of the inspection.

Next, the document security unit 204 constituting the client document management unit 203 will be described in more detail. The document security unit may include an interface unit 210, an encryption / non-encryption file inspection unit 220, a content retrieval unit 230, The rating determiner 240, the watermarking unit 250, the security processor 260, and the file generator 270 may be included.

The interface unit 210 receives a document change notification by the monitor unit 202, receives a content search instruction by the control unit 201, and receives a document downloaded from the server by the document support unit 205. The electronic document file downloaded from the server, received from the interface unit 210, is passed to the encryption / decryption file checker 220 to determine whether the electronic document file is encrypted or not, and if encrypted, temporarily It can also be decoded and stored in memory. The non-encrypted electronic document file or the decrypted electronic document file is transferred to the content retrieval unit 230 of the document security unit, and a search is performed on whether the internal file information is included in the document file. The content searching unit 230 is described in more detail with reference to FIG. 7. Based on the document text extraction result by the content retrieval unit 230 and the policy file received from the server, the grade determination unit 240 determines a grade and a user access authority grade for the document. The rating unit 240 will be described in more detail with reference to FIG. 8. The watermarking processing unit 250 receives user personal information from the server and inserts a text watermark that gives a difference to the document displayed for each user based on the information. Embodiments of embedding a text watermark are shown in FIG. Thereafter, security processing such as deletion and quarantine is performed on the electronic document file watermarked by the security processing unit 260, and the final file in which the authority information is inserted into the header of the file is generated by the file generation unit 270. .

3 is a flowchart of a method for generating an electronic document file in a client device for enhancing internal corporate information security according to an embodiment of the present invention. Referring to FIG. 3, the process starts as an electronic document file is downloaded or created on the client device (step S300). The monitor of the client device monitors the generation of the electronic document file on the client device and / or the change to the electronic document file downloaded from the server (step S302). The client device may also receive a policy file containing document grade setting information and a security processing policy from the server (step S304). Document rating setting information is the user's access authority that defines the user's access to the document according to the document ranking policy that defines the document's ranking according to the exposure score, the materiality information by the phrase related to internal company information It may also include a policy. The policy file may further include regular expressions and keywords, as shown in FIG. 5. This step may be performed regularly as well as when the creation and / or modification of an electronic document file is monitored at the client device.

The content retrieval unit 230 of the client device may also extract text data from the monitored electronic document file (step S306), and retrieve the corporate internal information-related phrase from the extracted text data (step S308). The rating unit 240 of the client device may calculate the number of times of detecting the internal corporate information-related text, and based on the number of times the internal corporate information-related text has been searched and the document grade setting information included in the policy file, The exposure score is calculated (step S310).

The rating unit 240 of the client device also assigns the document grade related to the user access right to the electronic document file based on the user access right designation policy included in the policy file according to the calculated exposure score (step S312). . The watermarking unit 250 of the client device receives user personal information about the user of the client device from the server, and inserts a watermark in the text of the electronic document file displayed on the client device based on the received user personal information. (Step S314). Inserting the watermark may include at least one of adjusting the font size of the text and adjusting the thickness of the font of the text according to user personal information.

Subsequently, the security processing unit 260 of the client device for the electronic document file having the security level determined and the watermark inserted therein is subjected to complete deletion processing, quarantine processing, encryption processing, and notification processing for the document based on the security processing policy for each grade. One security process may be performed, and the file generation unit 270 may generate a file including a header into which security related information is inserted (step S316).

4 is a flowchart illustrating a method of sharing an internal document among client devices through a server device capable of integrated control of a plurality of corporate business systems according to an exemplary embodiment of the present invention. First, the first client device may generate an electronic document file and upload it to the document database of the server device (step S400).

Thereafter, the second client device may request the server device to download the electronic document file stored in the document database. The upload from the first client device and the download request by the second client device may be continuous or discontinuous, and the first client device and the second client device may be terminals of the same user, or terminals of different users. It may be.

In response to the download request from the second client device, the server device receives the download request of the electronic document file from the second client device (step S410), and accordingly, based on the organization chart and user information stored in the personnel database, The login confirmation unit 128 confirms the login of the user of the second client device (step S420). Next, the server device transmits the electronic document file requested for download by the second client device from the document database to the encryption unit 126, and performs encryption processing in the encryption unit to generate an encrypted electronic document file (step S430). .

