JP2012203624A - Business information protection device and business information protection method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a business information protection device allowing enhancement of the information security of a business information system and easy management of the access rule for the system.SOLUTION: When a valid work is applied for registration, a registration determination part 131B adds an application number for uniquely identifying the work to the application. A work schedule information retention part 136 retains work schedule information formally registered by the registration determination part 131B. A log retention part 152 retains the application number added by the registration determination part 131B correlated with an access log of a work application content corresponding to the application number. A work validation part 151B compares the content of the access log of the log retention part 152 with work schedule information retained by the work schedule information retention part 136 corresponding to the application number correlated with the access log, thereby checking presence of an illegitimate access.

Description

  The present invention relates to a business information protection device, a business information protection method, and a program, and more particularly to a business information protection device, a business information protection method, and a program that can improve information security of a business information system.

  Business information systems that support the operation of companies and public facilities, so-called enterprise systems, are now the foundation of organizations of various sizes. The business information system supports complicated organization management by outputting higher value-added information after totaling, accumulating, analyzing and processing data obtained from node terminals and databases.

  Such a business information system requires various maintenance operations such as operation monitoring, failure handling, function expansion and function change even after operation. Normally, a client company that introduces a business information system entrusts this maintenance work to an external management company. An SE (System Engineer) of the management company often performs maintenance work by remotely logging in to the business information system.

  By the way, the SOX (Sarbanes-Oxley) law recently enacted in the United States strongly urges corporate managers and accounting auditors to guarantee the validity of public information. Following this, the Japanese version of the SOX method is scheduled to be introduced in Japan, and there is an urgent need to establish a system that can handle the Japanese version of the SOX method.

  In view of such a social background, Patent Document 1 proposes a technique related to an access rule that is subject to access approval by an administrator in addition to user authentication using an ID and a password.

JP 2004-213475 A

  The access rule described in Patent Document 1 is an effective technique for preventing unauthorized access to the business information system, but it is burdensome because the administrator needs to respond to the work application immediately. That is, it is important to establish an access rule that can easily prevent information leakage, but there is a problem that the user's burden needs to be considered in order to suppress the occurrence of human error.

  Moreover, the business information system introduced into a company is not always a single system. For example, a company may have a separate financial system and customer system, or they may be integrated into a higher system. Even in a company where such a plurality of business systems operate, it is necessary to have a mechanism for improving the information security of each business information system and easily managing the access rules.

  An object of the present invention is to provide a business information protection device capable of improving information security in a business information system.

  According to one aspect of the present invention, a regular user information holding unit that holds regular user information in which a regular user who can execute a predetermined process of the system is registered, and an application for execution of the predetermined process along with designation of a prospective user Application receiving means for receiving application information, schedule holding means for holding schedule information associating the requested predetermined process with the expected access person, and identifying the accessor when executing the predetermined process Execution request receiving means for receiving user identification information from the terminal, user authentication means for referring to the authorized user information to determine whether the accessor is registered as an authorized user, and referring to the schedule information Then, an application state determination means for determining whether or not a predetermined process for setting the access person as an access scheduled person has been applied, determination of the user authentication means, and the application Log information on access history from the terminal to the system and access control means for permitting access for the predetermined processing from the terminal to the system on condition that both judgments of the state judging means are affirmative The log recording means for recording as: the access indicated in the log information and the access for the predetermined process applied in the schedule information, and the schedule information in the access indicated in the log information And verification means for detecting as an unauthorized access an access that does not match the requested access for a predetermined process.

  An applicator notifying means for notifying an approver of a predetermined processing application, and an approval acquiring means for accepting an approval input from the approver, and the schedule holding means further includes the schedule As the information, the predetermined process requested and its approval state are stored in association with each other, and the application state determination unit can further determine whether or not the predetermined process requested has been approved.

  The application state determination means can further determine whether or not the execution date and time of the predetermined process is within the application period.

  Execution condition holding means for holding execution condition information in which an execution condition for a predetermined process is defined, and a predetermined process that has been applied on the condition that the requested process content matches the execution condition information. And an application registration determining means for registering to the application.

  The regular user information holding unit further holds promoted user information indicating a user who can acquire a special authority different from a normal user authority, and the application state determination unit is configured as an execution condition for a predetermined process applied. When the special authority is designated, it can be further determined whether or not the accessor is a user who can acquire the special authority.

  ADVANTAGE OF THE INVENTION According to this invention, the business information protection apparatus which enabled it to improve the information security in a business information system can be provided.

It is a block diagram which shows the structural example of the business information system which concerns on this embodiment. It is a block diagram which shows the function structural example of a business information protection apparatus. It is a figure which shows the example of the data structure of the execution condition information in an execution condition holding part. It is a figure which shows the example of the recording content of the access log hold | maintained at a log holding | maintenance part. It is a figure which shows the example of a display of a login screen. It is a figure which shows the example of a display of an access application screen. It is a figure which shows the example of a display of an access approval screen. It is a figure which shows the example of a display of an access application / approval level setting screen. It is a figure which shows the example of a display of an access log search screen. It is a figure which shows the example of a display of a search result screen. It is a flowchart explaining an access check process.

[Configuration of business information system]
FIG. 1 is a block diagram illustrating a configuration example of a business information system according to the present embodiment. In the business information system shown in the figure, the business information protection device 10 and the work terminal 20 are connected via the network 30, and the client environment 40 is connected to the network 30 via the business information protection device 10. Yes. A log management device 15 is also connected to the business information protection device 10.

  In the business information system shown in FIG. 1, the client environment 40 represents a business environment of a certain company A. Various business systems in the client environment 40 are appropriately subjected to maintenance work even after operation. Although this maintenance work may be performed in the client environment 40, most of the maintenance work is executed by remote access from the work terminal 20. Hereinafter, the user who performs the remote maintenance work is simply referred to as “worker”. The worker is usually an SE (Systems Engineer) of a management company that has signed a maintenance work contract with Company A. An operator operates the work terminal 20 to remotely log in to various business information systems in the client environment 40 via the network 30 and the business information protection device 10. The communication path between the work terminal 20 and the business information protection apparatus 10 is preferably a secure communication path by VPN (Virtual Private Network) or the like.

  In the following, the network 30 will be described on the premise of remote access via a public line such as the Internet or a local area network (LAN), but the business information protection device 10, the client environment 40, and the work terminal 20 are mutually exclusive lines. May be connected.

  Further, in the present specification, “client company” or “client company” means a company that performs organizational work by operating various business information systems and receives a service called maintenance work from the external work terminal 20. The term “client environment 40” shall be used.

