JP2006023916A - Information protection method, information security management device, information security management system and information security management program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To attain the determination of information processing operations with a security policy (SP) as a criterion of propriety determination and the relatively simple determination of the propriety of the information processing operations. <P>SOLUTION: An information security management system manages an object to be managed for information protection in an institution configured for implementing business purposes, and supports the SP preparation of a plurality of items to be observed by the institution, and sub-divides the data of SP into management target-categorized application parts according to the contents of the items (S100), and determines whether or not the information processing operations are proper, and reports impropriety when the information processing operations are improper (S120), and diagnoses the defect of an in-house information protection system based on the determination result (S171), and prepares an audit report concerning the in-house information protection system based on the diagnostic result (S181), and updates the non-subdivided SP data according to the diagnostic result, and automatically updates the corresponding subdivided SP data into the contents of the updated SP data part in accordance with which of the management object categorized subdivided SP data corresponds to the updated SP data part (S100). <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an information protection method, an information security management device, an information security management system, and an information security management program, and in particular, an information protection method, an information security management device, an information security management system suitable for preventing information leakage, Information security management program.

  In recent years, the problem of information leakage, particularly the problem of leakage of customer information in companies, has become apparent. In addition, due to the establishment of the Personal Information Protection Law and the amendment of the Unfair Competition Prevention Law, regulations regarding the handling of personal information and trade secrets are being made. For this reason, various measures are being taken to prevent leakage of information such as personal information and trade secrets.

  For example, information leakage is prevented by monitoring network traffic in an organization.

  In this case, after information necessary for legitimate purposes such as business purposes is downloaded from a file server to a PC (Personal Computer) via a network, an unauthorized terminal is directly connected to the PC without going through the network, or FDD ( Information downloaded by connecting an external storage device such as a Flexible Disk Drive (MO), Magneto-Optical disk (MO) drive, HDD (Hard Disk Drive), or CD-R (Compact Disk Recordable) directly to the PC Can be obtained without leaving a trace.

  In addition, information is prevented from being leaked by performing personal authentication when logging on to a network or by controlling access to a file. In this case, if the user is a valid user of the network and has access authority, information can be acquired.

  In addition, information leakage is prevented by monitoring in-house and organizations. In this case, information can be acquired by taking out the mobile PC lent to each user from the organization. Therefore, there is a problem that information leakage cannot be prevented by the measures described above.

  In addition, there is a method for determining whether or not personal information can be provided to a server based on a comparison between a usage policy of personal information in the server and a disclosure standard for personal information set by the user (Patent Document 1). According to this, it is possible to automatically determine whether information can be provided.

  In addition, when an electronic device is accessed, an access log is acquired, the access log is statistically processed and stored as security management information, and obtained from the acquired access log and past access logs. Compared to the security management information, the difference between the current access status is detected, the access that was made in a different situation is judged as abnormal access, and a warning is issued to the administrator or a specific user. Yes (Patent Document 2).

  According to this, even if the authentication information of the user is leaked, it is possible to monitor the access status from the user or the network, detect an access different from normal, and issue a warning.

  In addition, there is a device that acquires only a necessary part of a security policy by specifying a range of the necessary security policy when acquiring a security policy (Patent Document 3). According to this, a security policy can be shared by a plurality of different types of systems.

In addition, when the user of the user terminal tries to access the document, the server refers to the security policy that is recorded and held, and whether the processing requirements are set or not is set. There is one that acquires whether or not it has been (Patent Document 4). According to this, access control to a document can be performed based on the security policy recorded and held by itself.
JP2003-132160A (paragraph 0015) JP 2000-148276 A (paragraph 0018) JP 2004-94401 A (paragraph 0013) JP 2004-133816 A (paragraph 0108)

  However, according to the above-described conventional technology, it has been impossible to determine a wide variety of information processing operations using the overall security policy as a criterion for determining suitability. In addition, not only the suitability determination of the information processing operation regarding the security policy related to the access to the specific file, but also the suitability judgment becomes complicated when the suitability determination of the information processing operation over the entire security policy is performed. There was a point.

  The present invention has been made to solve the above-mentioned problems, and one of the objects of the present invention is an information protection method and an information security management device capable of determining an information processing operation using a security policy as a criterion for suitability. To provide an information security management system and an information security management program.

  Another object of the present invention is to provide an information protection method, an information security management device, an information security management system, and an information security management program capable of determining the suitability of a relatively simple information processing operation.

  In order to solve the above-described problem, according to one aspect of the present invention, an information protection method of the present invention is a computer that manages a plurality of management objects for the purpose of protecting information in an organization configured to perform a business purpose. Is the way to manage. In addition, the information protection method includes a security policy creation support step that supports the creation of a security policy consisting of a plurality of items that the organization must comply with, and a part in which security policy data is applied to a plurality of management targets according to the contents of the items. A subdivision step for subdividing the information processing operation, a suitability determination step for determining whether or not the information processing operation is appropriate, and a notification step for notifying inappropriateness when the suitability determination step determines that the information processing operation is inappropriate. Based on the determination result of the suitability determination step, a diagnosis step for diagnosing whether or not the information protection system in the organization is inadequate, and the information protection system in the organization based on the diagnosis result in the diagnosis step Audit report creation step for creating an audit report, and subdivision depending on the diagnosis result of the diagnosis step Security policy update step that updates the security policy data other than security policy data, and the security policy data portion updated by the security policy update step is divided into multiple management targets. A sub-security policy data automatic updating step that automatically updates the sub-security policy data corresponding to the updated security policy data portion according to which one is supported.

  The security policy creation support step includes an option presentation step for presenting a plurality of security content options prepared in advance for each of a plurality of items ready-made according to a standardized format, and a plurality of options presented by the option presentation step. A selection result receiving step for receiving a selection result indicating which one of the options has been selected; and a creation step for creating an organization security policy according to the selection result received by the selection result receiving step.

  The adequacy determination step is a step of determining whether or not the information processing operation conforms to the security policy according to the adequacy determination program created so as to correspond to the standardized format in the security policy. A security policy determination step that is determined based on the data of the security policy that has been performed, and a high-frequency information processing operation pattern that is frequently repeated from the past information processing operation. A divergence determination step of performing an abnormality determination when the divergence degree of the current information processing operation exceeds a predetermined value.

  The security policy determination step is a subdivided security policy that is applied to the executed management target according to which management target information processing operation is executed in the subdivision security policy data subdivided in the subdividing step. A subdivision determination step for determining based on the data is included.

  According to the present invention, since the security policy is ready-made according to a standardized format, a computer for determining whether the security policy is appropriate or not by creating a program for determining appropriateness corresponding to the format. It is possible to provide an information protection method that can be determined and can be determined by a program for determining whether or not can be determined relatively easily. Furthermore, it is possible to provide an information protection method capable of determining an information processing operation using a security policy as a criterion for determining suitability and determining an abnormality of an information processing operation based on a past information processing operation.

  In addition, the security policy data is subdivided into a plurality of management targets according to the contents, and the subdivision applied to the management target executed according to which management target information processing operation to be judged for suitability is executed. Appropriateness judgment is performed based on the security policy data. Therefore, it is possible to make efficient judgment only for subdivided security policy data suitable for the management target in the entire security policy data. It is possible to prevent as much as possible the waste of performing the suitability determination based on the policy data.

  Furthermore, even when the entire security policy data is subdivided into a plurality of management targets, it is not necessary to update each subdivided security policy data one by one when updating the security policy data. By updating the security policy data that has not been updated, the updated security policy data part corresponds to the subdivided security policy data that is subdivided according to multiple management targets. Since the security policy data is updated and automatically updated to the contents of the security policy data portion, it is possible to prevent the security policy data from being complicated as much as possible.

  Further, the security policy in the organization can be diagnosed based on the determination result of the information processing operation, and an audit report for the security policy in the organization can be created based on the diagnosis result.

  According to another aspect of the present invention, an information security management device manages a plurality of management targets for the purpose of protecting information in an organization configured to accomplish a business purpose. The information security management device stores security policy data storage means for storing security policy data to be observed by the organization, and whether the information processing operation conforms to the security policy is stored in the security policy data storage means. Appropriateness determining means for determining based on the data of the security policy that is present, and an abnormality processing means for performing processing when an abnormality occurs when the appropriateness determining means determines that it is inappropriate.

  The security policy data storage means stores security policy data created in accordance with a standardized format. The suitability judging means includes a memory storing a suitability judging program created so as to correspond to a standardized format, and a central processing unit for performing suitability judging processing in accordance with the suitability judging program stored in the memory. including.

  According to the present invention, since the security policy is created in accordance with a standardized format, a computer that uses the security policy as a suitability judgment standard by creating a suitability judgment program corresponding to the format. It is possible to provide an information security management apparatus that can determine whether or not it is appropriate by a program for determining appropriateness that can be created relatively easily.

  According to still another aspect of the present invention, an information security management device manages a plurality of management targets for the purpose of protecting information in an organization configured to accomplish a business purpose. In addition, the information security management device includes a security policy data storage unit that stores security policy data that the organization must comply with, a suitability determination unit that determines whether the information processing operation is appropriate, and a suitability determination unit. And an abnormality processing means for performing processing when an abnormality occurs when it is determined that it is appropriate.

  The suitability determination means includes a security policy determination means for determining whether the information processing operation conforms to the security policy based on the security policy data stored in the security policy data storage means, and a past information processing operation. A divergence determination unit that learns a high-frequency information processing operation pattern that is frequently repeated, and performs abnormality determination when the current information processing operation is deviated from a past information processing operation based on the learning result. Including.

  According to the present invention, there is provided an information security management device capable of determining an information processing operation using a security policy as a criterion for determining suitability and capable of determining an abnormality in an information processing operation based on a past information processing operation. Can do.

  Preferably, the information processing terminal on which the information processing operation is performed is connected to a network in the organization. Further, the divergence determination means includes the operation content storage means for each operator that stores the contents of past information processing operations classified and stored for each person who performed the information processing operations, and the contents of past information processing operations are managed. An operation content storage means for each management target that is classified and stored for each operation, and the high-frequency information processing operation pattern for each operator is learned from the information stored in the operation content storage means for each operator. For each managed object that performs a determination of abnormality based on the learning result by learning a high-frequency information processing operation pattern for each managed object from the information stored in the operation content storing means for each managed object, Divergence determination means.

  According to the present invention, the information security management device can determine the abnormality of the information processing operation regarding the information processing terminal connected to the network, and determine the abnormality of the information processing operation for each operator or each management target. be able to.

  According to still another aspect of the present invention, an information security management system manages a plurality of management targets for the purpose of protecting information in an organization configured to accomplish a business purpose. In addition, the information security management system includes security policy data storage means for storing security policy data that conforms to a standardized format that is security policy data that an organization should comply with, and information processing operations. When the suitability judging means for judging whether or not conforming to the security policy is determined based on the data of the security policy stored in the security policy data storing means, and the suitability judging means are judged to be inappropriate Abnormality processing means for performing processing when an abnormality occurs.

  The security policy data storage means stores security policy data so that subdivided security policy data subdivided for a plurality of management objects according to the contents can be specified and accessed. The adequacy determination means performs the adequacy determination based on the subdivided security policy data applied to the executed management target according to which management target information processing operation to be determined is executed among the security policy data. Subdivision suitability determination means to be performed is included.

  According to the present invention, since the security policy is created in accordance with a standardized format, information that can be used to determine the suitability of information processing operations using the security policy as a criterion for suitability is relatively easy. A security management system can be provided.

  In addition, the security policy data is subdivided into a plurality of management targets according to the contents, and the subdivision applied to the management target executed according to which management target information processing operation to be judged for suitability is executed. Appropriateness judgment is performed based on the security policy data. Therefore, it is possible to make efficient judgment only for subdivided security policy data suitable for the management target in the entire security policy data. It is possible to prevent as much as possible the waste of performing the suitability determination based on the policy data.

  Preferably, the information processing terminal on which the information processing operation is performed is connected to a network in the organization. The information processing terminal is a means that constitutes a part of the security policy data storage means, and stores the managed security policy data storing the security security data corresponding to the management target in the security policy data. And information processing performed through the information processing terminal during the disconnection period when the disconnection determination unit determines that the information processing terminal has been disconnected from the network in the organization. The disconnection determining means that determines that the operation is inappropriate based on the sub security policy data stored in the managed sub security policy data storage means and the information processing terminal are reconnected to the network in the organization. Reconnection determination to determine If it is determined that the connection is reconnected by the reconnection determination means, the inappropriate information specifying that the disconnection determination means is determined to be inappropriate is output to the network in the organization. And a disconnection determination result output means.

  According to this invention, the information security management system determines that the information processing operation performed through the information processing terminal during the disconnection period in which the information processing terminal connected to the network is disconnected from the network is inappropriate. It is possible to detect what has been done and perform processing when an abnormality occurs.