The server device transmits the encrypted electronic document file to the second client device, so that the second client device downloads the encrypted electronic document file (step S440). In the second client device, if creation and modification of the electronic document file at the second client device are detected by downloading the electronic document file from the server according to the process described above with respect to FIG. 3, the text data from the electronic document file is detected. Extracting and calculating an exposure score by searching for phrases related to internal company information from the extracted text data, assigning a document rating according to document security level setting information included in a policy file received from a server device, A watermark is inserted on the basis of step S450. Then, based on the document access right according to the security level of the corresponding electronic document file of the user of the second client device, the electronic document file with the watermark inserted in the second client device is displayed (step S460).

The method of sharing an internal document between client devices according to the present invention as shown in FIG. 4 is not a document security process in a server device as in the prior arts, but the content retrieval and Providing pre-security through rating setting and post-security by inserting text watermarking can provide more efficient and enhanced security system in the flow of change to mobile work environment.

5 illustrates a policy file managed at a server device and received from a server device to a client device, in accordance with an embodiment of the present invention. The policy file 500 includes a regular expression 510, a keyword 520, a security processing policy 530, and rating setting information 540. According to an embodiment of the present invention, the policy file 500 may be updated regularly from the server device.

The regular expression 510 expresses all information that can be known by identifying or inferring internal information of a company by using a regular expression. Regular expressions are supported for searching and replacing strings in many text editors and programming languages. The keyword 520 defines words related to internal company information, and may include, for example, confidentiality, protection, limited disclosure, first-class secret, second-class secret, confidentiality, and the like.

The security processing policy 530 means a pre-arranged internal decision on how to apply security according to the grade of a document. The rating setting information 540 may include a file rating policy 541 and a user access permission policy 542. The rating setting information may also include information related to rating the internal documents, such as the importance information organized by phrases related to the internal information of the company and the reading period information of each document for the rating of the documents related to the company.

6 illustrates exemplary policy files that can be used in the present invention. 6 (a) shows importance information for each phrase related to internal company information. For example, the phrase "year of enrollment" has an importance of 1 point, and the phrase "employee social security number" has an importance of 5 points.

FIG. 6B shows a user rating of an internal document of a company according to a position within an enterprise. For example, a client user with an employee in the company has a user rating of '5', an agent with a user rating of '4', a manager with a user rating of '3', and the head or deputy manager has a user rating of '2'. It has a user level, and executives have a user level of '1'. In general, the higher the user level, the greater the access rights to documents.

7 illustrates in more detail a content retrieval unit 230 that may be included in a document security unit of a client device in accordance with one embodiment of the present invention. The content retrieval unit 230 may include an interface unit 710, a filtering unit 730, and a detection unit 750. The interface unit 710 receives a document inspection instruction from the control unit 201, and receives an unencrypted or decrypted electronic document file to be inspected from the encryption / non-encryption file inspection unit 220.

The filtering unit 730 is composed of a plurality of filters that perform a function of extracting text only for a specific electronic document in order to extract text information included in various electronic documents. The filtering unit 730 detects a document format, verifies a document error, extracts document information, and extracts text. More specifically, the filtering unit 730 may include a general file text filter 732, a memory text filter 734, a file format filter 736, a compressed file filter 738, and a specific page filter 740. have.

The general file text filter 732 transfers the path information of a specific file to extract the text of the file, and the memory text filter 734 passes the address information of the specific memory where the data is stored to pass the corresponding memory. This function extracts the text of the. The file format filter 736 performs a function of checking whether the extension of the file to be subjected to the content search has been forged, and the compressed file filter 738 is a file in the compressed file when the file to be scanned is a compressed file. You can also extract only the information (file name, format information, etc.) or filter only specific files. The specific page filter 740 provides a function of filtering text information only for a specific page of the entire content of the file.

The text information extracted through the filtering unit 730 is provided to the detection unit 750, and the detection unit 750 uses the regular expressions and keywords for the internal information of the company included in the policy file received from the server. By comparison, it is detected whether the relevant document information phrases related to the company's internal information. The detector 750 may load a policy file including a regular expression and a keyword received from the server by the controller 201 or store the loaded policy file in a separate memory.

8 illustrates in more detail a rating determiner 240 that may be included in a document security section of a client device in accordance with one embodiment of the present invention. The grade determiner 240 may include an interface unit 810, a count calculator 820, a score calculator 830, and a grader 840.

The interface unit 810 receives the text information detection result from the detection unit 750 of the content retrieval unit 230 with an instruction to start the rating determination. The count calculator 820 calculates the number of times of detecting the company information-related text extracted by the detector. In addition, the score calculating unit 830 calculates the exposure score of the internal information of the company by using a formula of 'sum of the number of times detected per sentence X the importance of the internal information of the company = the exposure score'. For example, assuming that the phrase "resident number" is detected twice from the text and the phrase "entry year" is detected once, referring to the importance of each phrase shown in FIG. It can be seen that "has a significance of 5 and" entry year "has a significance of 1, so in this case, according to the above formula, 5 x 2 (the importance x detection number of" Resident Number ") + 1 x 1 (" Importance x "number of detections" = 11, that is, the exposure score of the document is calculated to be 11 points.