  The business information protection device 10 is a device that centrally accepts remote login requests from the work terminal 20 to the client environment 40, and is installed at a network security boundary. The business publication protection device 10 includes TELNET (Telecommunication network), SSH (Secure SHell), FTP (File Transfer Protocol), HTTP (HyperText Transfer Protocol), HTTPS (Hypertext Transfer Protocol Security), Windows (registered trademark) RDP (Remote Desktop). Protocol), access control of communication protocols such as CIFS (Common Internet File System), and auditing by log acquisition (details will be described later).

The business information protection apparatus 10 permits remote login from the work terminal 20 on condition that both of the following two-stage determinations are affirmative.
1. Whether the worker is a registered user (hereinafter referred to as “user authentication”)
2. Whether the worker has already applied for the maintenance work in advance (correctly) (hereinafter referred to as “application determination”)

  The business information protection device 10 includes a relay device 11, a user authentication device 12, an application management device 13, and an access right management device 14. The business information protection device 10 may be a single device that integrally includes the functions of the relay device 11, the user authentication device 12, the application management device 13, and the access right management device 14, but in this embodiment, Will be described as an aggregate of these three devices for the following reason.

  In general, an operator often logs in to a terminal server from his / her terminal and is allowed to access the business information system on the condition that user authentication is performed by the terminal server. In this embodiment, in addition to such a system (conventional system), by introducing a user authentication device 12, an application management device 13, and an access right management device 14, information security can be improved by application determination. I am trying. That is, the relay apparatus 11 shown in FIG. 1 may be an existing terminal server, and will be described below as a general PC (Personal Computer) terminal equipped with WINDOWS (registered trademark).

  When the relay device 11 is accessed via the network 30 from the work terminal 20, the relay device 11 checks the IP address, host name, etc. of the work terminal 20, and immediately disconnects if the connection is not permitted. , Do not allow connection. On the other hand, if the connection is permitted, the relay device 11 requests the user ID and password from the work terminal 20, and the user ID and password transmitted in response to the request are used as the user authentication device 12, The data is supplied to the application management apparatus 13 and the access right management apparatus 14, and a confirmation is requested.

  The user authentication device 12 executes “user authentication” on behalf of the relay device 11. First, the user of the work terminal 20 remotely logs in to the relay device 11 as in the conventional case. At this time, the user ID and password are transmitted to the relay apparatus 11 via the network 30. The user authentication device 12 receives the user ID and password from the relay device 11, executes user authentication, and returns the result to the relay device 11.

  The application management apparatus 13 receives the user ID and password from the relay apparatus 11 and executes “application determination”. Prior to remote login to the business information system, the worker must apply in advance for what kind of work is scheduled to be performed. The application management apparatus 13 centrally manages such work schedules, and upon receiving a remote login request from an operator, checks whether the worker has applied for some maintenance work in advance. . The condition for permitting access to the business information system is that the user authentication is successful and the work application has been completed.

  The access right management device 14 executes “access right authentication” in place of the relay device 11. That is, the access right management device 14 receives the user ID, password, and information indicating the access destination (IP address, host name, etc.) from the relay device 11, and whether the user is permitted to connect to the access destination (access Authentication is performed, and the result is returned to the relay device 11.

  Each of the relay device 11, the user authentication device 12, the application management device 13, and the access right management device 14 includes two servers, a primary system and a secondary system, and has a failover function. In other words, when a failure occurs in the primary server for some reason, the IP address of the primary server is added to the secondary server. Specifically, each of the primary server and the secondary server has a real IP and a virtual IP. When the secondary server monitors the primary server and detects an abnormality, Get the virtual IP of the system. The worker accesses the virtual IP. When an abnormality occurs, the worker automatically switches from accessing the primary server to the secondary server. Thereby, the worker can continue the service using the secondary server without being aware of the failure of the primary server.

As the main merit of the business information protection apparatus 10 of the present embodiment, the following five can be cited.
1. Since application determination is performed in addition to user authentication, the information security of the business information system is strengthened.
2. It is easy to introduce into a business information system that is already in operation.
3. The user's load related to application determination is reduced.
4). A plurality of types of business information systems can be centrally managed by a single business information protection device 10.
5. Access check is easy because the application contents and access log are linked.

  The log management device 15 acquires and manages the contents of access performed by the relay device 11. For example, “summary log” such as access date and time and IP address and “full-text log” of transmitted and received data are acquired and managed.

  The log management device 15 manages the work application content managed by the application management device 13 and the access log managed by the log management device 15, and can easily perform an access check. An access check is to investigate an access log and perform a log audit to determine whether or not access is being made as requested.

  When the user inputs a user ID and password for remote login to the client environment 40 by the worker, the work terminal 20 uses the user ID and password as a remote login request via the network 30. Send to.

  The client environment 40 includes three types of business information systems, a financial information system 41, a customer information system 42, and an inventory management system 43, and one or more approval terminals 44. The financial information system 41 is a system for managing the financial information of the company A. The customer information system 42 is a system for managing customer information of the company A. The inventory management system 43 is a system that manages the inventory status of the products of the company A. The approval terminal 44 is a general PC terminal equipped with a web browser. The approval terminal 44 does not necessarily belong to the client environment 40, and may be a portable terminal such as a notebook PC.

  FIG. 2 is a block diagram illustrating a functional configuration example of the business information protection device 10 and the log management device 15.

  Each block shown in FIG. 2 can be realized in hardware by an element such as a CPU of a computer or a mechanical device, and in software it is realized by a computer program or the like. The function block to be shown is shown. Therefore, these functional blocks can be realized in various forms by a combination of hardware and software.

A: Relay device 11
The login interface processing unit 111 of the relay device 11 receives a remote login request from the work terminal 20. This remote login request includes a user ID and a password. The relay device 11 transfers the received user ID and password for user authentication processing by the user authentication device 12, application determination processing by the application management device 13, and access right authentication processing by the access right management device 14. Further, when the login interface processing unit 111 acquires information (IP address, host name, etc.) indicating the access destination from the work terminal 20, the login interface processing unit 111 transfers the acquired information for access right authentication processing by the access right management device 14. . The login interface processing unit 111 receives the determination results from the user authentication device 12, the application management device 13, and the access right management device 14. Hereinafter, data for identifying a user, such as a user ID or password, is referred to as “user identification information”. As a modification, the user identification information may be biological information such as a fingerprint or an iris.

