Prosecution Insights
Last updated: April 19, 2026
Application No. 17/364,032

AUTOMATED SECURITY ASSESSMENT OF BUSINESS-CRITICAL SYSTEMS AND APPLICATIONS

Final Rejection §103
Filed: Jun 30, 2021
Examiner: TO, BAOTRAN N
Art Unit: 2435
Tech Center: 2400 — Computer Networks
Assignee: Onapsis S R L
OA Round: 4 (Final)
Grant Probability: 86% (Favorable)
OA Rounds: 5-6
To Grant: 2y 6m
With Interview: 99%

Examiner Intelligence

Grants 86% — above average
Career Allow Rate: 86% (566 granted / 656 resolved; +28.3% vs TC avg)
Interview Lift: +12.4% (Moderate +12% lift; resolved cases with interview)
Typical timeline: 2y 6m Avg Prosecution; 14 currently pending
Career history: 670 Total Applications across all art units

Statute-Specific Performance

§101: 13.3% (-26.7% vs TC avg)
§103: 36.6% (-3.4% vs TC avg)
§102: 17.6% (-22.4% vs TC avg)
§112: 12.6% (-27.4% vs TC avg)
Based on career data from 656 resolved cases

Office Action

§103
DETAILED ACTION

This Office action is responsive to the Amendment filed on 08/27/2025. Claim 1 has been amended. Claims 12-23 have been withdrawn. Claims 1-11 are presented for examination.

Claim Rejections - 35 USC § 103

The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Gaa-Frost et al. (US Patent Application Publication No. 2007/0157195 A1) listed in IDS dated 06/31/2021 hereinafter Gaa-Frost in view of Magdych et al. (US Patent No. 7,096,503 B1) hereinafter Magdych.

Regarding claim 1, Gaa-Frost discloses a method for risk assessment comprising:

identifying a target system (fig. 2, system 201) storing a software system (para 0021, The method 100 receives, at 101, configuration parameters characterizing an intended deployment of software and further characterizing a target computing system from which the software is to be deployed);

determining a plurality of parameters for the software system of the target system (para 0053, when a specific intended software deployment is specified, the Project Check may analyze system parameters specifically for that deployment);

selecting at least one of a testing or probing module for the target system based on the plurality of parameters (para 0041, the software provider 204 may have required the system administrator to run a tool to initially assess deployment risk associated with installing the ERP software 216 in the computing system 201. The tool may have implemented the method 100. For example, a configuration monitor 240 in the computing system may have automatically collected various configuration parameters associated with the computing system 201. The configuration monitor may have transmitted the various configuration parameters to a deployment risk calculator 248 in the second computing system 204 and para 0052, The Project Check UI also provides a control 407 that the user can select to initiate the Project Check. As shown, initiation of the "Automatic Data Collection" with the control 407 will cause the underlying system to collect various system information for use in the Project Check. As was described with reference to FIG. 1A, this information may include various hardware, software and operating system parameters that the Project Check may analyze in assessing initial deployment risk);

measuring, using the selected module, the plurality of parameters on a target system on a cloud server (Fig. 2, element 207) (para 0052, The Project Check UI also provides a control 407 that the user can select to initiate the Project Check. As shown, initiation of the "Automatic Data Collection" with the control 407 will cause the underlying system to collect various system information for use in the Project Check. As was described with reference to FIG. 1A, this information may include various hardware, software and operating system parameters that the Project Check may analyze in assessing initial deployment risk, and para 0045, The threshold deployment risk level may have been determined based on data (para 0025 and 0052, configuration parameters) the service provider had previously collected, analyzed and stored (e.g., in the database 255));

storing the measured parameters in a database (para 0045, The threshold deployment risk level may have been determined based on data (para 0025 and 0052, parameters) the service provider had previously collected, analyzed and stored (e.g., in the database 255)),

receiving data regarding the target system from the cloud server (para 0021, The method 100 receives, at 101, configuration parameters characterizing an intended deployment of software and further characterizing a target computing system from which the software is to be deployed and para 0034, If the calculated deployment risk level is higher than or equal to a threshold deployment risk level, the method 150 may continue receiving configuration input, at 154, and may continue configuring the enterprise software, at 152. At a later time, data characterizing the configuration state of the enterprise software may again be received, at 160, and the received data may be transmitted, at 163, to the second computing system for recalculation of the deployment risk and comparison, at 166, with the threshold risk level);

comparing the measured parameters with the received data (para 0045, The calculated deployment risk level may have been compared to a threshold deployment risk level and para 0034, At a later time, data characterizing the configuration state of the enterprise software may again be received, at 160, and the received data may be transmitted, at 163, to the second computing system for recalculation of the deployment risk and comparison, at 166, with the threshold risk level); and

identifying, based on the comparing, a defect as part of the risk assessment (para 0056, the Project Check may identify a faulty piece of hardware (e.g., a network router or a server memory card) that should be replaced prior to beginning to deploy new software. The Project Check may withhold the project key until it confirms that the faulty piece of hardware has been replaced),

but does not explicitly disclose, however, Magdych discloses where the at least one testing or probing module is selected from a plurality of modules (claim 4, the risk-assessment modules are selected from the group and col. 4, lines 26-28, unique set of risk-assessment modules 404 may be selected based on specifications, platform, etc. of the particular local computer 212), that each is configured to evaluate a different information security risk affecting the software system, (col. 4, lines 15-25, these risk-assessment modules 404 refer to different functions that work in conjunction to perform a risk-assessment scan. In use, such risk-assessment modules 404 are capable of performing a specific function upon being executed by a command. Moreover, the risk-assessment modules 404 serve to perform a specific function on parameters that are specified by the command).