  Preferably, the information security management system diagnoses whether there is a defect in the security policy in the organization based on the determination result by the suitability determination unit, and the security policy in the organization based on the diagnosis result by the diagnosis unit And an audit report creating means for creating an audit report for the.

  According to this invention, the information security management system can diagnose the security policy in the organization based on the determination result of the information processing operation, and the audit report on the security policy in the organization can be generated based on the diagnosis result. Can be created.

  Preferably, the information security management system includes a security policy update unit that updates data of an undivided security policy other than the subdivided security policy data, and a security policy data portion updated by the security policy update unit includes a plurality of management targets. An automatic subdivision security policy data update means that automatically updates the corresponding subdivision security policy data to the contents of the updated security policy data portion according to which of the subdivision subdivision security policy data is supported. And further including.

  According to the present invention, even when the entire security policy data is subdivided into a plurality of management targets by the information security management system, each subdivided security policy data is updated one by one when updating the security policy data. By updating the security policy data that is not necessary and not subdivided, the updated security policy data part corresponds to which of the subdivided security policy data subdivided for multiple management targets Since the corresponding subdivided security policy data is updated and automatically updated to the contents of the security policy data portion, it is possible to prevent the security policy data from being complicated as much as possible.

  According to still another aspect of the present invention, the information security management program is data of a security policy to be adhered to by an organization configured to carry out a business purpose, and is created in accordance with a standardized format. This is executed by an information processing terminal that includes security policy data storage means for storing the security policy data and manages a plurality of management targets in order to protect information in the organization.

  In addition, the information security management program performs an abnormality determination process for determining whether or not the information processing operation is appropriate, and an abnormality process for performing an abnormality occurrence process when the appropriateness determination step determines that the information processing operation is inappropriate. Steps. The suitability determination step is a step of determining suitability according to a suitability determination program created so as to correspond to the standardized format in the security policy, and whether or not the information processing operation conforms to the security policy. A security policy determination step for determining based on security policy data stored in the policy data storage means;

  According to the present invention, since the security policy is created in accordance with a standardized format, a computer that uses the security policy as a suitability judgment standard by creating a suitability judgment program corresponding to the format. It is possible to provide an information security management program that can be judged by the suitability determination and that can be judged by the suitability determination program that can be created relatively easily.

  According to still another aspect of the present invention, the information security management program is data of a security policy to be adhered to by an organization configured to carry out a business purpose, and is created in accordance with a standardized format. This is executed by an information processing terminal that includes security policy data storage means for storing the security policy data and manages a plurality of management targets in order to protect information in the organization.

  In addition, the information security management program includes a suitability determination step for determining whether or not an information processing operation conforms to a security policy based on security policy data stored in the security policy data storage means, and a suitability determination step. And an abnormality processing step for performing processing when an abnormality occurs when it is determined that it is inappropriate. The security policy data storage means stores security policy data so that subdivided security policy data subdivided for a plurality of management objects according to the contents can be specified and accessed.

  The suitability determination step is a subdivision applied to the management target executed according to which management target information processing operation to be determined is executed among the security policy data stored in the security policy data storage means. A subdivision determination step for performing suitability determination based on the subdivision security policy data accessed to the security policy data is included.

  According to the present invention, since the security policy is created in accordance with a standardized format, information that can be used to determine the suitability of information processing operations using the security policy as a criterion for suitability is relatively easy. A security management program can be provided.

  In addition, the security policy data is subdivided into a plurality of management targets according to the contents, and the subdivision applied to the management target executed according to which management target information processing operation to be judged for suitability is executed. Appropriateness judgment is performed based on the security policy data. Therefore, it is possible to make efficient judgment only for subdivided security policy data suitable for the management target in the entire security policy data. It is possible to prevent as much as possible the waste of performing the suitability determination based on the policy data.

  According to still another aspect of the present invention, an information security management program includes security policy data storage means for storing data of a security policy to be complied with by an organization configured to carry out a business purpose. It is executed by an information processing terminal that manages a plurality of management objects for protection against the problem. In addition, the information security management program performs an abnormality determination process for determining whether or not the information processing operation is appropriate, and an abnormality process for performing an abnormality occurrence process when the appropriateness determination step determines that the information processing operation is inappropriate. Steps.

  The suitability determining step is repeated from the security policy determining step for determining whether the information processing operation conforms to the security policy based on the security policy data stored in the security policy storing means, and the past information processing operation. A divergence determination step that performs an abnormality determination when a current information processing operation is deviated from a past information processing operation based on a learning result. .

  According to the present invention, there is provided an information security management program capable of determining an information processing operation based on a security policy as a criterion for suitability and capable of determining an abnormality in an information processing operation based on a past information processing operation. Can do.

  According to still another aspect of the present invention, an information security management program is a subdivision in which security policy data to be complied with by an organization configured to carry out a business purpose is subdivided into a plurality of management objects according to the contents thereof. This is executed by an information processing terminal connected to a network in the organization that manages a plurality of management targets in order to protect information in the organization, and includes subdivided security policy data storage means for storing security policy data.

  In addition, the information security management program executes a disconnection determination step for determining that the information processing terminal has been disconnected from the network in the organization and a determination that the information processing terminal has been disconnected through the information processing terminal during the disconnection period. A separation determining step for determining that the information processing operation performed is inappropriate based on the data of the sub security policy stored in the sub security policy data storage means, and the information processing terminal is connected to the network in the organization. When it is determined that the connection is reconnected by the reconnection determination step and the reconnection determination step for determining that the connection has been reconnected, it is determined that the determination that the connection is incorrect is made by the disconnection determination step. Separate medium format that outputs inappropriate information to the network in the organization Results, including output and step.

  According to the present invention, since the security policy is created in accordance with a standardized format, it is possible to determine the suitability of a relatively simple information processing operation using the security policy as a suitability judgment criterion, and the network. It is possible to provide an information security management program capable of determining that the information processing operation performed through the information processing terminal during the disconnection period in which the information processing terminal connected to the network is disconnected is inappropriate.

  An information security management system according to one embodiment of the present invention will be described below with reference to the drawings. In addition, the same code | symbol in the figure shows the same or equivalent member, and the overlapping description is not repeated.

  FIG. 1 is a diagram showing an outline of an information security management system 1 in one embodiment of the present invention. Referring to FIG. 1, an information security management system 1 includes a plurality of users and information processing systems for protecting information in an organization such as a corporation, an organization, a government, or a local public organization that is configured to carry out a business purpose. Manage assets and other management targets using computers.

  The information security management system 1 includes an Intensive Guard Manager (hereinafter referred to as “IGM”) 100, a Central Surveillance Monitor (hereinafter referred to as “ASM”) 200, a Segment Defense Manager (hereinafter referred to as “Segment Defense Manager”). A personal computer (hereinafter referred to as “PC (ODA)”), an operation defense manager (hereinafter referred to as “ODM”) 400, and an operation defense agent (hereinafter referred to as “ODA”). ) ") And 600A and B.

  The IGM 100 and the ASM 200 are connected by a LAN (Local Area Network) 502. That is, the IGM 100 and the ASM 200 are provided in the same segment. The SDM 300, the ODM 400, and the PCs (ODA) 600A and B are connected by a LAN 503. That is, the SDM 300, the ODM 400, and the PC (ODA) 600A, B are provided in the same segment.

  The LAN 502 and the LAN 503 are connected by a network 501. The network 501 may be a LAN or a WAN (Wide Area Network).

  The IGM 100 is configured by a server computer such as a workstation. It has a policy formulation function, an information security defense function, an information security diagnosis function, and an information security audit function. The IGM 100 only needs to have at least an information security defense function. The policy formulation function, the information security diagnosis function, and the information security audit function may be provided in a computer other than the IGM 100.

  Policy formulation functions include BS (British Standards) 7799, ISMS (Information Security Management System) conformity assessment system ISMS certification standards, FISC (The Center for Financial Industry Information Systems, financial information system foundation) Center) A function that formulates a security policy according to a standardized format based on safety measures standards.

  In this embodiment, this policy formulation function is realized by security policy formulation support software that supports the formulation of a security policy. This software is divided into multiple items according to the contents in advance, displays a checklist consisting of multiple questions for each item, answers each checklist one by one, and creates a security policy based on the results. is there. Multiple items by content and questions in each item are ready-made according to a standardized format. As a result, the result data entered in response to the presented questions are also standardized in advance. The data follows the specified format. Therefore, this format is an original format and does not have to be standardized throughout Japan or around the world. In addition, when this original format becomes the de facto standard, it may be standardized throughout Japan or around the world.

  BS7799 is a standard established as an ISMS by the British Standards Institute (BSI). The ISMS Conformity Assessment System is certified by JIPDEC (Japan Information Processing Development Corporation) in Japan to comply with ISO / IEC (International Electrotechnical Commission) 17799. It is a system. ISO / IEC17799 is a standard that BS7799 is internationally standardized by ISO (International Organization for Standardization).

  In formulating a security policy, a security policy corresponding to the target asset or user is formulated. Assets include information assets, software assets, physical assets, and the like. Organizations can set levels of protection that correspond to the value and importance of assets. That is, the level of protection can be set according to the risk to the asset. The risk can be calculated by, for example, a formula of risk level = information asset value level × threat level × vulnerability level. In addition, for the user, a monitoring level can be set according to the responsibility, the job, or the degree of relevance for each asset.

  According to TR (Technical Reports, Standard Information) X0036-1: 2001, risk refers to the possibility that a threat will cause loss or damage to an asset by exploiting the vulnerability of the asset or asset group. Say. A threat is a potential cause of an undesired accident that harms the system or organization. Vulnerability is the weakness of an asset or group of assets that can be affected by a threat.

  The information security defense function is a function for managing the SDM 300 and the ODM 400 to protect information security. The information security diagnosis function is a function for diagnosing whether or not the information security defense function is defective. The information security audit function is a function for auditing the information security defense function and creating an audit report based on the diagnosis result of the information security diagnosis function.

  The ASM 200 may be configured with a server computer or a PC. The ASM 200 includes a policy violation notification function for notifying an administrator of a security policy violation discovered by the SDM 300, ODM 400, and PC (ODA) 600A, B.

  The SDM 300 includes a server computer and a PC. The SDM 300 includes a network operation protection function that protects information processing operations that violate security policies in networks within a segment.

  The ODM 400 includes a server computer and a PC. The ODM 400 includes an ODA management function for managing a plurality of PCs (ODA) 600A and B, and an ODA collection information management function for managing information collected from the PCs (ODA) 600A and B. The ODM 400 also has an ODA function described later.

  The PC (ODA) 600A, B includes an operation information acquisition function for acquiring information on an information processing operation by the user of the PC (ODA) 600A, B, and information on a security policy violation by the user of the PC (ODA) 600A, B. A violation information acquisition function for acquiring processing operation information is provided.

  Information processing operations include system start and stop (Windows (registered trademark) start and shutdown), event log start and stop (event log start, event log stop, unexpected system shutdown), STOP error, Logon after hours (user logon, user logoff), logon failure (wrong user name or password, overtime, use of invalid account, use of expired account, use of unauthorized account, use of unauthorized logon type There are operations such as use of an expired password, NetLOGON in an environment where NetLOGON is not active, and account lockout (a prescribed number of password errors).

  Also, user accounts (user account creation, user account type change, user account enable, user account disable, user account delete, user account change, password change attempt, password setting), group (local, global) (security is Create a valid global group, delete a security-enabled global group, change a security-enabled global group, add a global group member, delete a global group member, create a security-enabled local group, and enable security Delete local group, change security enabled local group, add local group member, delete local group member, change general account database, Change of the main policy) there is an operation of such.

  User rights (user rights assignment, user rights deletion), audit settings (partial security log disappearance due to lack of resources, security log deletion, audit policy change), object access failure (object access), application There are operations such as an exception (application error), IIS logon error (WWW service logon failure, FTP service logon failure), system error (error log), and application error (error log).

  File access (new file creation, file change, file deletion, file name change, print screen, copy / paste by Windows (registered trademark) operation, Ctrl + c / Ctrl + v by keyboard operation, drag and drop by mouse operation) File printing), external path new connection (USB connection, USB disconnection, cross cable connection, cross cable disconnection, PDA connection, PDA disconnection), external path logon (cross cable connection terminal logon, cross cable connection terminal log off, Logon of connected PDA, logoff of connected PDA), external path external media output, new network connection, mail transmission, power ON, disk power ON, application installation, application uninstallation There is an operation such as initial start-up application termination.