  The relay device 11 may not be a single device. For example, the relay device 11 for the financial information system 41 and the relay device 11 for the customer information system 42 may be separate. Alternatively, the worker may access a target business information system via any relay device 11 among the plurality of relay devices 11. Providing a plurality of relay apparatuses 11 is preferable from the viewpoint of load distribution and availability. Similarly, a plurality of user authentication devices 12, application management devices 13, and access right management devices 14 may be provided from the viewpoint of load distribution and availability.

B: User authentication device 12
The user authentication device 12 includes a user authentication unit 121 and a regular user information holding unit 122. The user authentication unit 121 acquires the user ID and password from the login interface processing unit 111 when the login interface processing unit 111 of the relay device 11 receives a remote login request. Then, user authentication is performed by determining whether or not the transmission source user is registered in the regular user information holding unit 122 as a regular user. The regular user information holding unit 122 holds regular user information in which a user ID is associated with a password. A user registered in the regular user information is referred to as a “regular user”. The user authentication unit 121 executes user authentication not only for the worker but also for the approver, details of which will be described later. In addition, although the user information holding | maintenance part 122 is mounted in the inside of the user authentication apparatus 12, it is not restricted to this, For example, external apparatuses, such as a LDAP (Lightweight Directory Access Protocol) server, may be sufficient.

  Among the maintenance work for the business information system, there is a work that has a particularly large influence on the business information system, such as a release work. In order to perform this type of maintenance work, it is necessary to perform access with user authority equivalent to that of an administrator, not with normal user authority. However, from the viewpoint of improving the information security of the business information system, it is not preferable to easily give such a special user authority (hereinafter simply referred to as “special authority”). Although the detailed mechanism will be described later, the business information protection apparatus 10 can strictly manage users who can acquire this special authority (hereinafter referred to as “promotable users”). In addition to the regular user information, the regular user information holding unit 122 also holds promoted user information indicating a user who can be promoted. Registering in the promoted user information and becoming a user who can be promoted is called “promotion”, and deleting from the promoted user information and becoming a user who cannot be promoted is called “demotion”.

  The user authentication device 12 in this embodiment is a single device, and manages user identification information in an integrated manner. By executing user authentication connecting a plurality of business information systems and a plurality of parties with a single user authentication device 12, a user authentication policy (policy) can be easily managed.

C: Application management device 13
The application management apparatus 13 includes an application state management unit 131, an application state determination unit 132, an access interface processing unit 133, an execution condition holding unit 135, a work schedule holding unit 136, and a promotion processing unit 138.

  In order to access the business information system, the worker must apply for the execution of the maintenance work in advance. The application status management unit 131 is in charge of processing related to the application for this work. The application state management unit 131 includes a work application unit 131A, a registration determination unit 131B, an application notification unit 131C, and a work approval unit 131D.

  The worker transmits work application information to the application management apparatus 13 via the work terminal 20 before starting work. Work application information is a set of input data such as work purpose, work date and time, subject, and system name to be accessed. In addition to this, the applicant's email address, application date and time, the applicant's IP address, etc. Additional information other than the input data may be included. The work application information is transmitted from the work terminal 20, but is not limited thereto, and may be transmitted from an application terminal (not shown) different from the work terminal 20, for example.

  The work application unit 131 </ b> A receives work application information from the work terminal 20.

  The registration determination unit 131B determines whether the work application information received by the work application unit 131A is compatible with execution condition information (described later with reference to FIG. 3) registered in the execution condition holding unit 135. . If the registration determination unit 131B determines that the work application information does not match the execution condition information, the registration determination unit 131B rejects the application and notifies the worker of the work terminal 20 to that effect. If the registration determination unit 131B determines that the work application information matches the execution condition information, the registration determination unit 131B registers the applied work in the work schedule information of the work schedule holding unit 136. The work application registered in the work schedule information in this way is called “effective work application”. The contents of the work schedule information may be substantially equivalent to the contents of the work application information. That is, of the received work application information, only the work application information that satisfies the requirements as an effective work application is formally registered in the work schedule holding unit 136 as “work schedule information”.

  When a valid work application is made, the registration determination unit 131B gives an application number (work ID) for uniquely identifying the work. In the work schedule information, an application number, work schedule date and time, work contents, worker name, approval status, and the like are associated.

  There are not only maintenance work types that can start work as long as a valid work application is made, but also maintenance work types that cannot be started without approval. Such a definition may be made as a part of the execution condition information.

  Of the work schedule information registered in the work schedule holding unit 136, the work that has passed the scheduled work date and time is in the state of the application history issued in the past, and the application status of the rejected application is Recorded as “rejected”.

  When a valid work application is registered in the work schedule holding unit 136, the application notification unit 131C registers in the execution condition holding unit 135 whether or not the requested work content requires approval. Judgment is made with reference to the execution condition information. When the maintenance work is applied, the application notification unit 131C notifies the approver of the application number. Application notifying unit 131 </ b> C in the present embodiment transmits an e-mail indicating an application number to approval terminal 44. Upon receiving the notification, the approver operates an input unit (not shown) of the approval terminal 44, accesses the application management device 13 of the business information protection device 10 based on the application number, and inputs approval approval / disapproval.

  The work approval unit 131D receives approval approval from the approval terminal 44. When the approval is made, the work approval unit 131D changes the approval state in the work schedule information registered in the work schedule holding unit 136 from “unapproved” to “approved”. In the case of rejection, the work approval unit 131D notifies the worker that the application is rejected, and records the application status of the work schedule information registered in the work schedule holding unit 136 as “rejected”.

  The application state determination unit 132 executes application determination. When a remote login request is received from the worker, it is determined whether or not a work application has been made with reference to the user identification information acquired from the login interface processing unit 111 and the work schedule information registered in the work schedule holding unit 136 To do. The application state determination unit 132 also determines whether or not the reception date and time of the remote login request is within the requested work time.

  For example, when an application is made with a scheduled work time of “10:00 to 11:00”, even if a remote login request is made before 10:00 or after 11:00, the result of the application determination is “No” Remote login is not allowed.

  When both the user authentication and the application determination are affirmative determinations, the access interface processing unit 133 permits a communication path for accessing the client environment 40 from the work terminal 20. Of course, when a maintenance work requiring approval is applied, access is not permitted unless approved.

  The execution condition holding unit 135 holds an access rule for maintenance work as execution condition information. Maintenance tasks have various purposes, such as troubleshooting, investigation, operation monitoring, release work, and so on. The maintenance work is thus classified into a plurality of types (hereinafter simply referred to as “work types”). For example, there may be a case where release work such as adding a module to the business information system is permitted only during business hours. In such a case, the manager of the business information system sets execution conditions so that the release work can be executed only outside business hours. The data structure of the execution condition holding unit 135 will be described later with reference to FIG.