Therefore, it would have been obvious to a person having ordinary skill in the art to modify the teachings of Gaa-Frost to include each is configured to evaluate a different information security risk affecting the software system as taught by Magdych in order to detect vulnerabilities on a local computer (Magdych, abstract).

Regarding claim 2, the combination of Gaa-Frost and Magdych discloses the method of claim 1, wherein the risk assessment is performed on at least one central server different from the cloud server storing the target system (Gaa-Frost fig. 2, element 204, para 0038-0039).

Regarding claim 3, the combination of Gaa-Frost and Magdych discloses the method of claim 1, wherein the module performing the measuring comprising a measurement input interface including a test input interface for receiving the data (Gaa-Frost para 0052-0054).

Regarding claim 4, the combination of Gaa-Frost and Magdych discloses the method of claim 3, wherein the data comprises test data from the test input interface (Gaa-Frost para 0052-0054).

Regarding claim 5, the combination of Gaa-Frost and Magdych discloses the method of claim 1, further comprising: generating correction instructions for correcting the parameters when the defect is identified (Gaa-Frost para 0028 and 0056).

Regarding claim 6, the combination of Gaa-Frost and Magdych discloses the method of claim 1, wherein the defect comprises a software risk in software of the target system (Gaa-Frost para 0056).

Regarding claim 7, the combination of Gaa-Frost and Magdych discloses the method of claim 6, wherein the software of the target system comprises at least one of Customer Relationship Management (CRM), Supplier Relationship Management (SRM), Supply Chain Management (SCM), Product Life-cycle Management (PLM), Human Capital Management (HCM), Integration Platforms, Business Warehouse (BW), Business Intelligence (BI), or enterprise resource planning (ERP) (Gaa-Frost para 0038).

Regarding claim 8, the combination of Gaa-Frost and Magdych discloses the method of claim 7, wherein the software comprises at least one of SAP software, Oracle software, Microsoft software, Siebel software, JD Edwards software, Salesforce, Workday, or PeopleSoft software (Gaa-Frost para 0033 and 0053).

Regarding claim 9, the combination of Gaa-Frost and Magdych discloses the method of claim 6, wherein the parameters comprise settings or snapshots of a state of the software (Gaa-Frost para 0024).

Regarding claim 10, the combination of Gaa-Frost and Magdych discloses the method of claim 1, wherein the comparing and the identifying is performed on a second cloud server different from the cloud server (Gaa-Frost fig. 2, element 231, para 0062).

Regarding claim 11, the combination of Gaa-Frost and Magdych discloses the method of claim 1, wherein the comparing and the identifying is performed on-premises (Gaa-Frost para 0053 and 0056).

Response to Arguments

Applicant’s arguments (regarding amended limitation “where the at least one testing or probing module is selected from a plurality of modules, that each is configured to evaluate a different information security risk affecting the software system” as recited in independent claim 1) with respect to claims 1-11 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-892).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BAOTRAN N TO whose telephone number is (571)272-8156. The examiner can normally be reached M-F: 7-3.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BAOTRAN N TO/
Primary Examiner, Art Unit 2435

Prosecution Timeline

Jun 30, 2021: Application Filed
Oct 18, 2024: Non-Final Rejection — §103
Jan 21, 2025: Response Filed
Mar 14, 2025: Final Rejection — §103
May 19, 2025: Request for Continued Examination
May 25, 2025: Response after Non-Final Action
May 30, 2025: Non-Final Rejection — §103
Aug 27, 2025: Response Filed
Nov 24, 2025: Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603761
RECEIVER, CRYPTOGRAPHIC KEY DISTRIBUTION SYSTEM, METHOD FOR CONTROLLING RECEIVER, AND CONTROL PROGRAM
2y 5m to grant Granted Apr 14, 2026
Patent 12587373
QUANTUM KEY DISTRIBUTION TRANSMITTER
2y 5m to grant Granted Mar 24, 2026
Patent 12580751
FAST POST-QUANTUM CRYPTOGRAPHIC SORTITION
2y 5m to grant Granted Mar 17, 2026
Patent 12574253
SECURE COMMUNICATIONS BETWEEN EDGE CLUSTERS AND CLUSTER MANAGEMENT SYSTEM
2y 5m to grant Granted Mar 10, 2026
Patent 12572703
Dynamic Power-Supply Attack Detection Circuit
2y 5m to grant Granted Mar 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 5-6
Grant Probability: 86%
With Interview (+12.4%): 99%
Median Time to Grant: 2y 6m
PTA Risk: High
Based on 656 resolved cases by this examiner. Grant probability derived from career allow rate.