  FIG. 2 is a block diagram showing a configuration of the personal computer 600 in the present embodiment. Referring to FIG. 2, a PC (ODA) 600 is a PC in which the same ODA as the PC (ODA) 600A, B described above is installed. The PC (ODA) 600 includes a control unit 610, a storage unit 620, an input unit 630, an output unit 640, and a communication unit 650. Further, the PC (ODA) 600 selectively includes an external storage device 660.

  The control unit 610 includes a CPU (Central Processing Unit) and its peripheral circuits. The control unit 610 executes a program stored in the storage unit 620, receives data from the storage unit 620, the input unit 630, the communication unit 650, and the external storage device 660, performs an operation on the data, and performs the storage unit 620 and output. To the communication unit 650 and the communication unit 650. In addition, the control unit 610 controls operations of the storage unit 620, the input unit 630, the output unit 640, and the communication unit 650.

  The storage unit 620 includes a semiconductor memory such as a RAM (Random Access Memory) and a ROM (Read Only Memory). The storage unit 620 stores application programs and data. Also, a part of the HDD may be used as a virtual storage unit.

  The input unit 630 includes a keyboard and a mouse. The input unit 630 is used by a user of the PC (ODA) 600 to input information necessary for the PC (ODA) 600. The output unit 640 includes a display, a speaker, and the like. The output unit 640 outputs information processed by the PC (ODA) 600.

  The communication unit 650 is an interface for connecting the PC (ODA) 600 to the network 500. The PC (ODA) 600 transmits / receives necessary information to / from another computer via the communication unit 650.

  The external storage device 660 reads the program and data recorded on the recording medium 661 into the PC (ODA) 600. Further, the external storage device 660 writes necessary information on the recording medium 661.

  Examples of the computer-readable recording medium 661 include a magnetic tape such as DDS (Digital Data Storage), a magnetic disk such as a floppy (registered trademark) disk, a hard disk, a CD-ROM (Compact Disk Read Only Memory), and a CD-R (Compact An optical disk such as a disk recordable (CD-RW), a compact disk rewriteable (DVD-ROM), a digital versatile disk read only memory (DVD-ROM), a digital versatile disk recordable (DVD-R), and a digital versatile disk random access memory (DVD-RAM); Magneto-optical disk such as MO (Magneto-Optical disk), IC (Integrated Circuit) card, memory card, mask ROM, EPROM (Erasable Programmable Read Only Memory), EEPROM (Electronically Erasable and Programmable Read Only Memory), flash memory Including non-volatile memory such as It is a recording medium. Further, the recording medium 661 may be a medium that carries the program in a fluid manner so that the program is downloaded from the network.

  Similar to PC (ODA) 600, each of IGM 100, ASM 200, SDM 300, ODM 400, and PC (ODA) 600A, B includes a control unit, a storage unit, and a communication unit. The ASM 200 and the PCs (ODA) 600A and B include an input unit and an output unit. The ASM 200 and the PCs (ODA) 600A and B are selectively provided with an external storage device. The IGM 100, SDM 300, and ODM 400 include an external storage device. Further, the IGM 100, the SDM 300, and the ODM 400 selectively include an input unit and an output unit.

  FIG. 3 is a flowchart showing a flow of information security management processing executed by the central defense manager (IGM) 100 in the present embodiment. Referring to FIG. 3, first, a policy formulation process is executed (step S (hereinafter abbreviated as “S”) 100). The policy formulation process is a process that supports creation of a security policy. The policy formulation process will be described later with reference to FIG.

  Next, an information security defense process is executed (S120). The information security defense process is a process for determining whether or not an information processing operation in the information security management system 1 is appropriate, and performing an abnormality occurrence process when it is determined that the information security operation is inappropriate. The information security defense process will be described later with reference to FIG.

  Next, it is determined whether or not it is time to diagnose information security (S170). If it is time for diagnosis, information security diagnosis processing is executed (S171). The information security diagnosis process is a process of diagnosing whether or not the security policy in the organization is incomplete based on the determination result of the information processing operation by the information security defense process. In the information security diagnosis process, if there is a defect in information security, a process for updating the security policy is also performed.

  In the information security diagnosis processing, specifically, scanning diagnosis, pseudo intrusion diagnosis, DoS (Denial of Services) diagnosis, Web application diagnosis, on-site diagnosis, and RAS (Remote Access Service) diagnosis are executed. . In scanning diagnosis, security vulnerabilities of network devices to be diagnosed are inspected by a general-purpose scanner. In the pseudo intrusion diagnosis, a pseudo intrusion investigation into the system is performed based on the diagnosis result by the scanning diagnosis. In the DoS diagnosis, the server durability is diagnosed by performing an attack for the purpose of illegally stopping the server to be diagnosed.

  In the Web application diagnosis, the vulnerability of the Web application is investigated and diagnosed. Web application diagnosis specifically includes site structure search, directory internal (file list) verification that browsing is not possible, data file access with a predictable file name, and authentication restrictions. Verification of pages, verification of direct access to restricted pages, verification of third-party information acquisition by ID (Identification Data) input, verification of whether external content can be output as frames and images, error page Cross-site scripting verification, cookie operation verification, third-party information tampering verification, several types of browser verification, illegal command execution verification within <script> tag, Referer: operation verification, special character input Command execution verification by SSI (Server Side Include) tag input Verification Mende execution, such as verification by the arguments containing blank line (blank) is performed.

  In on-site diagnosis, a general-purpose scanner is used to investigate security vulnerabilities in the network devices to be diagnosed from within the system network. In the RAS diagnosis, an intrusion diagnosis for the RAS server is executed.

  Then, it is determined whether or not it is time to audit information security (S180). If it is time to audit, information security audit processing is executed (S181). The information security audit process creates an audit report for the security policy in the organization based on the diagnosis result of the information security diagnosis process.

  In the information security audit process, an audit by the information security audit system, specifically, a security policy audit and a security function design audit are performed based on the diagnosis results obtained by the information security diagnosis process, and the accumulated logs are recorded. Based on this, a construction design audit and an actual construction audit are performed.

  Finally, it is determined whether or not the security policy needs to be reviewed based on the diagnosis result of the information security diagnosis process and the audit result of the information security audit process (S190). If it is determined that a review is necessary, the process returns to S100. On the other hand, if it is determined that the review is unnecessary, the process returns to S120.

  FIG. 4 is a flowchart showing the flow of policy formulation processing executed as a subroutine of information security management processing by the centralized defense manager 100 in the present embodiment. Referring to FIG. 4, in the policy formulation process, it is first determined whether or not a new security policy is created (S101). If it is determined that the file is newly created, the process proceeds to S102. On the other hand, if it is determined that it is not a new creation, the process proceeds to S108.

  Next, when the process proceeds to S102, the first checklist screen of the checklist including a plurality of questions regarding the security policy is displayed on the output unit (S102). Then, the check result is accepted (S103). Next, it is determined whether or not the entire check list has been completed (S104). If it is determined that all the checklists have not been completed, the next checklist screen is displayed (S105), and the process returns to S103. On the other hand, if it is determined that all the check lists have been completed, the process proceeds to S106.

  A plurality of questions are prepared in advance for each item of a plurality of security policies created in advance according to a format created based on the FISC safety measure standard, the ISMS certification standard of the ISMS conformity assessment system, and the like.

  FIG. 5 is a display screen diagram illustrating an example of a check list screen displayed in the policy development process. Referring to FIG. 5, items on the 18th check list are shown on the check list screen. The item of the 18th check list is a check list item for creating a security policy having contents related to the user ID and the user password.

  On the check list screen, the numbers and contents of a plurality of questions are displayed. Each question item is provided with a radio button which is a GUI (Graphical User Interface) button. Here, the radio buttons of the question items Nos. 2, 5, and 9 are selected. The selected state indicates that YES is selected for the questionnaire.

  In addition, a return button and a forward button are displayed on the check list screen. If the return button is operated, the check result is accepted in S103, and the previous check list is displayed in S105. When the forward button is operated, the check result is accepted in S103, and the next check list is displayed in S105.

  Returning to FIG. 4, when the process proceeds to S106, a security policy is created according to the check result (S106). And a security policy is memorize | stored in policy DB (DataBase) according to the created security policy (S107), and it returns to a main routine.

  Policy DBs corresponding to security policies include a user policy DB and an asset policy DB. The created security policy is subdivided into management targets such as users and assets, and stored in the user policy DB and the asset policy DB so that each security policy data can be specified and accessed. The user policy DB and asset policy DB will be described later with reference to FIG.

  If the process proceeds to S108, the security policy is updated based on the diagnosis result of the information security diagnosis process of FIG. 3 and the audit result of the information security audit process (S108). The updated security policy is stored in the policy DB corresponding to the security policy (S109), and the process returns to the main routine.

  FIG. 6 is a flowchart showing a flow of information security defense processing executed as a subroutine of information security management processing by the centralized defense manager 100 in the present embodiment.

  Referring to FIG. 6, in the information security defense process, first, an SDM update policy reply process is executed (S125). Further, an ODM / ODA update policy reply process is executed (S130). The SDM update policy reply process and the ODM / ODA update policy reply process will be described in association with the information reply process in FIG.

  Next, SDM operation information storage processing is executed (S135), and SDM violation information storage processing is executed (S140). Thereby, the operation information and violation information in the SDM 300 are stored in the storage unit of the IGM 100 or the external storage device.

  Also, an ODM / ODA operation information saving process is executed (S145), and an ODM / ODA violation information saving process is executed (S150). Thereby, the operation information and violation information in each of the ODM 400 and the PC (ODA) 600 are stored in the storage unit or the external storage device of the IGM 100. Thereafter, the process returns to the main routine. The SDM operation information storage process, the SDM violation information storage process, the ODM / ODA operation information storage process, and the ODM / ODA violation information storage process will be described in association with the information storage process in FIG.

  Next, asset master reply processing is executed (S155). As a result, it is possible to notify the SDM 300 of the current asset registration status. The asset master reply process will be described in association with the information reply process in FIG. 9 described later.

  Then, an operation profile configuration process is executed (S160). Thereby, an operation pattern for each user or asset is learned, an operation profile is created based on the learning result, and a security policy is created or updated based on the operation profile. The operation profile configuration process will be described later with reference to FIG.

  FIG. 7 is a block diagram showing exchange of information among the central defense manager 100, the operation defense manager 400, and the operation defense agent in the present embodiment. Referring to FIG. 7, IGM 100 includes an IGM function unit 111, an asset policy DB 121, a user policy DB 122, an operation information DB 123, and a violation information DB 124.

  The ODM 400 includes an ODM function unit 411, an asset policy DB 421, a user policy DB 422, an operation information DB 423, and a violation information DB 424. The PC (ODA) 600 includes an ODA function unit 611, an asset policy DB 621, a user policy DB 622, an operation information DB 623, and a violation information DB 624.

  The IGM function unit 111 executes the information security management process described with reference to FIG. The ODM function unit 411 executes an operation defense management process described later with reference to FIG. The ODA function unit 611 executes an operation defense agent process described later with reference to FIG. The asset policy DBs 121, 421, and 621 are DBs that store security policies for each asset. The user policy DBs 122, 422, and 622 are DBs that store security policies for each user. The operation information DBs 123, 423, and 623 are DBs that store the contents of operation information for each user. Violation information DB124,424,624 is DB which memorize | stores the content of the violation information for every user.

  The security policy established by the IGM function unit 111 is divided into a security policy related to assets and a security policy related to users. The asset policy DB 121 and the user policy for each asset and each user, respectively. Stored in the DB 122.

  The ODM function unit 411 acquires the asset policy and the user policy regarding the ODM 400 and the PC (ODA) 600 belonging to the ODM 400 from the asset policy DB 121 and the user policy DB 122 of the IGM 100, and the asset policy DB 421 and the user policy of the ODM 400 Store in the DB 422.

  The ODA function unit 611 acquires an asset policy and a user policy related to the PC (ODA) 600 from the asset policy DB 421 and the user policy DB 422 of the ODM 400, and stores them in the asset policy DB 621 and the user policy DB 622 of the PC (ODA) 600. Remember.

  The ODA function unit 611 stores the contents of the operation information of the user of the PC (ODA) 600 and the contents of the violation information in the operation information DB 623 and the violation information DB 624, respectively. Then, the ODA function unit 611 transmits the operation information and violation information stored in the operation information DB 623 and the violation information DB 624 to the ODM 400, respectively.

  The ODM function unit 411 stores the operation information and violation information received from the PC (ODA) 600 in the operation information DB 423 and the violation information DB 424, respectively. Further, the contents of operation information and violation information in ODM 400 are stored in operation information DB 423 and violation information DB 424, respectively. Then, the ODM function unit 411 transmits the operation information and violation information stored in the operation information DB 423 and the violation information DB 624 to the IGM 100, respectively.

  The IGM function unit 111 stores the operation information and violation information received from the ODM 400 in the operation information DB 123 and the violation information DB 124, respectively.