  The work schedule holding unit 136 holds the work schedule information that is officially registered by the registration determination unit 131B of the application state management unit 131 and that satisfies the requirements as an effective work application.

  The promotion processing unit 138 reads work schedule information from the work schedule holding unit 136 every predetermined time, and determines whether there is a user to be promoted or a user to be demoted.

  The application management device 13 in the present embodiment is a single device, and performs application determination centrally. By executing application determination regarding a plurality of business information systems with a single application management device 13, it is easy to manage execution conditions and work schedule information.

  FIG. 3 is a diagram illustrating an example of a data structure of execution condition information in the execution condition holding unit 135.

  The execution condition information is an access rule defined by the manager of each business information system. The rule ID column 135A indicates an ID for uniquely identifying an access rule (hereinafter referred to as “rule ID”). A rule ID is assigned when an access rule is registered. The date field 135B indicates the application date of the access rule. The time column 135C indicates the application time of the access rule. For example, the access rule of the rule ID “1” is applied on the business day of the company A and in the time zone of “6:00 to 16:00”. The work type column 135D indicates the work type of the maintenance work to which the access rule is applied. The approval necessary / unnecessary column 135E indicates whether or not approval is required to execute the corresponding work.

  In the example of FIG. 3, for example, the access rule with the rule ID “1” is applied for the “failure handling” of the work type “01” in “6:00 to 16:00” of “business day”. And maintenance work for the purpose of “investigation” of work type “02”, and these do not require approval. In other words, when performing maintenance work for the purpose of handling a failure with the business day “6:00 to 16:00” as the scheduled work date and time, the worker only has to make a work application indicating that in advance and approve it. Is unnecessary. The access rule with the rule ID “2” is applied to maintenance work for the purpose of “operation monitoring” of the work type “03” in “6:00 to 16:00” of “business days”, Maintenance work for the purpose of “release work” of type “04”, which requires approval. That is, when performing maintenance work for “operation monitoring” and “release work” at “6:00 to 16:00” on the business day, access is made unless approval is made as well as work application. Can not.

For example, it is assumed that the worker A makes a remote access request at the date and time T in “6:00 to 16:00” on business days. At this time, the result of the application determination based on the execution condition information shown in the example of FIG. 3 is as follows.
1. If the application for the work including the date and time T as the scheduled work time has not been made, a negative determination is made.
2. If a failure handling work including the date and time T as the scheduled work time has been applied, an affirmative determination is made.
3. When the operation monitoring work including the date and time T as the scheduled work time has been applied, the application state determination unit 132 refers to the work schedule holding unit 136 and makes an affirmative determination if the requested operation monitoring work has been approved. In the case of unapproved or rejected, a negative determination is made.

  Note that the registration determination unit 131B automatically rejects such an application when the same worker has applied for different work on the same date and time. Therefore, the worker cannot apply for both failure handling work and operation monitoring work for the date T.

  The execution condition holding unit 135 may hold different execution condition information for each business information system. In the present embodiment, the execution condition holding unit 135 is common to the financial information system 41, the customer information system 42, and the inventory management system 43. It is assumed that this is integrated execution condition information defining access rules. In the present embodiment, it is assumed that special authority is required to execute the “release work” of the work type “04”, but the special authority is not required for other work.

D: Access right management device 14
The access right management device 14 includes an access right authentication unit 141 and an access right information holding unit 142. When the login interface processing unit 111 of the relay apparatus 11 accepts a remote login request, the access right authentication unit 141 receives the user ID and password from the login interface processing unit 111 and information indicating the access destination (IP address, host name, etc.) And determines whether or not the transmission source user is permitted to connect to the access destination (has access right) based on the access application status registered in the access right information holding unit 142 . The access right information holding unit 142 holds an access application status associated with information indicating a user ID and an access destination.

E: Log management device 15
The log management unit 151 manages an access log from the work terminal 20 to the client environment 40. The log management unit 151 includes a log recording unit 151A and a work verification unit 151B. The log recording unit 151A records the execution of the remote login request, commands and data transmitted and received between the work terminal 20 and the business information system, and the execution date and time as an access log. At the time of recording, the log recording unit 151A associates the application number assigned by the registration determination unit 131B of the application state management unit 131 with the access log of the work application content corresponding to the application number. In addition, the log recording unit 151A also records a log of denial history such as authentication failure, non-application, no access right, and the like.

  The work verification unit 151B obtains the contents of the access log held by the log holding unit 152 and the work schedule information registered in the work schedule holding unit 136 corresponding to the application number associated with the access log. Compare and check for unauthorized access.

  For example, when a file rewriting process is executed when a work application for “operation monitoring” is made, the work verification unit 151B refers to the access log held in the log holding unit 152. Thus, such unauthorized access is detected. The work verification unit 151B notifies the approval terminal 44 that there has been unauthorized access or access that is suspected of unauthorized access. Alternatively, the access interface processing unit 133 may forcibly prohibit remote access when unauthorized access is detected.

  The log holding unit 152 associates and holds the application number assigned by the registration determination unit 131B of the application state management unit 131 and the access log of the work application content corresponding to the application number. The contents recorded in the access log held by the log holding unit 152 will be described later with reference to FIG.

  FIG. 4 is a diagram illustrating an example of recorded contents of the access log held by the log holding unit 152.

  The log holding unit 152 includes a summary log recording area 152A and a full text log recording area 152B, and holds two types of logs, a summary log and a full text log. The summary log includes the start and end times of access, the use terminal, the IP address and host name of the access destination server, the use ID, and the connection time. The full-text log includes the contents of actual execution / operation of commands.

  In the case of the example of FIG. 4, the main log contents are held for each protocol in the summary log recording area 152A and the full text log recording area 152B. For example, in the case of the “TELNET” protocol, the access start date / time, port, connection source IP address, user ID, connection destination IP address, and connection time are recorded in the summary log recording area 152A, and the full text log recording area 152B. Received data is recorded.

  The recorded contents of the access log shown above are held in the log holding unit 152 in association with the application number. In addition, the access log acquired by WindowsRDP is recorded in a moving image format.

  FIG. 5 is a diagram illustrating a display example of a login screen.