The grader 840 plays a role of assigning a document grade to control access to each document for each document according to the grade setting information included in the policy file based on the exposure score calculated by the score calculator. In this regard, referring to FIG. 6C, an example of a document rating policy for assigning a rating according to an exposure score is illustrated. According to this embodiment, for example, the calculated exposure score is 0. FIG. If the score is from 5, the document is given a rating of 5, if the exposure score is from 6 to 9, a rating of 4 is given; if the exposure score is from 10 to 14, a rating of 3 is given, and if it is from 15 to 19, Two grades may be given, and in the case of 20 points or more, one grade may be given. As described above, the policy file received from the server also includes a user access authority designation policy. Referring to FIG. 6C further, for example, when the document class is given as 1 class, If a user has a user level of 1 or more, the right to view, save, print and modify the document may be provided. According to this embodiment, for a document having a document rating of 1, any user whose user rating does not correspond to a rating of 1 may not be able to view, store, output, and modify. In addition, according to this embodiment, for a document with a document rating of 2, a user who has a user rating of 2 or more can view, save, output, and modify the document, and if the user rating is 3 Documents can be viewed and printed, but they can be controlled so that they cannot be saved and modified. If the user level is 4, only the document can be viewed. And neither of the modifications may be allowed. These graded user access rights can be modified and updated on the server at any time in accordance with the corporate security policy.

9 illustrates an example method for inserting a watermark into a text document in a watermarking portion that may be included in a document security portion of a client device according to one embodiment of the invention. 9 (a) and 9 (b) illustrate a watermarking embedding method in which a font size of a specific text is reduced. The text to be watermarked is shown in Fig. 9A. This document assumes a default font size of 12 pt and assumes that the user of this document has a user key of "10011". In this embodiment, each text line in the text area shown in FIG. 9A may correspond to each bit value of the user key sequentially. According to this, the first line of the text area corresponds to "1", the first bit of the user key, the second line of the text area corresponds to "0", the second bit of the user key, and the third line of the text area corresponds to the user key. Corresponds to the third bit, "0", the fourth line of the text area corresponds to "1", the fourth bit of the user key, and the fifth line of the text area, corresponds to "1", the fifth bit of the user bit. Can be. Then, the watermarking unit 250 may reduce or enlarge the font size of the text included for each text line by the set size. For example, the texts assigned to bit "1" may be reduced by 1 pt. Specifically, as shown in FIG. 9B, the first line and the fourth line of the text area corresponding to bit "1" are shown. And the fifth line of text may be adjusted to have a font size of 11 pt, each reduced by 1 pt compared to the default font size. At this time, the font sizes of the second and third lines of the text area corresponding to bit "0" will be maintained at 12 pt. If the number of key bits of the user is fixed to 5 bits, the user's key value is repeatedly applied in units of 5 lines from the first line of text, so that the spacing between text lines is adjusted in units of 5 lines, in which case watermark detection is performed later. This may be easy. Meanwhile, the text size may be reduced or enlarged at the bit value "1" or "0", respectively, but a method of reducing the font size is generally preferred in order to prevent a problem of system overflow.

Next, (c) and (d) of FIG. 9 illustrate a watermarking embedding method of changing the thickness of a font of a specific text. Accordingly, the text to be inserted into the watermarking is shown in Fig. 9C. According to one embodiment of the invention, the most used consonants or vowels are detected from the text, and the bits of the user's key are sequentially and repeatedly corresponded to the texts containing the consonants or vowels, Change the font to make the font thin or thick. The font outline process for changing the thickness of the font according to the user key may be performed for the entire text area. For example, assuming that the user key is "10011" and that the most detected consonants are 'ㄱ', as shown in (d) of FIG. , 1, 0, 0, 1, 1 can be mapped to "angle," and "," in order, and the thickness of the font of the text corresponding to bit "1" can be made thin or thick. Watermark-embedded documents can be traced back to the user's key value using only the font thickness when the document screen is leaked by a third party. Security is enhanced.