  FIG. 8 is a block diagram showing the exchange of information between the central defense manager 100 and the segment defense manager 300 in the present embodiment. Referring to FIG. 8, SDM 300 includes an SDM function unit 311, an asset policy DB 321, an operation information DB 323, and a violation information DB 324.

  The SDM function unit 311 executes a segment defense process described later with reference to FIG. The asset policy DB 321 is a DB that stores a security policy for each asset. The operation information DB 323 is a DB that stores the contents of operation information for each asset. The violation information DB 324 is a DB that stores the content of violation information for each asset.

  The SDM function unit 311 acquires an asset policy related to the SDM 300 from the asset policy DB 121 of the IGM 100 and stores it in the asset policy DB 321 of the SDM 300. The SDM function unit 311 stores the contents of the operation information in the operation information DB 323. The SDM function unit 311 stores the content of violation information in the violation information DB 324. Then, the SDM function unit 311 transmits the operation information stored in the operation information DB 323 and the violation information stored in the violation information DB 324 to the IGM. The IGM function unit 111 stores the operation information and violation information received from the SDM 300 in the operation information DB 123 and the violation information DB 124, respectively.

  The asset policy, user policy, operation information, and violation information described with reference to FIGS. 7 and 8 are preferably stored encrypted. This makes it difficult for each user once stored in the DB to be tampered with by an unauthorized user.

  FIG. 9 is a flowchart showing the flow of information return processing and information acquisition request processing executed in the exchange of information among the central defense manager 100, the segment defense manager 300, the operation defense manager 400, and the operation defense agent in the present embodiment. is there.

  The information acquisition request process is a process for requesting an information request destination computer to acquire information. The information return process is a process of returning information to the information requesting computer. That is, the information acquisition request process and the information return process are processes for exchanging information.

  In the present embodiment, the information acquisition request process and the information return process are respectively executed by the SDM update policy acquisition request process executed by the SDM 300 described in S310 of FIG. 12 and the IGM 100 described in S125 of FIG. The SDM update policy reply process is used to exchange the update policy of the SDM 300 as information.

  Further, the information acquisition request process and the information return process are respectively an ODM / ODA update policy acquisition request process executed by the ODM 400 described in S410 of FIG. 16 and an ODM executed by the IGM 100 described in S130 of FIG. Used in ODA update policy reply processing, and exchanges an update policy between ODM 400 and ODA as information.

  Further, the information acquisition request process and the information return process are respectively executed by the ODA update policy acquisition request process executed by the PC (ODA) 600 described in S630 in FIG. 18 and the ODM 400 described in S415 in FIG. ODA update policy is used in response processing, and an ODA update policy is exchanged as information.

  In addition, the information acquisition request process and the information return process are respectively an ODM / ODA inventory acquisition request process executed by the SDM 300 described in S331 of FIG. 14 and an ODM.exe executed by the ODM 400 described in S425 of FIG. It is used in the ODA inventory reply process, and exchanges inventory between ODM 400 and ODA as information. The inventory refers to various assets (hardware assets, software assets, etc.) of clients (here, ODM 400 and PC (ODA) 600).

  Further, the information acquisition request process and the information return process are respectively executed by the ODA inventory acquisition request process executed in the ODM 400 described in S420 of FIG. 16 and the PC (ODA) 600 described in S635 of FIG. Used in ODA inventory reply processing, and exchanges ODA inventory as information.

  Further, the information acquisition request process and the information return process are respectively an asset master acquisition request process executed by the SDM 300 described in S332 of FIG. 14 and an asset master return process executed by the IGM 100 described in S155 of FIG. Used to communicate the asset master as information. The asset master is a data file of the asset ledger.

  Referring to FIG. 9, first, in the information acquisition request process, the information requesting computer determines whether there is an information acquisition request from the calling process of the information acquisition request process (S21). For example, it is determined whether or not the SDM update policy acquisition request process is called by the segment defense process of FIG. If it is determined that there is no information acquisition request, the process returns to the caller process. On the other hand, if it is determined that there is an information acquisition request, the information acquisition request information is transmitted to the information request destination computer (S22).

  Next, in the information return process, reception of the information acquisition request information from the information acquisition request source computer is confirmed by the information request destination computer (S11). Then, it is determined whether or not information acquisition request information has been received (S12). If it is determined that the information acquisition request information has not been received, the process returns to the main routine. On the other hand, if it is determined that the information acquisition request information has been received, the process proceeds to S13.

  Next, in the information return process, the request information indicated by the information acquisition request information is retrieved from the storage unit and the external storage device by the information request destination computer (S13). Then, it is determined whether there is request information (S14).

  If it is determined that there is request information, the request information is read and the read information is transmitted to the information requesting computer (S15). On the other hand, if it is determined that there is no request information, request information absence information indicating that there is no request information is transmitted to the information requesting computer (S16). After S15 or S16, the process returns to the main routine.

  In the information acquisition request process, the information requesting computer confirms the received information from the information requesting computer (S23), and determines whether there is received information including the requested information (S24). ).

  If it is determined that there is no reception information, the process returns to S23. On the other hand, if it is determined that there is received information and the requested information is included in the received information, the received information is stored in the storage unit or the external storage device (S25), and the process returns to the caller process. If it is determined that there is no received information and the requested information is not included in the received information, the process returns to the caller process. Note that the processing for exchanging information is not limited to the processing described with reference to FIG. 9, and may be other processing. .

  FIG. 10 is a flowchart showing the flow of information storage processing and information storage request processing executed in the exchange of information among the central defense manager 100, the segment defense manager 300, the operation defense manager 400, and the operation defense agent in the present embodiment. is there.

  The information storage request process is a process of requesting information storage from the information storage request destination computer. The information storage process is a process of storing information from a computer that is an information storage request source. That is, the information storage request process and the information storage process are processes for exchanging information.

  In the present embodiment, the information storage request process and the information storage process are respectively executed by the SDM operation information storage request process executed by the SDM 300 described in S320 of FIG. 12 and the IGM 100 described in S135 of FIG. Used in the SDM operation information storage process, and exchanges operation information in the SDM 300 as information.

  The information storage request process and the information storage process are respectively an SDM violation information storage request process executed by the SDM 300 described in S330 of FIG. 12 and an SDM violation information storage process executed by the IGM 100 described in S140 of FIG. The violation information in the SDM 300 is exchanged as information.

  The information storage request process and the information storage process are respectively an ODM / ODA operation information storage request process executed in the ODM 400 described in S440 of FIG. 16 and an ODM / ODA executed in the IGM 100 described in S145 of FIG. Used in the operation information storage process, exchanges operation information in the ODM 400 and ODA as information.

  The information storage request process and the information storage process are respectively an ODM / ODA violation information storage request process executed in the ODM 400 described in S445 of FIG. 16 and an ODM / ODA executed in the IGM 100 described in S150 of FIG. Violation information is used in the violation information storage process, and exchanges violation information in the ODM 400 and ODA as information.

  The information storage request process and the information storage process are respectively an ODA operation information storage request process executed by the PC (ODA) 600 described in S640 of FIG. 18 and an ODA executed by the ODM 400 described in S430 of FIG. Used in the operation information storage process, exchanges operation information in the PC (ODA) 600 as information.

  The information storage request process and the information storage process are respectively an ODA violation information storage request process executed by the PC (ODA) 600 described in S645 of FIG. 18 and an ODA executed by the ODM 400 described in S435 of FIG. Violation information in the PC (ODA) 600 is exchanged as information used in the violation information storage process.

  Referring to FIG. 10, first, in the information storage request process, the storage request source computer searches for storage request information requesting storage (S41). Then, it is determined whether there is storage request information (S42). If it is determined that there is no storage request information, the process returns to the calling process. On the other hand, if it is determined that there is storage request information, the storage request information is read and transmitted to the storage request destination computer (S43).

  Next, in the information storage process, the storage request destination computer confirms reception of the storage request information from the storage request source computer (S31). Then, it is determined whether or not storage request information has been received (S32). If it is determined that the storage request information has not been received, the process returns to the main routine. On the other hand, if it is determined that the storage request information has been received, the process proceeds to S33.

  Next, in the information storage process, the storage request information is encrypted by the storage request destination computer (S33) and stored in the storage unit or the external storage device (S34). Then, storage completion information indicating that the storage has been completed is transmitted to the storage requesting computer (S35), and the process returns to the main routine.

  In the information storage request process, the storage request source computer confirms the reception of the storage completion information (S44), and determines whether the storage completion information has been received (S45). If it is determined that the storage completion information has not been received, the process returns to S43. On the other hand, if it is determined that the storage completion information has been received, the process returns to the caller process. Note that the processing for exchanging information is not limited to the processing described with reference to FIG. 10, and may be other processing.

  FIG. 11 is a flowchart showing the flow of the operation profile configuration process executed as a subroutine of the information security management process by the centralized defense manager 100 in the present embodiment.

  Referring to FIG. 11, in the operation profile configuration process among the operation information for each asset and user stored in the operation information DB 123 in the SDM operation information storage process in S135 and the ODM / ODA operation information storage process in S145 of FIG. Unprocessed operation information is read (S161). Then, it is determined whether or not the read operation information is new operation information for the asset indicated by the operation information and the user (S162).

  If it is determined in S162 that the operation information is new, a new neuron is created (S163). A neuron refers to a neuron, but in this embodiment, the user name, user attribute, operation content, operation target, operation location, operation time, operation method, asset name, A node that indicates asset attributes, asset content, asset location, etc.

  Then, a new synapse is created between all existing neurons and a new neuron (S164), and then the process proceeds to S167. A synapse refers to a connection portion and a connection relationship between a certain neuron and another neuron. In this embodiment, a synapse refers to a link that connects a certain node to another node. Here, a new synapse is created between all existing neurons. However, the present invention is not limited to this, and a new synapse may be created between a plurality of existing neurons having a predetermined relationship. .

  On the other hand, if it is determined in S162 that the information is not new operation information, the level of the existing neuron corresponding to the operation information is increased by a predetermined amount (S165). Then, the level of the existing synapse between the existing neuron whose level is increased and another existing neuron is increased by a predetermined amount (S166). Thereafter, the process proceeds to S167.

  As a result, the IGM 100 learns the operation content, operation target, operation location, operation time, operation method, etc. of a certain user's information processing operation, that is, the information processing operation pattern for each user. Also, the IGM 100 learns the relationship between the operation subject of the information processing operation for a certain asset, the operation content, the asset location, etc., that is, the pattern of the information processing operation for each asset.

  Next, an operation profile for each user and asset is configured according to the level of each formed neuron and synapse (S167). Then, the user policy and the asset policy for each user and asset are updated according to the configured operation profile (S168), and the process returns to the main routine. That is, an operation that does not appear in the operation profile is registered as an abnormal operation in the user policy and the asset policy.

  For example, it is assumed that there is a synapse that connects a neuron indicating a file a and a neuron indicating a file reading operation as a pattern of an information processing operation of a user A. When the level of each neuron and synapse is equal to or higher than a predetermined level, “file read operation for file a” is registered as an operation profile of a certain user A. In such a case, an operation that does not appear in the operation profile, for example, a “delete operation for file a” is registered in the user policy as an abnormal operation. As a result, when user A deletes file a, the policy is violated.

  FIG. 12 is a flowchart showing the flow of segment defense processing executed by the segment defense manager 300 in the present embodiment. Referring to FIG. 12, in the segment defense process, first, an SDM update policy acquisition request process is executed (S310). The SDM update policy acquisition request process is the same as the information acquisition request process described with reference to FIG. By executing the SDM update policy acquisition request process, an asset policy related to the SDM 300 is acquired from the security policies updated by the IGM 100.

  Next, an SDM operation information storage request process is executed (S320). Also, SDM violation information storage request processing is executed (S330). The SDM operation information storage request process and the SDM violation information storage request process are the same processes as the information storage request process described with reference to FIG. By executing the SDM operation information storage request process and the SDM violation information storage request process, the operation information and violation information in the SDM 300 are stored in the IGM 100, respectively.

  Then, an information processing operation saving process is executed (S340). The information processing operation saving process is a process for saving the information processing operation in the SDM 300. The information processing operation saving process will be further described with reference to FIG.

  Next, a management terminal confirmation process is executed (S350). The management terminal confirmation process is a process for confirming whether an asset in the same segment as the SDM 300 violates the asset policy. The management terminal confirmation process will be further described with reference to FIG.

  Then, a suspicious connection detection process is executed (S360). The suspicious connection detection process is a process for detecting a connection from an abnormal terminal outside a suspicious segment. The suspicious connection detection process will be further described with reference to FIG. Thereafter, the process returns to S310, and the processes from S310 to S360 are repeated.

  FIG. 13 is a flowchart showing a flow of information processing operation storage processing executed by the segment defense manager 300, the operation defense manager 400, and the operation defense agent in the present embodiment.