  The login screen 50 shown in FIG. 5 is displayed on the work terminal 20 when a remote login request is made from the work terminal 20 to the relay apparatus 11. When receiving the remote login request, the relay device 11 displays the login window 51 in the login screen 50 of the work terminal 20. That is, the login interface processing unit 111 of the relay device 11 provides the user interface screen of the work terminal 20. A user of the work terminal 20 inputs a user ID and a password on a login window 51 displayed in the login screen 50. The user interface seen from the user is the same as that provided by the conventional terminal server, but the input user identification information is authenticated by the user authentication device 12, the application management device 13, and the access right management device 14, respectively. Supplied for access right authentication.

  FIG. 6 is a diagram illustrating a display example of the access application screen.

  The access application screen 60 shown in FIG. 6 is displayed on the work terminal 20 when the worker accesses the application management apparatus 13 from the work terminal 20 for work application. That is, when accessed from the work terminal 20, the work application unit 131A of the application state management unit 131 causes the work terminal 20 to display the access application screen 60 as a web page.

  In the applicant name area 61, the name of a user who applies for work is input. When an applicant other than himself / herself works, the applicant inputs the name of the user who will actually perform the work. In the subject area 62, the subject of the work to be applied is input. From the system classification area 63, the type of the target business information system is selected. Here, the financial information system 64 is selected. The access interface processing unit 133 may perform control so as to prohibit the user's access to other than the selected business information system at the application date and time.

  The system name area 64 indicates the name of the business information system, and the work type area 65 indicates the work type. The content input area 66 is an area for freely describing work contents and the like. The attached file area 67 is an area for attaching an electronic file such as a procedure manual to be used. The scheduled access date / time area 68 indicates the scheduled work date / time. The worker clicks the application button 69 after inputting data in each item shown on the application screen 60. Then, the work terminal 20 transmits the input data to the application management apparatus 13 as work application information.

  When applying for access, work application information can be attached by attaching an electronic file that contains the procedure name to be used in addition to the applicant name, subject, system classification, system name, work type, contents, and scheduled access date and time. At the same time, it is possible to centrally manage the accompanying electronic files.

  FIG. 7 is a diagram illustrating a display example of the access approval screen.

  The access approval screen 70 shown in FIG. 7 is displayed on the approval terminal 44 when a work application requiring approval is made. That is, the registration determination unit 131B of the application state management unit 131 notifies the approval terminal 44 of the application number when a work application requiring approval is made. When the approver designates the application number and accesses the application management apparatus 13, the work approval unit 131D causes the approval terminal 44 to display the access approval screen 70 as a web page.

  The application information area 71 shows the application content input on the access application screen 60. The approver name area 72 is an area for inputting an approver name. The approval requester name area 73 is an area for inputting the name of the user who requested the approval. For example, when the user B having the authorization authority requests the user C to approve, the user C makes an approval judgment on behalf of the user B. This is a measure for dealing with a special situation such as when the user B is on vacation.

  The communication column 74 is a column for describing a message for the work applicant, and may describe the reason for rejecting the application or a description for adding conditions and orders to the work content when approving the application. The approval button 75 is an approval button, and the rejection button 76 is a rejection button. When any of the approval button 75 and the reject button 76 is clicked, the input content and data indicating approval / disapproval are transmitted to the application management apparatus 13. The work approval unit 131D transmits this data to the work terminal 20 by e-mail, for example.

  When a maintenance work requiring special authority is applied, such as “Release work”, the promoted user information is updated based on approval / disapproval and execution condition information. For example, it is assumed that a release work has been applied for a time zone in the business day “6:00 to 16:00” as the scheduled work time. Once approved, the applicant will be promoted only on the date and time of application. For example, it is assumed that the user A has applied for a release work using “10:00:00 to 11:00” of “September 28, 2006”, which is a business day, as the scheduled work date. When this work is approved, the user A becomes a user who can be promoted for the period indicated as the scheduled work date and time. In other words, when it reaches 10:00 on September 28, 2006, the promotion processing unit 138 promotes the user A and registers it in the promoted user information in the regular user information holding unit 122. Further, when it reaches 11:00 on September 28 or when the release work is completed, the user A is demoted and the user A is deleted from the promoted user information. Thus, in this embodiment, the special authority is an authority with a time limit.

  The special authority here may be a so-called root authority or an administrator authority. That is, a user who can be promoted may be a user who can acquire root authority by, for example, a so-called “su command” of UNIX (registered trademark) after logging in with his / her user ID.

  In addition to the application / approval process, whether or not to grant special authority may be managed by another access policy. For example, the work of the worker B is performed on condition that the release work is applied by the worker B, the work is approved by the approver C, and another authorizer D grants the special authority to the worker B. You may allow it. In this way, by separating the manager with the important authority of “special authority” from the work approver, the information security of the business information protection apparatus 10 can be further enhanced.

  The promotion processing unit 138 may promote a predetermined user when a predetermined condition is satisfied regardless of the work application. For example, when the user B is a disaster response specialist, when the promotion processing unit 138 detects the occurrence of an earthquake, the user B may be promoted for a predetermined time. In such an emergency, an access rule that omits the work application procedure may be used. That is, the promotion condition of the user D may be that the seismometer provided in the business information protection device 10 measures a shake greater than or equal to a predetermined value.

  As another example, it may be determined that a computer virus is detected in the business information system as a promotion condition for a predetermined user. Alternatively, when the user C having special authority accesses beyond the scope of the work application, the user C may be demoted. In other words, promotion or demotion processing may be executed with the occurrence of a predetermined event in the business information protection apparatus 10 or the client environment 40 as a promotion / demotion condition. The person in charge of management can also set promotion / demotion conditions for the promotion processing unit 138 from the outside. For this reason, even in the case of an emergency as described above, an appropriate user can be promptly promoted with a time limit.

  FIG. 8 is a diagram illustrating a display example of the access application / approval level setting screen.

  The access application / approval level setting screen 80 shown in FIG. 8 is displayed on the approval terminal 44 when the administrator presets the access approval level of the work application information. The administrator can set whether or not prior application or approval is required on the access application / approval level setting screen 80 for each port in the server setting.

  The protocol / port number area 81 indicates a port number for each protocol. The service activation area 82 is an area for setting whether to automatically activate a provided service such as a user interface when accessed. The full text log acquisition area 83 is an area for setting whether or not to acquire a full text log of work contents. The access approval level area 84 is an area for setting an approval level as to whether or not prior application or approval is required.

  On the access application / approval level setting screen 80, not only can the approval level be set for each protocol / port number, but also the summary log retention period, full-text log retention period, access application / screen operation log retention period, and server The state can also be set. This makes it possible to frequently delete unnecessary access logs from a huge amount of access logs held by the log holding unit 152.

