It is preferable that personal computers (PCs) and server apparatuses (file server and authorization server) connected to a network in an office or the like are operated according to information security policy decided on an office-by-office basis. Information security policy refers to a basic policy concerning the information security of an entire company, and comprises a collection of policy items for the use of information, prevention of intrusion from outside, and leakage of information.
Apparatuses connected to an office network include not only PCs and server apparatuses, but also peripheral apparatuses, such as multifunction peripherals and printers. Recent multifunction peripherals not only simply print or transmit images but also store image data to thereby provide a file server function to PCs and play roles similar to those of server apparatuses existing on the network.
To maintain a safe and secure office environment, similarly to the PCs and server apparatuses, multifunction peripherals as well are demanded to comply with the information security policy. What is meant by “to comply with the information security policy”, is, for the purpose of prevention of malicious access to multifunction peripherals installed in an office and information leakage, that each multifunction peripheral has restrictions provided on operations thereof from the viewpoint of security, including a restriction of being absolutely required to go through user authentication before the multifunction peripheral is permitted to be operated and a restriction of being absolutely required to encrypt a communication path used by the multifunction peripheral.
For causing PCs and server apparatuses to comply with the information security policy, there is employed a method of distributing OS (operating system)-dependent settings to the PCs and server apparatuses. For example, an OS-dependent setting concerning the encryption of a communication path includes e.g. “permit non SSL connection”, and PCs are managed such that PCs of any PC venders are uniformly caused to comply with the information security policy.
On the other hand, multifunction peripherals have different items of settings between venders, and hence it is impossible to employ a method for uniformly causing the multifunction peripherals to comply with the information security policy by distributing the settings as in the case of PCs and server apparatuses. Therefore, an administrator is required to configure, after becoming familiar with a large number of operation settings (hereafter referred to as “user modes”) of each of multifunction peripherals, the settings of the multifunction peripherals, on a multifunction peripheral-by-multifunction peripheral basis, such that they are made compliant with the information security policy. This demands the administrator to expend enormous efforts. For example, the setting of a user mode in which encryption of a communication path is performed can be “use SSL” for a multifunction peripheral manufactured by A company, while for a multifunction peripheral manufactured by B company, the same can be “encrypt HTTP communication”. Conventionally, this makes it impossible to cause the multifunction peripherals to uniformly comply with the information security policy, and hence, after becoming familiar with user mode settings of multifunction peripherals of various venders, the administrator works to configure the settings of multifunction peripherals on a multifunction peripheral-by-multifunction peripheral basis to make them compliant with the information security policy. Further, unless the settings are properly configured, it practically permits operations not complying with the information security policy, which can be a threat to security of the office.
To eliminate this inconvenience, there has been proposed a system in which an administrator performs inputs complying with the information security policy to thereby create and distribute user modes for a plurality of multifunction peripherals (see e.g. the following PTL 1). The administrator answers questions displayed on a configuration screen on the PC, in compliance with the information security policy. The system having received the answers from the administrator creates, based on the answers, settings which are not dependent on multifunction peripherals (hereinafter referred to as “security policy data”), and converts the created security policy data to respective user modes which are dependent on multifunction peripherals to which associated user modes are to be distributed, respectively. By thus distributing the user modes, the system places different multifunction peripherals in respective states complying with the information security policy, without knowledge of the multifunction peripherals.