  Referring to FIG. 13, in the information processing operation saving process, it is first determined whether or not there is an information processing operation (S551). If it is determined that there is no information processing operation, the process returns to the main routine. On the other hand, if it is determined that there is an information processing operation, the information processing operation is stored in the operation DB (S552), and the process returns to the main routine. Information processing operations are classified and stored for each asset or user related to the information processing operation.

  FIG. 14 is a flowchart showing a flow of management terminal confirmation processing executed as a subroutine of segment defense processing by the segment defense manager 300 in this embodiment.

  Referring to FIG. 14, in the management terminal confirmation process, first, an ODM / ODA inventory acquisition request process is executed (S331). The ODM / ODA inventory acquisition request process is the same process as the information acquisition request process described with reference to FIG. By executing the ODM / ODA inventory acquisition request process, the inventory of the ODM 400 and the PC (ODA) 600 in the same segment as the SDM 300 is acquired.

  Next, asset master acquisition request processing is executed (S332). The asset master acquisition request process is the same process as the information acquisition request process described with reference to FIG. By executing the asset master acquisition request process, the asset master relating to the ODM 400 and the PC (ODA) 600 in the same segment as the SDM 300 is acquired from the IGM 100.

  Then, the inventory of the ODM 400 and the PC (ODA) 600 in the same segment as the SDM 300 and the asset master are compared (S333), and it is determined whether there is an asset policy violation (S334). Examples of the asset policy violation include a violation that the asset in the asset master is not in the inventory and a violation that the asset that is not in the asset master is in the inventory.

  If it is determined that there is no asset policy violation, the process returns to the main routine. On the other hand, if it is determined that there is an asset policy violation, the violation information is encrypted (S335), stored in the storage unit of the SDM 300 or an external storage device (S336), and the process returns to the main routine.

  FIG. 15 is a flowchart showing the flow of suspicious connection monitoring processing executed as a subroutine of segment defense processing by the segment defense manager 300 in the present embodiment.

  Referring to FIG. 15, in the suspicious connection monitoring process, first, transmission outside the segment is monitored from ODM 400 and PC (ODA) 600 in the same segment as SDM 300 (S341). Then, it is determined whether or not the transmission is from an abnormal terminal such as a terminal not in the asset master or a terminal in violation of the asset policy (S342).

  If the transmission is not from an abnormal terminal, the determined information is transmitted outside the segment (S343), and the process returns to the main routine. On the other hand, if the transmission is from an abnormal terminal, the process returns to the main routine. That is, the information transmitted from the abnormal terminal is not transmitted outside the segment.

  FIG. 16 is a flowchart showing a flow of operation defense management processing executed by the operation defense manager 400 in the present embodiment. Referring to FIG. 16, in the operation defense management process, first, an ODM / ODA update policy acquisition request process is executed (S410). The ODM / ODA update policy acquisition request process is the same as the information acquisition request process described with reference to FIG. By executing the ODM / ODA update policy acquisition request processing, the asset policy and user policy related to the ODM 400 and the PC (ODA) 600 among the security policies updated by the IGM 100 are acquired.

  Then, the ODA update policy reply process is executed (S415). The ODA update policy reply process is the same process as the information reply process described with reference to FIG. By executing the ODA update policy reply process, the asset policy and user policy related to the acquired PC (ODA) 600 are returned in response to a request from the PC (ODA) 600.

  Next, an ODA inventory acquisition request process is executed (S420). The ODA inventory acquisition request process is the same as the information acquisition request process described with reference to FIG. By executing the ODA inventory acquisition request process, the inventory of the PC (ODA) 600 is acquired.

  Then, an ODM / ODA inventory reply process is executed (S425). The ODM / ODA inventory reply process is the same process as the information reply process described with reference to FIG. By executing the ODM / ODA inventory return process, the inventory acquired from the PC (ODA) 600 and the inventory of the ODM 400 are returned in response to a request from the SMD 300.

  Next, an ODA operation information saving process is executed (S430). Further, the ODA violation information saving process is executed (S435). The ODA operation information storage process and the ODA violation information storage process are the same processes as the information storage process described with reference to FIG. By executing the ODA operation information saving process and the ODA violation information saving process, the operation information and violation information requested to be saved by the PC (ODA) 600 are saved in the storage unit or the external storage device of the ODM 400, respectively.

  Next, ODM / ODA operation information storage request processing is executed (S440). Also, ODM / ODA violation information storage request processing is executed (S445). The ODM / ODA operation information storage request process and the ODM / ODA violation information storage request process are the same processes as the information storage request process described with reference to FIG. By executing the ODM / ODA operation information storage request process and the ODM / ODA violation information storage request process, the operation information and violation information in the ODM 400 and the PC (ODA) 600 are stored in the IGM 100, respectively.

  Next, an information processing operation saving process is executed (S450). The information processing operation saving process is a process for saving the information processing operation in the ODM 400. The information processing operation saving process has been described with reference to FIG.

  Then, an operation defense process is executed (S460). The operation protection process is a process for determining whether or not an information processing operation in the ODM 400 violates a security policy and performing a process for the policy violation. The operation defense process will be further described with reference to FIG. After S460, the process returns to S410, and the processes from S410 to S460 are repeated.

  FIG. 17 is a flowchart showing a flow of operation defense processing executed by the operation defense manager 400 and the operation defense agent in the present embodiment. The operation defense process is executed as a subroutine of the operation defense management process executed by the ODM 400 described in FIG. 16 and the operation defense agent process executed by the PC (ODA) 600 described in FIG.

  Referring to FIG. 17, in the operation defense process, first, an information processing operation stored in the operation DB of the storage unit or the external storage device is acquired (S501). Then, the acquired operation is compared with the user policy and the asset policy stored in the user policy DB and the asset policy DB, respectively (S502). Here, the user policy or asset policy to be compared is the user policy or asset policy that is applied to the executed user or asset, depending on which user or asset the acquired operation was executed on. It is.

  Next, as a result of the comparison, it is determined whether the acquired operation is a policy violation operation (S503). If it is determined that the operation is not a policy violation, the process returns to the main routine. On the other hand, if it is determined that the operation is a policy violation, the violation information that is the policy violation operation information is encrypted (S504), and the encrypted violation information is stored in the violation information DB (S505). . Then, a warning indicating a policy violation is displayed on the output unit (S506), and a violation reason input request text box for requesting the user to input the reason for the policy violation is displayed on the output unit (S507).

  Next, it is determined whether or not a reason for violation has been input in the violation reason input request text box (S508). If it is determined that it has not been input, S508 is repeated. If it is determined that it has been input, violation information is determined. And the input reason for violation is transmitted to the ASM 200 (S509).

  Then, reception information from the ASM 200 is confirmed (S511), and it is determined whether there is reception information (S512). If it is determined that there is no reception information, the process returns to S511. On the other hand, if it is determined that there is received information, it is determined whether the received information is release information for releasing the policy violation (S513). If it is determined that the information is cancellation information, the warning for policy violation is canceled (S514), and the process returns to the main routine. On the other hand, if it is determined that the information is not release information, the PC (ODA) 600 is forcibly terminated (S515).

  FIG. 18 is a flowchart showing a flow of operation defense agent processing executed by the operation defense agent in the present embodiment. The operation defense agent process is a process performed by the PC (ODA) 600.

  Referring to FIG. 18, in the operation defense agent process, a login process is first executed (S610). The login process is a process that is performed when the PC (ODA) 600 is started up. If the security policy is violated, the login process is not permitted and the PC (ODA) 600 is forcibly terminated. The login process will be further described with reference to FIG.

  Next, ODA update policy acquisition request processing is executed (S630). The ODA update policy acquisition request process is the same process as the information acquisition request process described with reference to FIG. By executing the ODA update policy acquisition request processing, the user policy and asset policy that are updated in the IGM 100 and stored in the user policy DB and the asset policy DB of the ODM 400 are related to the PC (ODA) 600. Policies and asset policies are obtained.

  Next, an ODA inventory return process is executed (S635). The ODA inventory reply process is the same process as the information reply process described with reference to FIG. By executing the ODA inventory return process, the inventory of the PC (ODA) 600 is stored in the storage unit of the ODM 400 or the external storage device.

  Next, an ODA operation information storage request process is executed (S640). Also, an ODA violation information storage request process is executed (S645). The ODA operation information storage request process and the ODA violation information storage request process are the same processes as the information storage request process described with reference to FIG. By executing the ODA operation information storage request process and the ODA violation information storage request process, the operation information and violation information in the PC (ODA) 600 are stored in the ODM 400.

  Next, an information processing operation saving process is executed (S650). The information processing operation saving process is a process for saving the information processing operation in the PC (ODA) 600. The information processing operation saving process has been described with reference to FIG.

  Then, policy authority display processing is executed (S660). The policy authority display process is a process for displaying the asset policy and the user policy stored in the asset policy DB 621 and the user policy DB 622 of the PC (ODA) 600 in the PC (ODA) 600.

  As a result, the policy information given to the user and the PC (ODA) 600 can be confirmed by the user, so that the policy information can be made known to the user, and the policy is You can check whether you have violated. The policy authority display process will be further described with reference to FIG.

  Next, an operation defense process is executed (S670). Since the operation defense process has been described with reference to FIG. 17, the description thereof will not be repeated.

  Next, a policy exception application process is executed (S680). The policy exception application process is a process for applying for the issuance of an exception security policy that allows an exceptionally policy violation operation when a user of the PC (ODA) 600 wants to perform a policy violation operation without being malicious. The policy exception application process will be further described with reference to FIG. After S680, the process returns to S620, and the processes from S620 to S680 are repeated.

  FIG. 19 is a flowchart showing a flow of a login process executed as a subroutine of the operation defense agent process by the operation defense agent in the present embodiment. The login process is a process performed by the PC (ODA) 600.

  Referring to FIG. 19, in the login process, first, the connection between the PC (ODA) 600 and the ODM 400 via the network is confirmed (S611). Then, it is determined whether or not the ODM 400 is connected (S612). If it is determined that the ODM 400 is connected, the process proceeds to S613. On the other hand, if it is determined that the ODM 400 is not connected, the process proceeds to S621.

  If the process proceeds to S613, ODA update policy acquisition request processing is executed (S613). Since the ODA update policy acquisition request processing has been described in S630 of FIG. 18, description thereof will not be repeated. By executing the ODA update policy acquisition request process, the latest user policy and asset policy related to the PC (ODA) 600 can be acquired.

  Then, it is determined whether or not the asset relating to the PC (ODA) 600 is in violation of the policy (S614). If it is determined that the asset is not in violation of the policy, it is determined whether the user of the PC (ODA) 600 is in violation of the policy (S615). If it is determined that the user is not in violation of the policy, the process proceeds to S616. On the other hand, if it is determined in S614 that the asset is in violation of the policy, and if it is determined in S615 that the user is in violation of the policy, the process proceeds to S624.

  When the process proceeds to S616, it is determined whether or not the important check mode has been set at the previous activation. The important check mode is a mode in which operation information stored when the ODM is not connected is checked at the time of activation when the ODM 400 is not connected at the time of activation but is connected to the ODM 400 at the next activation.

  If it is determined that the important check mode is not set, the process proceeds to S618. On the other hand, when it is determined that the important check mode is set, the operation defense process described with reference to FIG. 17 is performed on the operation information when the ODM 400 is disconnected (S617). Thereafter, the process proceeds to S618. If the process proceeds to S618, the normal check mode is set at the next connection. The normal check mode is a mode in which a special check is not performed at the time of activation when the ODM 400 is connected at the time of activation and is connected to the ODM 400 at the next activation. Thereafter, the process returns to the main routine.

  If the process proceeds to S621, it is determined whether or not the asset relating to the PC (ODA) 600 violates the existing asset policy acquired last time (S621). If it is determined that the asset does not violate the existing policy, it is determined whether or not the user of the PC (ODA) 600 violates the existing user policy acquired last time (S622). If it is determined that the user is not in violation of the existing policy, the process proceeds to S623. On the other hand, if it is determined in S621 that the asset is in violation of the existing policy, and if it is determined in S622 that the user is in violation of the existing policy, the process proceeds to S624.

  When the process proceeds to S623, the important check mode is set at the next connection. As a result, when connected to the ODM 400 at the next activation, the apparatus is activated in the important check mode. After S623, the process returns to the main routine.

  When the process proceeds to S624, the contents of the policy violation are encrypted (S624), stored as the violation information in the violation information DB 624 (S625), and the PC (ODA) 600 is forcibly terminated (S626). As a result, the PC (ODA) 600 cannot be used when the security policy is violated at the time of activation.