  In the case of the example of FIG. 8, the 23rd port of the TELNET communication protocol is set to require prior application and approval. On the other hand, the port 223 of the TELNET communication protocol is set to a state where neither application nor approval is required for access. As described above, “preliminary application and approval” can be set for a port that is normally used, or only “preliminary application” can be set assuming that there is no approver in an emergency.

  FIG. 9 is a diagram illustrating a display example of the access log search screen.

  The access log search screen 90 shown in FIG. 9 is displayed on the approval terminal 44 when the approver performs an access check (log audit). The approver sets a search condition for an access log to be searched on the access log search screen 90 in order to confirm whether or not the permitted access is performed in accordance with the work contents requested in advance. . The search button 91 is a button for executing an access log search under a set search condition. When the search button 91 is clicked, data indicating the search condition is transmitted to the log management device 15. The log management unit 151 (the work verification unit 151B) of the log management device 15 extracts the access log registered in the log holding unit 152 based on the data indicating the search condition, and the work schedule of the application management device 13 The work schedule information registered in the holding unit 136 is extracted.

  FIG. 10 is a diagram illustrating a display example of the search result screen.

  The search result screen 100 shown in FIG. 10 is displayed on the approval terminal 44 when the search button 91 on the access log search screen 90 is clicked. That is, the access log satisfying the search conditions set on the access log search screen 90 by the approver is searched by the application management device 13 and the log management device 15, and the search result (access log and work schedule information) is the approval terminal 44. And displayed as a summary on the search result screen 100 as a list.

  The file icon 101 is a button for downloading specific work contents. When the file icon 101 is clicked, the specific contents of the execution command are acquired and displayed as a text file. A file command 102 is a button for downloading application contents. When the file icon 102 is clicked, specific application contents are acquired and displayed. That is, since the approver can easily compare the access log and the application contents, the log audit can be efficiently performed.

  In addition, if a prohibited command or the like that is considered unnecessary according to the application contents is registered in advance as a keyword, the number of record lines and records including the keyword can be extracted. For example, when applying for “general ID work” for the access classification at the time of access application, if the access is based on the general ID, a command for acquiring a privilege ID is not necessary, but a command for adding a user is originally I know it will not be issued. Therefore, “SU-” (a command for acquiring a privilege ID) and “useradd” (a command for adding a user) that are prohibited or unnecessary for “general ID work” are used as keywords in advance. Register with. As a result, an access log including a prohibited command that is considered unnecessary according to the application contents can be extracted and provided to the approver, so that unauthorized use can be found efficiently.

  In addition, if the mail notification function is used, an e-mail can be notified to the administrator when an operation matching the keyword is performed. In this way, log auditing can be performed efficiently simply by performing an access check.

  Here, the search result is displayed so that the access log and the application content can be compared. However, the work verification unit 151B of the log management unit 151 uses the application management device based on the data indicating the search condition. The work schedule information registered in the 13 work schedule holding parts 136 and the access log registered in the log holding part 152 are compared with each other in the work schedule information in the access indicated by the log information. Access that does not match the applied maintenance work access can also be detected as unauthorized access.

[About work application processing]
Here, the work application process performed by the worker of the work terminal 20 will be described. The worker first inputs a user ID and password on the login screen 50 shown in FIG. 5 displayed on the work terminal 20. The work terminal 20 directly accesses the application management apparatus 13 together with the input user identification information without passing through the relay apparatus 11. The application management device 13 transfers the user identification information to the user authentication device 12. The user authentication unit 121 of the user authentication device 12 performs user authentication with reference to the regular user information in the regular user information holding unit 122, and when the authentication fails, the subsequent processing is not executed.

  When the authentication is successful, the user authentication device 12 notifies the application management device 13 that the authentication is successful. The work application unit 131A of the application management apparatus 13 transmits application screen data to the work terminal 20. The work terminal 20 displays an access application screen 60 shown in FIG. The user inputs data on the access application screen 60, and the input data is transmitted to the application management apparatus 13 as work application information.

  The registration determination unit 131B of the application management device 13 compares the requested work content with the execution condition information of the execution condition holding unit 135, and determines whether registration is possible. If it is not a valid work application, the registration determination unit 131B rejects the application, notifies the work terminal 20 of the rejection, and the subsequent processing is not executed. On the other hand, if it is determined that the application is a valid work application, the registration determination unit 131B registers the applied maintenance work in the work schedule information of the work schedule holding unit 136. If the work requires approval, the application notifying unit 131C transmits an e-mail requesting approval to the approval terminal 44.

  Through the above processing, only the work application information that satisfies the requirements as an effective work application among the work application information is formally registered in the work schedule holding unit 136 as “work schedule information”.

[About work approval processing]
Next, a process for approving work contents applied by the work application process will be described. The approval terminal 44 accesses the application management apparatus 13 after receiving an electronic mail indicating that the application has been issued. The approver inputs the user ID and password on the login screen 50 shown in FIG. 5 at an arbitrary timing. The approver also specifies the application number when inputting the user ID and password. The approval terminal 44 transmits the input user ID and password of the approver to the user authentication device 12. The user authentication unit 121 of the user authentication device 12 acquires the user ID and password from the approval terminal 44 and refers to the authorized user information registered in the authorized user information holding unit 122 to perform user authentication of the approver. . If user authentication fails, the subsequent processing is not executed.

  When the authentication is successful, the work approval unit 131D of the application management apparatus 13 searches the work application information registered in the work schedule holding unit 136 based on the application number acquired from the approval terminal 44. The work approval unit 131D of the application management apparatus 13 transmits HTML (HyperText Markup Language) data for the access approval screen 70 to the approval terminal 44 based on the searched work application information. The terminal 44 for approval displays the access approval screen 70 (FIG. 7) regarding the work designated by the application number. When the approver confirms the access approval screen 70 and clicks the approval button 75 or the reject button 76, the input data is transmitted to the application management apparatus 13. The work approval unit 131D of the application management apparatus 13 updates the work schedule information in the work schedule holding unit 136 according to whether approval is allowed. The work approval unit 131D notifies the work terminal 20 of approval / disapproval.

  With the above processing, the work that has been effectively applied is approved. When the approver accesses the application management apparatus 13, the application management apparatus 13 displays a list of work applications awaiting approval, and the approver selects a work application to be approved from among the user applications. Also good. It is also possible to approve or reject a plurality of work applications at once.

