PREVENTING CONFLICTS OF INTERESTS BETWEEN TWO OR MORE GROUPS

Abstract
To prevent conflicts of interest, an information management system is used to make sure two or more groups are kept apart so that information does not circulate freely between these groups. The system has policies to implement an “ethical wall” to separate users or groups of users. The users or groups of users may be organized in any arbitrary way, and may be in the same organization or different organizations. The two groups (or two or more users) will not be able to access information belonging to the other, and users in one group may not be able to pass information to the other group. The system may manage access to documents, e-mail, files, and other forms of information.
Description

BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 shows a diagram of a distributed computing network connecting a server and clients.



FIG. 2 shows a more detailed diagram of a computer system which may be a client or server.



FIG. 3 shows a system block diagram of a computer system.



FIG. 4 shows a block diagram of a policy server that centrally manages policies that are used by workstations and servers according to a specific implementation of the invention.



FIG. 5 shows a block diagram of a number of workstations and document servers with policy enforcers installed that coexist within a system according to a specific implementation of the invention.



FIG. 6 shows a block diagram of minimal embodiments that utilize a number of workstations each with policy enforcers installed or a number of document servers each with policy enforcers installed according to a specific implementation of the invention.



FIG. 7 shows a block diagram of internal components of a policy server according to a specific implementation of the invention.



FIG. 8 shows a block diagram of the internal components of an intelligence server according to a specific implementation of the invention.



FIG. 9 shows a block diagram of an interceptor and a consequence applicator in a policy enforcement point (PEP) module according to a specific implementation of the invention.



FIG. 10 shows a block diagram of a policy enforcer that implements interception and enforcement functions using a PEP plug-in architecture according to a specific implementation of the invention.



FIG. 11 shows a block diagram of a policy enforcer installed on a workstation that controls access to files on the workstation according to the invention.



FIG. 12 shows a block diagram of a policy enforcer on a workstation enforcing access control to a non-file-system object according to the invention.



FIG. 13 shows a layer description of an implementation of a policy language system of the invention.



FIG. 14 shows the functional modes of an information system of the invention.



FIG. 15 shows an example of interactions between multiple policies and multiple policy abstractions.



FIG. 16 shows an example of one policy and multiple policy abstractions, where one policy abstraction references other policy abstractions.



FIG. 17 shows accessing a confidential document, seeking approval, with a centralized decision.



FIG. 18 shows accessing a confidential document, seeking approval, with a distributed decision.



FIG. 19 shows blocking sending of a confidential document outside the company.



FIG. 20 shows encrypting a confidential document when copying to a removable device.



FIG. 21 shows sending of a confidential document between users who should observe separation of duties.



FIG. 22 shows an example of a deployment operation to a workstation of an information management system.



FIG. 23 shows an example of a deployment operation of rules associated with a user.



FIG. 24 shows an example of a push operation, pushing one set of rules to a workstation and another set of rules to a server.



FIGS. 25-50 show syntax diagrams for a specific implementation of a policy language, the Compliant Enterprise Active Control Policy Language (ACPL).



FIG. 51 provides a legend explaining the nodes used in FIGS. 25-50.


Claims
  • 1. A method of managing information comprising: providing an organization comprising a first group and a second group, wherein the organization has an information management system comprising a policy server comprising one or more rules to manage information of the organization; within the first group of the organization, providing a first user and a first document managed by the information management system; when the first user attempts to access the first document, seeking approval from the policy server; if approved, permitting the first user to access the first document; and if not approved, blocking the first user from accessing the first document.
  • 2. A method of managing information comprising: providing an organization comprising a first group and a second group, wherein the organization has an information management system comprising a policy server comprising one or more rules to manage information of the organization; within the first group of the organization, providing a first user and a first document managed by the information management system; storing a subset of the one or more rules of the policy server on a first device of the first user; when the first user attempts to access the first document, evaluating on the first device whether to approve access to the first document; if approved, permitting the first user to access the first document; and if not approved, blocking the first user from accessing the first document.
  • 3. The method of claims 1 or 2 wherein when the access comprises the first user attempting to send the first document to a user in the second group, approval to access the first document will not be given.
  • 4. The method of claims 1 or 2 further comprising: when a second user of the second group attempts to access any information on a server in the first group, blocking access to the information.
  • 5. The method of claim 4 wherein the server is an FTP server.
  • 6. The method of claim 4 wherein the server is a web server.
  • 7. The method of claim 4 wherein the server is a file server.
  • 8. The method of claims 1 or 2 further comprising: when an application program executing on a device of the second group attempts to access any information on a server in the first group, blocking access to the information.
  • 9. The method of claims 1 or 2 further comprising: when an application program executing on a device of the second group attempts to access a server in the first group, blocking access to the server.
  • 10. The method of claim 9 wherein the application program comprises at least one of instant messenger, file transfer protocol client application, or video conferencing client application.
  • 11. The method of claims 1 or 2 further comprising: when an application program executing on a device of the second group attempts to access a device in the first group, blocking the access to the device in the first group.
  • 12. The method of claims 1 or 2 further comprising: when an application program executing on a device of the second group attempts to access a document on a device in the first group, blocking the access to the document on the device of the first group.
  • 13. The method of claims 1 or 2 further comprising: when an application program executing on a device of the second group attempts to access a device in the first group through a server, blocking the access to the server.
  • 14. The method of claim 13 wherein the server is in the first group.
  • 15. The method of claim 13 wherein the server is in the second group.
  • 16. The method of claim 13 wherein the server is not in the first or second group.
  • 17. The method of claims 1 or 2 further comprising: when an application program executing on a device of the second group attempts to access a device in the first group through a server, wherein the server is not in the first or second group, blocking the access to the device in the first group.
  • 18. The method of claims 1 or 2 wherein approval is granted to the first user to access the first document and the method further comprises: when a second user of the second group attempts to access the first document, approval of the access to the first document is denied.
  • 19. A method of managing information comprising: providing an organization comprising a first group and a second group, wherein the organization has an information management system comprising a policy server comprising one or more rules to manage information of the organization; within the first group of the organization, providing a first user and a first application program managed by the information management system; when the first user uses the first application program to connect to a second user, seeking approval from the policy server; if approved, permitting the first user to use the first application program to connect to the second user; and if not approved, blocking the first user from using the first application program to connect to the second user.
  • 20. A method of managing information comprising: providing an organization comprising a first group and a second group, wherein the organization has an information management system comprising a policy server comprising one or more rules to manage information of the organization; within the first group of the organization, providing a first user and a first application program managed by the information management system; storing a subset of the one or more rules of the policy server on a first device of the first user; when the first user uses the first application program to connect to a second user, evaluating the subset of the one or more rules on the first device to determine whether to approve the connection from the first user to a second user; if approved, permitting the first user to use the first application program to connect to the second user; and if not approved, blocking the first user from using the first application program to connect to the second user.
  • 21. The method of claims 19 or 20 wherein the first application comprises an instant messenger program.
  • 22. The method of claims 19 or 20 wherein the second user is outside the organization.
  • 23. The method of claims 19 or 20 wherein the second user is inside the organization, but not in the first or second groups.
  • 24. The method of claims 19 or 20 wherein the second user is in the second group.
  • 25. A method of managing information comprising: providing an organization comprising a first group and a second group, wherein the organization has an information management system comprising a policy server comprising one or more rules to manage information of the organization; within the first group of the organization, providing a first user and a first application program managed by the information management system; storing a subset of the one or more rules of the policy server on a first device of the first user; when the first user uses the first application program to communicate to a second user, evaluating the subset of the one or more rules on the first device to determine whether to approve the communication from the first user to a second user; if approved, permitting the first user to use the first application program to connect to the second user; and if not approved, blocking the first user from using the first application program to communicate to the second user.
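The centralized decision of claim 1 and the on-device decision of claim 2, sketched in Python as an added example that is not code from the patent. The names WallRule, PolicyServer, DeviceEnforcer and decide, the sample users, groups and documents, and the fail-closed handling of unknown users or documents are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (not from the patent): users, groups, documents.
GROUPS = {"alice": "deal_team", "carol": "deal_team",
          "bob": "research", "dave": "trading"}
DOC_OWNER = {"merger_memo.doc": "deal_team", "sector_report.doc": "research"}

@dataclass(frozen=True)
class WallRule:
    """Ethical wall: no information flows between group_a and group_b."""
    group_a: str
    group_b: str

    def separates(self, g1, g2):
        return {g1, g2} == {self.group_a, self.group_b}

def decide(rules, user, action, doc, recipient=None):
    """Evaluate one access attempt; returns 'allow' or 'deny'."""
    user_group, owner = GROUPS.get(user), DOC_OWNER.get(doc)
    if user_group is None or owner is None:
        return "deny"  # assumption: unknown users or documents fail closed
    for rule in rules:
        if rule.separates(user_group, owner):
            return "deny"  # access across the wall (claim 18)
        if action == "send" and rule.separates(user_group, GROUPS.get(recipient)):
            return "deny"  # passing a document to the other group (claim 3)
    return "allow"

class PolicyServer:
    def __init__(self, rules):
        self.rules = list(rules)

    def approve(self, user, action, doc, recipient=None):
        """Centralized decision (claim 1): the server evaluates every rule."""
        return decide(self.rules, user, action, doc, recipient)

    def rules_for(self, user):
        """Subset stored on the user's device (claim 2): rules naming their group."""
        group = GROUPS.get(user)
        return [r for r in self.rules if group in (r.group_a, r.group_b)]

class DeviceEnforcer:
    """Distributed decision: evaluates only the locally stored subset."""
    def __init__(self, user, server):
        self.user, self.rules = user, server.rules_for(user)

    def approve(self, action, doc, recipient=None):
        return decide(self.rules, self.user, action, doc, recipient)

SERVER = PolicyServer([WallRule("deal_team", "research"),
                       WallRule("trading", "research")])
```

Both checks in `decide` involve the acting user's group, so in this sketch the per-user subset reaches the same decision as the full rule set held by the server.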
Provisional Applications (5)
Number Date Country
60755019 Dec 2005 US
60766036 Dec 2005 US
60743121 Jan 2006 US
60821050 Aug 2006 US
60870195 Dec 2006 US
Continuation in Parts (3)
Number Date Country
Parent 11383159 May 2006 US
Child 11615637 US
Parent 11383161 May 2006 US
Child 11383159 US
Parent 11383164 May 2006 US
Child 11383161 US