  For example, a rule-based system is used as the program for determining whether or not there is a policy violation in S503, S614, S615, S621, and S622. The rule base system consists of a rule base that expresses a lot of knowledge by rules and an inference part (inference engine) for applying this knowledge to actual problems. It is an artificial intelligence system to perform. As described above, the rule base for determining whether or not the policy is violated is that the security policy data is a plurality of security contents that are displayed in advance for each of a plurality of items ready-made according to a standardized format. Since it is created on the basis of selection result data in which choices are selected one by one, there is an advantage that it is easy to create automatically by a computer.

  FIG. 20 is a flowchart showing a flow of policy authority display processing executed as a subroutine of operation defense agent processing by the operation defense agent in the present embodiment. The policy authority display process is a process executed by the PC (ODA) 600.

  Referring to FIG. 20, a policy authority display request is first confirmed by policy authority display processing (S651). The policy authority display request is a request to display the asset policy and the user policy stored in the asset policy DB 621 and the user policy DB 622 of the PC (ODA) 600 input from the input unit by the user.

  Then, it is determined whether or not there is a policy authority display request (S652). If it is determined that there is no policy authority display request, the process returns to the main routine. On the other hand, if it is determined that there is a policy authority display request, the policy authority is displayed on the output unit of the PC (ODA) 600 (S653). After S653, the process returns to the main routine.

  FIG. 21 is a flowchart showing the flow of policy exception application processing executed as a subroutine of operation defense agent processing by the operation defense agent in the present embodiment. The policy exception application process is a process executed by the PC (ODA) 600.

  Referring to FIG. 21, the policy exception application process first confirms a policy exception application request (S671). The policy exception application request is a request for applying for an exception of the security policy input from the input unit by the user.

  Next, it is determined whether or not there is a policy exception application request (S672). If it is determined that there is no policy exception application request, the process returns to the main routine. On the other hand, if it is determined that there is a policy exception application request, a policy exception content input request text box for requesting the user to input the content of the policy exception application is displayed on the output unit (S673).

  Then, it is determined whether or not the contents of the policy exception application have been input (S674). If it is determined that it has not been input, S674 is repeated. On the other hand, if it is determined that it has been input, the contents of the input policy exception application are transmitted to the ASM 200 (S675).

  Next, information received from the ASM 200 is confirmed (S676). Then, it is determined whether there is received information (S677). If it is determined that there is no reception information, the process returns to S676. On the other hand, if it is determined that there is received information, it is determined whether the received information is an exception policy (S678).

  If it is determined that the received information is an exception policy, the exception policy is saved in the asset policy DB 621 or the user policy DB 622 of the PC (ODA) 600 in a DB corresponding to the exception policy (S679). On the other hand, if it is determined that the received information is not an exception policy, the fact that the approval for the exception policy application has been rejected is displayed on the output unit of the PC (ODA) 600 (S681). After S679 or S681, the process returns to the main routine.

  FIG. 22 is a flowchart showing the flow of the centralized monitoring monitor process executed by the centralized monitoring monitor 200 in the present embodiment. Referring to FIG. 22, in the centralized monitoring process, first, a violation information display process is executed (S210). The violation information display process is a process of displaying policy violations in the SDM 300, the ODM 400, and the PC (ODA) 600. The violation information display process will be further described with reference to FIG.

  Next, policy violation reason approval processing is executed (S220). The policy violation reason approval process is a process of transmitting to the PC (ODA) 600 an administrator's judgment on the reason for the policy violation from the PC (ODA) 600. The policy violation reason approval process will be further described with reference to FIG.

  Next, a policy exception application approval process is executed (S230). The policy exception application approval process is a process of transmitting an administrator's judgment for a policy exception application from the PC (ODA) 600 to the PC (ODA) 600. The policy exception application approval process will be further described with reference to FIG. After S230, the process returns to S210, and the processes from S210 to S230 are repeated.

  FIG. 23 is a flowchart showing a flow of violation information display processing executed as a subroutine of centralized monitoring monitor processing by the centralized monitoring monitor 200 in the present embodiment. Referring to FIG. 23, in the violation information display process, it is first determined whether or not a certain period has elapsed since the previous violation information display process was executed (S211). If it is determined that the fixed period has not elapsed, the process returns to the main routine. On the other hand, if it is determined that a certain period has elapsed, the process proceeds to S212.

  If the process proceeds to S212, the violation information stored in the violation information DB 124 of the IGM 100 is read out after the last display (S212). Then, the read violation information is displayed on the output unit of the ASM 200 (S213). Thereafter, the process returns to the main routine.

  FIG. 24 is a flowchart showing the flow of the policy violation reason approval process executed as a subroutine of the centralized monitoring monitor process by the centralized monitoring monitor 200 in this embodiment. Referring to FIG. 24, in the policy violation reason approval process, firstly, reception of violation information and policy violation reason from ODM 400 or PC (ODA) 600 is confirmed (S221). Then, it is determined whether or not the violation information and the policy violation reason are received (S222).

  If it is determined that it has not been received, the process returns to the main routine. On the other hand, if it is determined that it has been received, a screen for the administrator to approve the reason for policy violation is displayed on the output unit of the ASM 200 (S223). Then, it is determined whether or not the administrator approves the policy violation reason from the input unit of the ASM 200 (S224).

  If approval is input, release information for releasing the policy violation is transmitted to the PC (ODA) 600 (S225). On the other hand, if it is input that the information is not approved, approval rejection information indicating that the policy violation is rejected is transmitted to the PC (ODA) 600 (S226). After S225 or S226, the process returns to the main routine.

  FIG. 25 is a flowchart showing the flow of policy exception application approval processing executed as a subroutine of centralized monitoring monitor processing by the centralized monitoring monitor 200 in the present embodiment. Referring to FIG. 25, in the policy exception application approval process, first, reception of the contents of the policy exception application is confirmed (S231). Then, it is determined whether or not the content of the policy exception application has been received (S232).

  If it is determined that it has not been received, the process returns to the main routine. On the other hand, if it is determined that it has been received, a screen for the administrator to approve the policy exception application is displayed on the output unit of the ASM 200 (S233). Then, it is determined whether or not the administrator approves the policy exception application from the input unit of the ASM 200 (S234).

  If approval is input, an exception policy corresponding to the content of the policy exception application is transmitted to the PC (ODA) 600 (S235). On the other hand, if it is input that the approval is not accepted, approval rejection information indicating that the approval of the policy exception application is rejected is transmitted to the PC (ODA) 600 (S236). After S235 or S236, the process returns to the main routine.

  FIG. 26 is a block diagram showing an outline of an in-house information security management system as a first example of the information security management system 1 of the present embodiment. Referring to FIG. 26, an in-house intranet 10 in which an in-house information security management system is introduced includes a system operation network (operation management segment) 11, an external server network (DMZ (DeMilitarized Zone)) 12, an in-house A network (internal network segment) 13, an internal server network (internal server segment) 14, and a backbone network (backbone network segment) 15 are included.

  The operation management segment 11, DMZ 12, in-house network segment 13, internal server segment 14, and backbone network segment 15 are connected to the Internet 504 via any one of the firewalls 800 </ b> A to 800 </ b> F and the router 850. .

  Furthermore, the operation management segment 11, DMZ 12, in-house network segment 13, internal server segment 14, and backbone network segment 15 are connected to each other via the backbone of the in-house intranet 10.

  In particular, for the operation management segment 11, the internal network segment 13, the internal server segment 14, and the backbone network segment 15 other than the DMZ 12, in order to more firmly prevent unauthorized entry into the network in the organization from the outside, It is connected to the Internet 504 through a two-stage firewall.

  The in-house intranet 10 includes a VPN (Virtual Private Network) device 900. The VPN device 900 uses the Internet 504 as if it is an in-house dedicated LAN, and communicates with an external server + VPN device 950 and external PC + VPN software 980A, B connected to the Internet 504. That is, the external server + VPN device 950, the external PC + VPN software 980A and B, and the VPN device 900 are connected by a virtual LAN.

  The operation management segment 11 includes an operation management server 700A having a backup log DB and PCs (ODA) 600C, D, and E. The operation management segment 11 includes an IGM 100A including an event log DB (operation DB and violation DB), an ASM 200A, an SDM 300A, and an ODM 400A for information security management. Further, ODA is installed in the PC (ODA) 600C, D, E of the operation management segment 11 for security management.

  The DMZ 12 includes a DNS (Domain Name Server) server 700B and a Mail server 700C in a honeypot segment in which security is set to be weak to divert an attack on an important server and grasp an attacker's behavior. The non-segment includes DNS server 700D and Mail server 700E. For information security management, the DMZ 12 includes an SDM 300B in a segment that is a honeypot, and an SDM 300C in a segment that is not a honeypot.

  The in-house network segment 13 includes a department server 700F having a personal information DB, a customer information DB, and a personnel information DB, and PC (ODA) 600F, G, and H. The in-house network segment 13 includes an SDM 300D, an ODM 400B, and a PC (ODA) 600F, G, and H on which ODA is installed for information security management.

  The internal server segment 14 includes a DNS server 700G, an application program (APP) server 700H, a DB server 700I, a Web server 700J, and a Mail server 700K including a MailBOX. The internal server segment 14 includes an SDM 300E for information security management.

  The backbone network segment 15 includes a host computer 700L and PCs (ODA) 600I and J. The backbone network segment 15 includes an SDM 300F, an ODM 400C, and a PC (ODA) 600I, J on which ODA is installed for information security management.

  As described above, the in-house intranet 10 includes the IGM 100A, ASM 200A, SDM 300A to F, ODM 400A to C, and ODA installed in the PC (ODA) 600C to 600J as the in-house information security management system. As described in the embodiment, it is possible to monitor whether the asset or information processing operation in the company intranet 10 violates the security policy, whether the information processing operation is not a suspicious operation, or the like.

  Also, depending on the configuration of each segment, if the PC (ODA) with ODA installed is not in the segment, only SDM is placed, or if the PC (ODA) with ODA installed is in the segment, SDM and ODM can be arranged, or several segments can be managed together by SDM or ODM.

  FIG. 27 is a block diagram showing an outline of an application service provider (hereinafter referred to as “ASP”)-provided information security management system as a second example of the information security management system of the present embodiment.

  Referring to FIG. 27, the ASP system 20 in which the ASP-provided information security management system is introduced includes an in-ASP information processing system 21, an A in-house information processing system 22, a B in-house information processing system 23, and a C in-house information. A processing system 24, a D in-house information processing system 25, and an E in-house information processing system 26 are included.

  The ASP information processing system 21, the A company information processing system 22, the B company information processing system 23, the C company information processing system 24, the D company information processing system 25, and the E company information processing system 26 are connected via the Internet 505. Connected.

  The ASP information processing system 21 includes an IGM 100B and an ASM 200B. The in-house information processing system 22 includes an SDM 300G, an ODM 400D, and PCs (ODA) 600K and L on which ODA is installed. The B in-house information processing system 23 includes an SDM 300H. The in-house information processing system 24 includes an ODM 400E and PCs (ODA) 600M and N. The D internal information processing system 25 includes an SDM 300I and PCs (ODA) 600P and Q. The in-house information processing system 26 includes PCs (ODA) 600R and S.

  As described in the above-described embodiment, a security policy is transmitted from the IGM 100B to the SDMs 300G to I, the ODMs 400D and E, and the PCs (ODA) 600K to S according to the respective assets and users. In addition, operation information and violation information in SDM 300G to I, ODM 400D and E, and PC (ODA) 600K to S are transmitted to IGM 100B.

  By configuring the ASP system 20 in this way, the ASP can provide each organization with information security management tasks such as security policy formulation, information security defense, information security diagnosis, and information security audit. . In addition, each organization can outsource complicated information security operations to the ASP.

  Also, depending on the circumstances of each organization, each organization can use either the ODM or SDM functions of the ASP-provided information security management system, use only the SDM functions, or use the ODM or ODA functions. Or just use it.

  Next, main effects obtained by this embodiment will be described together.

  As described with reference to FIG. 1, the information security management system 1 according to the present embodiment includes a plurality of software assets, hardware assets, and other assets for the purpose of protecting information in an organization configured to carry out business purposes. Manage management targets such as users (including administrators).

  7 and 8, the information security management system 1 is security policy data that an organization should comply with, based on the ISMS certification standard and the FISC safety measure standard of the ISMS conformity assessment system. Security policy storage units such as asset policy DBs 121, 321, 421, and 621 and user policy DBs 122, 422, and 622 that store security policy data that is an information protection system created according to a standardized format including.

  In addition, as described in S350 and S360 in FIG. 12, S460 in FIG. 16, and S670 in FIG. 18, the information security management system 1 has the appropriate information processing operation in the SDM 300, ODM 400, and PC (ODA) 600. It includes a suitability determination unit that determines whether or not. Specifically, the suitability determination unit determines whether the information processing operation conforms to the security policy based on the security policy data stored in the security policy storage unit.