[About remote login processing]
Next, remote login processing to the business information system will be described. The worker first accesses the relay device 11 from the work terminal 20. The relay device 11 confirms the IP address of the accessed work terminal 20, determines whether or not to permit the connection, and disconnects the connection if not permitted. On the other hand, when the connection from the work terminal 20 is permitted, the relay apparatus 11 requests the user identification information (user ID and password) from the work terminal 20 in a form suitable for the protocol. The work terminal 20 displays a login screen 50 (FIG. 5) and accepts input of a user ID and a password from the worker. The work terminal 20 transmits the input user ID and password to the relay device 11.

  The relay device 11 supplies the user ID and password received from the work terminal 20 to the user authentication device 12, the application management device 13, and the access right management device 14. The user authentication unit 121 of the user authentication device 12 acquires the user ID and password from the relay device 11 and refers to the regular user information registered in the regular user information holding unit 122 to perform user authentication of the worker. If user authentication fails, the subsequent processing is not executed.

When the authentication is successful, the relay device 11 requests the work terminal 20 to input an access destination. The work terminal 20 receives an input of an access destination from the worker, and transmits information (IP address, host name, etc.) indicating the access destination to the relay device 11. The relay device 11 supplies information indicating the access destination received from the work terminal 20 to the access right management device 14. The access right authentication unit 141 of the access right management device 14 refers to the access application status registered in the access right information holding unit 142 based on the information indicating the access destination, and determines the access right of the user to the access destination. Check. If the access right authenticating unit 141 determines that the access is inappropriate, the access right authenticating unit 141 rejects the user's access to the access destination. On the other hand, if it is determined that the access is appropriate, the user is permitted to access the access destination.
If all the determinations are affirmative, the worker can access the business information system that is the target of the maintenance work.

  Through the above processing, when remote login is performed to the business information system, if it is determined that the access is unauthorized, the login fails and access can be prohibited.

[About promotion / demotion judgment processing]
Next, user promotion / demotion processing executed by the promotion processing unit 138 will be described. The promotion processing unit 138 of the application management apparatus 13 reads the work schedule information from the work schedule holding unit 136 and determines whether there is a user to be promoted. For example, it is assumed that the user A has applied for and approved the release work with “10: 0 to 11:00” of “September 28, 2006” which is a business day as the scheduled work date and time. In this case, when it reaches 10:00 on September 28, 2006, the promotion processing unit 138 promotes the user A. The promotion processing unit 138 transmits user identification information of a user who can be promoted to the user authentication device 12, and registers the user A in the promoted user information of the regular user information holding unit 122.

  Further, the promotion processing unit 138 determines whether there is a user to be demoted from the work schedule information. In the case of the above-described example, when it reaches 11:00 on September 28, 2006, the user A is demoted. The promotion processing unit 138 transmits the user identification information of the user to be demoted to the user authentication device 12, and deletes the user A from the promoted user information in the regular user information holding unit 122.

  The application management apparatus 13 periodically updates the promoted user information by repeatedly executing the above-described processing every predetermined time (for example, every minute).

  As described above, the information security of the business information system can be further improved by the special authority with time restriction. The user may explicitly request the special authority after logging in remotely, but the promotion processing unit 138 may determine the conditions under which the promotion is permitted based on a predetermined promotion condition. .

  The details of the above-described work application process, work approval process, log-in process to the business information system, and promotion / demotion determination process are known techniques as described in Japanese Patent Application Laid-Open No. 2008-117361.

[About access check processing]
Next, the access check process will be described with reference to the flowchart of FIG. The approver uses an input unit (not shown) of the approval terminal 44 to check whether or not the permitted access is performed according to the work requested in advance. Instructs execution of (log audit).

  In step S1, the approval terminal 44 displays the access log search screen 90 shown in FIG. 9 based on an instruction from the approver. The approver sets search conditions for an access log to be searched on the access log search screen 90. In step S <b> 2, the approval terminal 44 receives an input of an access log search condition set by the approver. When the search button 91 is clicked, the approval terminal 44 transmits search condition data for the access log that has been accepted to the log management device 15 in step S3.

  In step S4, when the work verification unit 151B of the log management device 15 receives the search condition data from the approval terminal 44, the work verification unit 151B corresponds to the application number included in the search condition data from the work schedule holding unit 136 of the application management device 13. The work schedule information is read, the access log linked to the application number is read from the log holding unit 152, the two are matched, and it is checked whether unauthorized access has been made. For example, as described above, when a work application for the purpose of “operation monitoring” is made and a file rewrite process is executed, unauthorized access is made. In step S5, the work verification unit 151B reads the access log that matches the search condition from the log holding unit 152, and notifies the approval terminal 44 of the access check result.

  In step S <b> 6, the approval terminal 44 displays the search result screen 100 shown in FIG. 10 based on the access check result received from the log management device 15. In addition, if a prohibited command that seems unnecessary according to the application contents has been registered in advance as a keyword, and an access log that matches the keyword is searched, the number of records and records that match the searched keyword Can be emailed to the administrator.

[Effects of the embodiment of the invention]
As described above, in this embodiment, since application determination is performed in addition to user authentication, it is configured to easily prevent unauthorized access. In the case of only user authentication, leakage of user identification information tends to be directly connected to information leakage from the business information system. However, since the business information protection apparatus 10 further requests a work application procedure, leakage of user identification information is unlikely to be directly connected to unauthorized access. This is because even if an unauthorized user illegally obtains user identification information, psychological suppression is likely to be applied to access the business information system until a false work application is made.

  In addition, a mechanism for restricting access to the client environment 40 is also realized for the SE of a legitimate management company. As described above, since application and approval of work are recorded as a log, a subsequent access check is facilitated. For this reason, there is an advantage that the client company can easily prove the compliance of its own system. With such a feature, the business information protection device 10 can contribute to “strengthening internal controls” required by the SOX.

  When the requested work content does not match the execution condition information, the registration determination unit 131B may notify the approval terminal 44 that a suspicious application has been made, or may temporarily invalidate the user identification information. . By such a work application check of the registration determination unit 131B, an unauthorized work application can be automatically rejected. Furthermore, since it is possible to define not only an application but also a maintenance work that requires approval, information security can be further improved.

  Even when performing maintenance work that requires special authority, by setting a time limit on the special authority, the business information protection apparatus 10 can centrally manage which user is given the special authority at what timing.

  Usually, the maintenance schedule is often fixed in advance. According to the present embodiment, security management of the business information system can be realized in a manner that does not place an excessive psychological burden on the worker and the approver, by the operation of prior work application and approval at an arbitrary timing.