In the document integrated management system of the present invention, a server device capable of integrated control of a plurality of corporate business systems implements an integrated management control system (IMCS) through an integrated control unit, thereby including a personnel database integrated with a plurality of corporate business systems. It is possible to provide a variety of digital enterprise work systems and enterprise security systems, which can greatly reduce the deployment and integration costs required. In addition, since various corporate work systems use a single human resource DB on the server, it is possible to reduce time wasted and increase work efficiency due to retrieval of user information and organizational chart information that has been repeatedly performed every time the server is accessed. In addition, it can solve security problems caused by inconsistency of information due to data redundancy, and can be easily integrated with various work systems in the future and promote consistent work.

In addition, the present invention is to handle the electronic document file containing the internal company information in the client device, the electronic document existing inside the enterprise whether to search for the inclusion of company confidential information using the content search technology for the electronic document after By calculating the exposure score based on the exposure level, the security level of the document is determined, and the user's access / permission is controlled for each of the security levels of the document, that is, the problems of the existing DRM technology and DLP technology are compensated for. As a result, access / permission control of documents can be controlled for each user, and an appropriate security policy can be applied to each document to provide strong proactive security that can prevent the internal information of an enterprise from being leaked to the outside. .

In addition, by inserting a watermark on the document based on a specific value that can distinguish each user, it provides a differentiation to the on-screen document displayed by each user, so that the document can be externalized by an action such as photographing by a third party. Since the leak path can be traced when the furnace is leaked, there is an advantage of providing post-security for the company in preparation for the development of various micro devices.

In addition, the present invention allows to create an electronic document file with enhanced internal security on the client device side, rather than on the server side, to provide more efficient and enhanced enterprise information security in the flow of micro device use and mobile work environment. There is an advantage that it can provide.

While the invention has been described above with reference to preferred embodiments, those skilled in the art will be able to make various modifications and changes to the invention without departing from the spirit and scope of the invention as set forth in the claims below. I will understand.

According to the present invention, since the user's personal information and organizational chart information is integrated into one HR DB and provided as one system integrated around IMCS, additional construction and integration costs can be reduced.

In addition, since various corporate work systems use a single human resource DB on the server, it is possible to reduce time wasted and increase work efficiency due to retrieval of user information and organizational chart information that has been repeatedly performed every time the server is accessed.

In addition, it can solve security problems caused by inconsistency of information due to data redundancy, and can be easily integrated with various work systems in the future and promote consistent work. In addition, according to the present invention, since the security policy according to each security level of the document is less risk of external leakage, it is possible to enhance the preliminary security.

In addition, text watermarking technology can differentiate the font size and spacing of each user, so that the document leakage path can be traced, thereby enhancing not only pre-security but also post-security.

In addition, by building a security system based on user devices, it is possible to enhance security in a mobile work environment by various devices and smart devices.

Claims

A document integrated management system comprising a server device and a client device,

The server device,

A plurality of enterprise business systems installed by different providers;

A document database for storing electronic document files containing corporate internal information;

A personnel database for storing organization charts and user information;

A policy database that stores a policy file associated with an enterprise internal information security policy; And

An integrated control unit connected to the plurality of enterprise business systems,

The plurality of corporate business systems share the personnel database and the policy database through the integrated control unit,

The integrated control unit,

A server policy unit connected to the policy database and including a policy manager configured to manage the policy file stored in the policy database and a policy transmitter configured to transmit the policy file to a client device connected to the server device; And

A login confirmation unit for confirming the login authority of the user of the client device in comparison with the user information stored in the personnel database, an encryption unit for performing an encryption process on the electronic document file to be transmitted from the document database to the client device; It includes a security unit, including a log information detection unit for managing the log information received from the client device,

The client device,

A monitor unit for monitoring generation or change of an electronic document file;

A control unit for receiving a policy file including document grade setting information and a security processing policy from the policy database of the server device;

Extracting the text data from the electronic document file, searching for the phrase related to the internal information of the enterprise from the extracted text data, and exposing the text to the electronic document file based on the number of times that the phrase related to the internal information of the enterprise was searched and the document grade setting information. Calculate a score, assign a document grade associated with a user access right to the electronic document file based on the exposure score, and at the client device based on user personal information about a user of the client device received from the server device; A watermark is inserted into the text of the displayed electronic document file, and at least one of a secure deletion process, a quarantine process, an encryption process, and a notification process for the electronic document file with the watermark embedded on the basis of the security processing policy for each document grade. Document security department which performs processing ; And

And a document support unit for uploading the electronic document file generated by the document security unit to the document database or downloading an encrypted electronic document file from the encryption unit.
The method of claim 1,

The plurality of enterprise business systems include an electronic document management system (EDMS), groupware (GW), a business process management (BPM) system, and enterprise resource planning (ERP). A document integrated management system, comprising at least one of a system and an email system.