  In addition, the information security management system 1 performs processing when an abnormality occurs when the suitability determination unit determines that it is inappropriate. As processing at the time of occurrence of abnormality, there is processing for notifying a host computer, an administrator, and a user that it is inappropriate.

  For example, as described in S330 of FIG. 7, FIG. 8, FIG. 12, S445 of FIG. 16, and S645 of FIG. There is a process of transmitting violation information from the (ODA) 600 to the IGM 100.

  In addition, as described in S506 to S509 in FIG. 17, as a process of notifying that it is inappropriate, a warning is displayed to the user of the PC (ODA) 600 and an input of the reason for violation is requested. There is a process of sending the reason to the ASM 200.

  In addition, as the process of notifying that it is improper, as described in S221 to S226 in FIG. 24, the administrator inputs an input as to whether or not to approve the reason for violation received from the PC (ODA) 600. There is a process to ask for.

  Further, as the processing at the time of occurrence of abnormality, for example, as described in S140 and S150 in FIGS. 7, 8, and 6, S336 in FIG. 14, S435 in FIG. 16, S505 in FIG. 17, and S625 in FIG. In the IGM 100, the SDM 300, the ODM 400, and the PC (ODA) 600, there is a process of storing violation information in the violation information DBs 124, 324, 424, and 624.

  Further, the abnormality occurrence process includes a process of forcibly terminating the PC (ODA) 600 as described in S515 in FIG. 17 and S626 in FIG.

  In addition, as described with reference to FIGS. 2, 3, 12, 16, and 18, the suitability determination unit has a standardized format based on the ISMS certification standard and the FISC safety measure standard of the ISMS conformity evaluation system. The IGM 100, SDM300, ODM400, and PC (ODA) 600 that store programs for determining suitability such as information security management processing, segment defense processing, operation defense management processing, and operation defense agent processing, which are created to correspond to each other. And a control unit of the IGM 100, the SDM 300, the ODM 400, and the PC (ODA) 600 that performs the suitability determination process according to the suitability determination program stored in the storage unit.

  In this way, since the security policy is created according to a standardized format, a computer program that uses the security policy as a criterion for compliance by creating a program for determining compliance according to that format. In addition, it is possible to determine suitability by a suitability judging program that can be created relatively easily in accordance with a standardized format.

  Further, as described in S350 in FIGS. 11 and 12, S460 in FIG. 16, and S670 in FIG. 18, the suitability determination unit determines whether the information processing operation conforms to the security policy. Is determined based on the security policy data stored in the storage system, and an operation pattern that is frequently repeated from past information processing operations is learned, and abnormality determination is performed based on the learning result.

  As a result, it is possible to determine an information processing operation using the security policy as a criterion for suitability, and to determine an abnormality of the information processing operation based on a past information processing operation.

  As described with reference to FIG. 1, the SDM 300, the ODM 400, and the PC (ODA) 600 on which information processing operations are performed are connected to the network 501 in the organization. Further, as described in S135 and S145 in FIG. 6, S340 in FIG. 12, S450 in FIG. 16, and S650 in FIG. 18, the contents of past information processing operations are performed for each asset and information processing operation. Each user is classified and stored in the operation information DB.

  Further, as described in S350 in FIGS. 11 and 12, S460 in FIG. 16, and S670 in FIG. 18, the suitability determination unit repeats for each asset and each user from the operation information stored in the operation information DB 123. An operation pattern having a high frequency is learned, and abnormality determination is performed based on the learning result.

  As a result, it is possible to determine the abnormality of the information processing operation related to the SDM 300, ODM 400, and PC (ODA) 600 connected to the network 501, and to determine the abnormality of the information processing operation for each user or for each asset. Can do.

  Further, as described in S107 of FIG. 4, the security policy storage unit stores security policy data that is subdivided into management targets such as a plurality of users and assets according to the contents of the security policy data. Data and security policy data for each asset are stored so that they can be identified and accessed.

  In addition, as described in S502 of FIG. 17, the suitability determination unit applies to the management target executed according to which management target information processing operation to be determined is executed in the security policy data. The suitability is determined based on the security policy data for each user or the security policy data for each asset.

  As described above, since the security policy is created according to a standardized format, it is possible to determine the suitability of a relatively simple information processing operation using the security policy as a suitability determination criterion.

  In addition, the security policy data is subdivided into a plurality of management targets according to the content, and the usage applied to the executed management target according to which management target information processing operation to be judged for suitability is executed. Since it is determined whether or not it is appropriate based on the security policy data for each user or the security policy data for each asset, it can be efficiently limited to the security policy data for each user or the security policy data for each asset suitable for the management target. Therefore, it is possible to prevent waste as much as possible from performing the suitability determination based on the security policy data unrelated to the management target.

  In addition, as described with reference to FIG. 1, a PC (ODA) 600 on which an information processing operation is performed is connected to a network 501 in the organization.

  Further, as described with reference to FIGS. 7 and 8, the PC (ODA) 600 is for each user corresponding to a management target such as a user or an asset among the security policy data for each user or the security policy data for each asset. A subdivision security policy storage unit such as an asset policy DB 621 for storing security policy data or security policy data for each asset and a user policy DB 622 is included.

  Further, as described in S611 and S612 of FIG. 19, the PC (ODA) 600 determines that the PC (ODA) 600 is disconnected from the network 501.

  Further, as described in S502 and S503 in FIG. 17 and S621 and S622 in FIG. 19, the PC (ODA) 600 passes through the PC (ODA) 600 during the disconnection period in which it is determined that the PC is disconnected. It is determined that the information processing operation performed is inappropriate based on the security policy data for each user or the security policy data for each asset stored in the subdivision security policy storage unit.

  Further, as described in S611, S612, and S616 of FIG. 19, the PC (ODA) 600 determines that the PC (ODA) 600 is reconnected to the network 501 in the organization.

  Further, as described in S617 of FIG. 19, when it is determined that the PC (ODA) 600 is reconnected, the information processing operation during the disconnection period is determined when the PC (ODA) 600 is determined to be reconnected. If it violates the security policy, the violation information is transmitted to the ODM 400, so that the inappropriate information that specifies that the determination that it is inappropriate during the separation period has been made is sent. Output to the network 501 in the organization.

  Thereby, it is determined that the information processing operation performed through the PC (ODA) 600 during the disconnection period in which the PC (ODA) 600 connected to the network 501 is disconnected from the network 501 is inappropriate. Can be detected and processing can be performed when an abnormality occurs.

  Further, as described in S170 to S181 of FIG. 3, the information security management system 1 determines whether or not there is a defect in the security policy that is the information protection system in the organization based on the determination result by the suitability determination unit. It further includes an information security diagnosis function for diagnosis, and an information security audit function for creating an audit report for a security policy in the organization based on a diagnosis result by the information security diagnosis function.

  As a result, the information security management system 1 can diagnose the security policy in the machine based on the determination result of the information processing operation, and create an audit report on the security policy in the organization based on the diagnosis result. be able to.

  Further, as described in S108 and S109 of FIG. 4, the information security management system 1 updates the security policy data based on the diagnosis result and the audit result. Also, as described in S125 and S130 in FIG. 6, S310 in FIGS. 7, 8, and 12, S410 and S415 in FIG. 16, S630 in FIG. 18, and S613 in FIG. Updated automatically.

  As described above, even when the entire security policy data is subdivided into a plurality of management targets by the information security management system 1, when updating the security policy data, the security policy data for each user or each asset subdivided is subdivided. It is not necessary to update each security policy data one by one, and by updating the security policy data that is not subdivided, the updated security policy data part is subdivided into a plurality of management targets. Depending on whether the security policy data for each asset is supported, the corresponding security policy data for each user or security policy data for each asset is updated and the security policy data is updated. To be automatically updated to the contents of the portion, it can be significantly prevented complication of the security policy data update.

  Further, as described in S100 of FIG. 3 and FIG. 4, the policy formulation function of the IGM 100 supports creation of a security policy composed of a plurality of items that the organization should comply with. In addition, as described in S109 of FIG. 4, the security policy data is subdivided into portions to be applied according to management targets such as a plurality of users and assets according to the contents of the items.

  In addition, as described in S102 and S104 of FIG. 4 and FIG. 5, the policy formulation function of the IGM 100 is ready-made according to a pre-standardized format based on the FISC safety measure standard, BS7799, ISMS certification standard, and the like. A plurality of questions prepared in advance are presented for each of a plurality of items.

  Further, as described in S103 of FIG. 4, a selection result indicating which of the presented question items has been selected is accepted. Further, as described in S106 of FIG. 4, an organizational security policy is created according to the accepted selection result.

  In this way, since the security policy is ready-made according to a standardized format, it is possible to make a determination by a computer using the security policy as a criterion for compliance by creating a program for determining compliance according to the format. It becomes possible, and the suitability determination can be performed by a suitability determination program that can be created relatively easily.

  Next, modifications and feature points of the embodiment described above are listed below.

  In the present embodiment, IGM 100, ASM 200, SDM 300, and ODM 400 are configured by separate computers. However, the present invention is not limited to this, and the IGM 100, ASM 200, SDM 300, and ODM 400 may be configured by one or a plurality of computers. For example, IGM100, ASM200, SDM300, and ODM400 may be included in one computer, IGM100 and ASM200 may be included in one computer, and SDM300 and ODM400 may be included in another computer. It may be included.

  In this embodiment, each PC (ODA) 600A, B, ODM 400, or SDM 300 determines whether or not the security policy is violated. However, the present invention is not limited to this, and the PC (ODA) 600A, B, Operation information in the ODM 400 or SDM 300 may be transmitted to the IGM 100, and the IGM 100 may determine whether the operation violates the security policy.

  In the information security management system according to the present embodiment, information processing operation patterns that are frequently repeated from past information processing operations are learned, security policy data is updated based on the learning results, and the updated security Based on the policy data, when the current information processing operation deviates from the past information processing operation, the abnormality determination is performed.

  However, the present invention is not limited to this, and an information processing operation pattern that is frequently repeated from past information processing operations is learned, and the current information processing operation differs from the past information processing operations based on the learning result. In such a case, any abnormality determination may be performed. For example, when an information processing operation pattern that is frequently repeated from past information processing operations is learned, and the degree of deviation of the current information processing operation from the past information processing operation exceeds a predetermined value based on the learning result In addition, an abnormality determination may be performed.

  In other words, the security policy determination unit that performs the determination based on the security policy, and the degree of deviation of the current information processing operation from the past information processing operation exceeds a predetermined value based on the learning result, not based on the security policy. If there is, a divergence determination unit that performs abnormality determination may be provided separately.

  Further, as in the information security management system according to the present embodiment, the information processing operation pattern frequently repeated from the past information processing operation is learned, the security policy data is updated based on the learning result, and the update is performed. Information security diagnosis function and information security even when the abnormality determination is performed when the current information processing operation is deviated from the past information processing operation based on the security policy data thus determined. The audit function may perform diagnosis or audit for only the security policy data from the beginning without performing diagnosis or audit for the security policy data based on the learning result.

  Furthermore, the learning result security policy data updated based on the learning result described above can be distinguished from the original security policy data formulated by the policy formulation process shown in FIG. 4, and based on the initial security policy data. In the case of abnormality determination, for example, processing at the time of abnormality is performed immediately by one abnormality determination, while in the case of abnormality determination based on the learning result security policy data, for example, abnormality determination is performed three times in succession. It is also possible to change the weights of both security policy data at the time of abnormality determination, such as when processing at the time of abnormality is performed for the first time.

  In addition, when updating the security policy data based on the learning result, the initial security policy data is not deleted or changed, and a new learning result security policy data is generated or the generated learning result security policy data is updated. It may be limited to update processing that does not enter the initial security policy, such as deletion or change within the range.

  In addition, when entering the initial security policy data and updating the data based on the learning result, the IGM 100 notifies the security manager to that effect and changes the condition on the condition that the consent is accepted. Also good.

  The invention of the information security management system 1 in the present embodiment can be regarded as an invention of one information security management apparatus. Further, a program executed on each computer for managing information security in the information security management system 1 can be regarded as an invention of the information security management program. Furthermore, the method for managing information security in the information security management system 1 can be regarded as an invention of the information security management method. In addition, the IGM 100, ASM 200, SDM 300, ODM 400, and PC (ODA) 600 in the information security management system 1 can each be regarded as an apparatus invention. The information security management process, centralized management monitor process, segment defense process, operation defense management process, and operation defense agent process executed in the IGM 100, ASM 200, SDM 300, ODM 400, and PC (ODA) 600 are executed by the program. It can be understood as an invention.