  The business information protection device 10 can also record an access log. In addition, the log management unit 151 can check whether a flaw has occurred between the contents of the application for work and the contents of the actual work. For this reason, it is possible to easily check whether unauthorized access has occurred after the access has been permitted.

In this way, the business information protection device 10
1. User authentication 2. Judgment of compatibility between execution conditions and requested work content. Application determination at remote login request 4. 4. Comparison of remote login request date / time and requested work schedule date / time Judgment regarding special authority It protects business information systems from multiple viewpoints of unauthorized access detection based on access logs.

  Further, the business information protection device 10 can centrally manage access to a plurality of business information systems. This makes it easy to apply a uniform access policy to a plurality of business information systems. Furthermore, there is also an advantage that it can be realized only by adding the business information protection device 10 to the business information system that is already in operation.

  In the above description, “maintenance work” has been described as an example. However, the present invention is not limited to this, and can be applied, for example, when an employee accesses from outside.

  The series of processes described above can be executed by hardware or can be executed by software. When a series of processing is executed by software, a program constituting the software executes various functions by installing a computer incorporated in dedicated hardware or various programs. For example, it is installed from a program recording medium in a general-purpose personal computer or the like.

  The present invention is not limited to the above-described embodiment as it is, and in the implementation stage, the component may be modified and embodied without departing from the spirit of the invention, or a plurality of components disclosed in the above-described embodiment. Various inventions can be formed by appropriately combining the above. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, you may combine the component covering different embodiment suitably.

DESCRIPTION OF SYMBOLS 10 Business information protection apparatus 11 Relay apparatus 12 Login interface process part 12 User authentication apparatus 13 Application management apparatus 20 Work terminal 40 Client environment 41 Financial information system 42 Customer information system 43 Inventory management system 44 Approval terminal 121 User authentication part 122 Regular User information holding unit 131 Application state management unit 131A Work application unit 131B Registration determination unit 131C Application notification unit 131D Work approval unit 132 Application state determination unit 133 Access interface processing unit 135 Execution condition holding unit 136 Work schedule holding unit 138 Promotion processing unit 151 Log management unit 152 Log holding unit 151A Log recording unit 151B Work verification unit

Claims (8)

Authorized user information holding means for holding authorized user information registered with authorized users capable of executing predetermined processing of the system;
Application receiving means for receiving application information for applying for execution of the predetermined process together with designation of a prospective access person;
Schedule holding means for holding schedule information associating the predetermined processing applied with the scheduled access person;
Execution request receiving means for receiving, from the terminal, user identification information for identifying an accessor when executing the predetermined process;
User authentication means for referring to the regular user information to determine whether the accessor is registered as a regular user;
With reference to the schedule information, application state determination means for determining whether or not a predetermined process for setting the access person as an access scheduled person has been applied,
On the condition that both the determination of the user authentication unit and the determination of the application state determination unit are affirmative determination, an access control unit that permits access for predetermined processing from the terminal to the system;
Log recording means for recording an access history from the terminal to the system as log information;
By comparing the access indicated in the log information with the access for the predetermined process applied for in the schedule information, the access indicated in the log information for the predetermined process applied for in the schedule information A business information protection apparatus comprising: verification means for detecting, as unauthorized access, an access that does not match the access of the user. An application notification means for notifying an approver of a predetermined processing application, the processing details of the application,
And an approval acquisition means for receiving an approval input from the approver,
The schedule holding means further holds, as the schedule information, a predetermined process requested and its approval state in association with each other,
The business information protection apparatus according to claim 1, wherein the application state determination unit further determines whether or not the predetermined process requested has been approved. The business information protection device according to claim 1, wherein the application status determination unit further determines whether or not an execution date and time of a predetermined process is within an applied period. Execution condition holding means for holding execution condition information in which execution conditions of a predetermined process are defined;
The application registration determining means for registering the predetermined process applied to the schedule information on condition that the applied processing content is consistent with the execution condition information. The business information protection device according to any one of the above. The regular user information holding means further holds promoted user information indicating a user who can acquire special authority different from normal user authority,
The application status determination means further determines whether or not the accessor is a user who can acquire the special authority when the special authority is specified as an execution condition for the predetermined process for which the application has been made. The business information protection device according to claim 4. A promotion condition setting means for accepting an input of a promotion condition setting indicating a special authority acquisition condition;
6. The business information protection apparatus according to claim 5, further comprising a promotion registration unit that registers a user who is a target of the promotion condition in the promoted user information when the promotion condition is satisfied. A regular user information holding step for holding regular user information in which a regular user who can execute a predetermined process of the system is registered;
An application receiving step for receiving application information for applying for execution of the predetermined process together with designation of a prospective access person;
A schedule holding step for holding schedule information associating the predetermined process applied with the scheduled access person;
An execution request receiving step of receiving, from the terminal, user identification information for identifying an accessor when executing the predetermined process;
A user authentication step of determining whether or not the accessor is registered as a regular user with reference to the regular user information;
With reference to the schedule information, an application state determination step for determining whether or not a predetermined process with the access person as an access schedule person has been applied,
On the condition that both the determination in the user authentication step and the determination in the application state determination step are affirmative determination, an access control step for permitting access for predetermined processing from the terminal to the system;
A log recording step of recording an access history from the terminal to the system as log information;
By comparing the access indicated in the log information with the access for the predetermined process applied for in the schedule information, the access indicated in the log information for the predetermined process applied for in the schedule information And a verification step of detecting as an unauthorized access an access that does not match the access of the business information. A regular user information holding step for holding regular user information in which a regular user who can execute a predetermined process of the system is registered;
An application receiving step for receiving application information for applying for execution of the predetermined process together with designation of a prospective access person;
A schedule holding step for holding schedule information associating the predetermined process applied with the scheduled access person;
An execution request receiving step of receiving, from the terminal, user identification information for identifying an accessor when executing the predetermined process;
A user authentication step of determining whether or not the accessor is registered as a regular user with reference to the regular user information;
With reference to the schedule information, an application state determination step for determining whether or not a predetermined process with the access person as an access schedule person has been applied,
On the condition that both the determination in the user authentication step and the determination in the application state determination step are affirmative determination, an access control step for permitting access for predetermined processing from the terminal to the system;
A log recording step of recording an access history from the terminal to the system as log information;
By comparing the access indicated in the log information with the access for the predetermined process applied for in the schedule information, the access indicated in the log information for the predetermined process applied for in the schedule information A program that causes a computer to execute a process including a verification step of detecting an access that does not match the access of the user as an unauthorized access.

Images