  The embodiment disclosed this time is to be considered as illustrative in all points and not restrictive. The scope of the present invention is defined by the terms of the claims, rather than the description above, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

It is a figure showing the outline of the information security management system in one of the embodiments of the invention. It is a block diagram which shows the structure of the personal computer in this Embodiment. It is a flowchart which shows the flow of the information security management process performed by the concentration defense manager in this Embodiment. It is a flowchart which shows the flow of the policy formulation process performed as a subroutine of an information security management process by the central defense manager in this Embodiment. It is a display screen figure which shows an example of the check list screen displayed by policy formulation processing. It is a flowchart which shows the flow of the information security defense process performed as a subroutine of an information security management process by the central defense manager in this Embodiment. It is a block diagram which shows the exchange of information with the central defense manager in this Embodiment, an operation defense manager, and an operation defense agent. It is a block diagram which shows exchange of information with the central defense manager and segment defense manager in this Embodiment. It is a flowchart which shows the flow of the information return process and information acquisition request process which are performed in the exchange of information with the central defense manager, the segment defense manager, the operation defense manager, and the operation defense agent in this Embodiment. It is a flowchart which shows the flow of the information preservation | save process and information preservation | save request | requirement process which are performed in the exchange of information with the central defense manager in this Embodiment, a segment defense manager, an operation defense manager, and an operation defense agent. It is a flowchart which shows the flow of the operation profile structure process performed as a subroutine of an information security management process by the central defense manager in this Embodiment. It is a flowchart which shows the flow of the segment defense process performed by the segment defense manager in this Embodiment. It is a flowchart which shows the flow of the information processing operation preservation | save process performed by the segment defense manager in this Embodiment, an operation defense manager, and an operation defense agent. It is a flowchart which shows the flow of the management terminal confirmation process performed as a subroutine of a segment defense process by the segment defense manager in this Embodiment. It is a flowchart which shows the flow of the suspicious connection monitoring process performed as a subroutine of a segment defense process by the segment defense manager in this Embodiment. It is a flowchart which shows the flow of the operation defense management process performed by the operation defense manager in this Embodiment. It is a flowchart which shows the flow of the operation defense process performed by the operation defense manager and the operation defense agent in this Embodiment. It is a flowchart which shows the flow of the operation defense agent process performed by the operation defense agent in this Embodiment. It is a flowchart which shows the flow of the login process performed as a subroutine of an operation defense agent process by the operation defense agent in this Embodiment. It is a flowchart which shows the flow of the policy authority display process performed as a subroutine of the operation defense agent process by the operation defense agent in this Embodiment. It is a flowchart which shows the flow of the policy exception application process performed as a subroutine of the operation defense agent process by the operation defense agent in this Embodiment. It is a flowchart which shows the flow of the centralized monitoring monitor process performed by the centralized monitoring in this Embodiment. It is a flowchart which shows the flow of the violation information display process performed as a subroutine of the centralized monitoring monitor process by the centralized monitoring in this Embodiment. It is a flowchart which shows the flow of the policy violation reason approval process performed as a subroutine of a centralized monitoring monitor process by the centralized monitoring monitor in this Embodiment. It is a flowchart which shows the flow of the policy exception application approval process performed as a subroutine of the centralized monitoring monitor process by the centralized monitoring in this Embodiment. It is a block diagram which shows the outline of the internal information security management system as a 1st Example of the information security management system of this Embodiment. It is a block diagram which shows the outline of the application service provider provision type information security management system as a 2nd Example of the information security management system of this Embodiment.

Explanation of symbols

  1 Information Security Management System, 100 Centralized Defense Manager (IGM), 200 Centralized Monitoring Monitor (ASM), 300 Segment Defense Manager (SDM), 400 Operational Protection Manager (ODM), 600, 600A, 600B Personal Computer (PC (ODA)) ).

Claims (12)

An information protection method in which a computer manages a plurality of management targets for defense of information in an organization configured to carry out a business purpose,
A security policy creation support step for supporting creation of a security policy consisting of a plurality of items to be observed by the organization;
A subdivision step of subdividing the data of the security policy into parts to be applied to the plurality of management targets according to the contents of the items;
A suitability determining step for determining whether or not the information processing operation is appropriate;
An informing step for notifying improperness when it is determined by the adequacy determining step that improperness;
Based on the determination result of the suitability determination step, a diagnosis step of diagnosing whether or not the information protection system in the organization is deficient;
An audit report creating step for creating an audit report on the information protection system in the organization based on the diagnosis result of the diagnosis step;
A security policy update step for updating data of a security policy that is not subdivided other than the subdivision security policy data according to a diagnosis result of the diagnostic step;
Depending on which of the divided security policy data subdivided by the plurality of management objects the security policy data portion updated by the security policy update step corresponds to the subdivided security policy data, A subdivided security policy data automatic updating step that automatically updates the contents of the updated security policy data part,
The security policy creation support step includes:
An option presenting step for presenting a plurality of security content options prepared in advance for each of the plurality of items ready-made according to a standardized format;
A selection result receiving step for receiving a selection result indicating which one of the plurality of options presented in the option presenting step is selected;
Creating a security policy for the organization according to the selection result received by the selection result reception step,
The suitability determining step includes:
Determining whether or not the information processing operation conforms to the security policy according to a suitability determination program created so as to correspond to the standardized format in the security policy. A security policy determination step for determining based on the data of the assigned security policy;
When a high-frequency information processing operation pattern that is frequently repeated from past information processing operations is learned, and based on the learning result, the degree of deviation of the current information processing operation from the past information processing operation exceeds a predetermined value Including a deviation determination step for performing abnormality determination,
The security policy determination step includes
Based on the divided security policy data applied to the executed management target according to which management target information processing operation to be determined is performed among the divided security policy data subdivided in the subdividing step. An information protection method including a subdivision determination step for determining. An information security management device for managing a plurality of management targets for the defense of information in an organization configured to carry out a business purpose,
Security policy data storage means for storing security policy data to be adhered to by the organization;
Suitability determination means for determining whether an information processing operation conforms to the security policy based on security policy data stored in the security policy data storage means;
An abnormality processing means for performing processing when an abnormality occurs when it is determined by the suitability determination means that the information is inappropriate.
The security policy data storage means stores security policy data created in accordance with a standardized format,
The suitability determining means includes
A memory storing a program for determining suitability that is created to correspond to the standardized format;
And a central processing unit that performs suitability determination processing according to the suitability determination program stored in the memory. An information security management device for managing a plurality of management targets for the defense of information in an organization configured to carry out a business purpose,
Security policy data storage means for storing security policy data to be adhered to by the organization;
Suitability determination means for determining whether the information processing operation is appropriate;
An abnormality processing means for performing processing when an abnormality occurs when it is determined by the suitability determination means that the information is inappropriate.
The suitability determining means includes
Security policy determination means for determining whether the information processing operation conforms to the security policy based on security policy data stored in the security policy data storage means;
When a high-frequency information processing operation pattern that is frequently repeated from past information processing operations is learned, and the current information processing operation differs from the past information processing operation based on the learning result, abnormality determination is performed. An information security management device, comprising: The information processing terminal on which the information processing operation is performed is connected to the network in the organization,
The deviation determination means includes
An operation content storage means for each operator that classifies and stores the contents of past information processing operations for each person who performed the information processing operations;
A management object operation content storage means for classifying and storing past information processing operation contents for each management object;
A deviation determination unit for each operator that learns the high-frequency information processing operation pattern for each operator from the information stored in the operation content storage unit for each operator and performs abnormality determination based on the learning result;
A management target deviation determining unit that learns the high-frequency information processing operation pattern for each management target from the information stored in the operation target storage unit for each management target and performs abnormality determination based on the learning result. The information security management device according to claim 3. An information security management system for managing a plurality of management targets for defense of information in an organization configured to carry out a business purpose,
Security policy data storage means for storing security policy data to be complied with by the organization, the security policy data being created according to a standardized format;
Suitability determination means for determining whether an information processing operation conforms to the security policy based on security policy data stored in the security policy data storage means;
An abnormality processing means for performing processing when an abnormality occurs when it is determined by the suitability determination means that the information is inappropriate.
The security policy data storage means stores the security policy data so as to specify and access subdivided security policy data subdivided for the plurality of management targets according to the contents thereof,
The suitability determining means includes
Sub-propriety for determining suitability based on sub-security policy data applied to the executed management object according to which management object the information processing operation to be determined is executed among the security policy data An information security management system including a determination unit. An information processing terminal on which the information processing operation is performed is
Connected to the network in the organization,
A means for configuring a part of the security policy data storage means, and a management target sub-security policy data storage means for storing sub-security policy data corresponding to the management target in the sub-security policy data;
Detachment determining means for determining that the information processing terminal is disconnected from the network in the organization;
It is stored in the management target subdivision security policy data storage means that the information processing operation performed through the information processing terminal during the detachment period is improper when it is determined that the separation is determined by the separation determination means. Detachment determining means for determining based on the data of the subdivided security policy,
Reconnection determination means for determining that the information processing terminal is reconnected to the network in the organization;
When it is determined that the reconnection is determined by the reconnection determination means, the inappropriate information specifying that the disconnection determination means is determined to be inappropriate is output to the network in the organization. The information security management system according to claim 5, further comprising: a determination result output unit during separation. A diagnostic unit for diagnosing whether or not the security policy in the organization is incomplete based on a determination result by the suitability determination unit;
The information security management system according to claim 5, further comprising: an audit report creating unit that creates an audit report for a security policy in the organization based on a diagnosis result by the diagnosis unit. Security policy update means for updating security policy data that is not subdivided other than the subdivision security policy data;
Depending on which of the divided security policy data subdivided for each of the plurality of management objects corresponds to the security policy data portion updated by the security policy updating means, the corresponding subdivided security policy data is The information security management system according to claim 7, further comprising subdivided security policy data automatic updating means that automatically updates the contents of the updated security policy data part. Security policy data storage means for storing security policy data to be complied with by an organization configured to carry out a business purpose, the security policy data being created in accordance with a standardized format, An information security management program executed by an information processing terminal that manages a plurality of management targets for defense of information in an organization,
A suitability determining step for determining whether or not the information processing operation is appropriate;
An abnormality processing step for performing processing when an abnormality occurs when it is determined that it is inappropriate by the suitability determination step,
The suitability determining step includes:
Determining whether or not the information processing operation conforms to the security policy in accordance with a suitability determination program created so as to correspond to the standardized format in the security policy. An information security management program comprising a security policy determination step for determining based on security policy data stored in a policy data storage means. Security policy data storage means for storing security policy data to be complied with by an organization configured to carry out a business purpose, the security policy data being created in accordance with a standardized format, An information security management program executed by an information processing terminal that manages a plurality of management targets for defense of information in an organization,
A suitability determination step of determining whether an information processing operation conforms to the security policy based on security policy data stored in the security policy data storage unit;
An abnormality processing step for performing processing when an abnormality occurs when it is determined that it is inappropriate by the suitability determination step,
The security policy data storage means stores the security policy data so as to specify and access subdivided security policy data subdivided for the plurality of management targets according to the contents thereof,
The suitability determining step includes:
Of the security policy data stored in the security policy data storage means, subdivided security policy data applied to the management target executed according to which management target information processing operation to be determined is executed An information security management program including a subdivision determination step for determining suitability on the basis of the subdivision security policy data accessed. An information processing terminal comprising security policy data storage means for storing security policy data to be complied by an organization configured to carry out a business purpose, and managing a plurality of management targets for defense of information in the organization An information security management program to be executed,
A suitability determining step for determining whether or not the information processing operation is appropriate;
An abnormality processing step for performing processing when an abnormality occurs when it is determined that it is inappropriate by the suitability determination step,
The suitability determining step includes:
A security policy determination step of determining whether the information processing operation conforms to the security policy based on security policy data stored in the security policy storage means;
When a high-frequency information processing operation pattern that is frequently repeated from past information processing operations is learned, and the current information processing operation differs from the past information processing operation based on the learning result, abnormality determination is performed. An information security management program including a divergence determination step to be performed. Security policy data storage means for storing security policy data subdivided for the plurality of management objects according to the contents of security policy data to be complied with by an organization configured to carry out the business purpose, An information security management program executed by an information processing terminal connected to a network in the organization for managing a plurality of management targets for defense of information in the organization,
Detachment determining step for determining that the information processing terminal is disconnected from the network in the organization;
It is stored in the subdivided security policy data storage means that the information processing operation performed through the information processing terminal during the disconnection period is inappropriate due to the determination of the disconnection in the disconnection determination step. In-detachment determination step for determining based on the data of the subdivision security policy,
A reconnection determination step of determining that the information processing terminal has been reconnected to the network in the organization;
When it is determined that the reconnection is determined in the reconnection determination step, inappropriate information specifying that the determination is made that the connection is incorrect is output to the network in the organization. An information security management program comprising: a judgment result output step during separation.

Images