Prosecution Insights
Last updated: April 17, 2026
Application No. 18/421,510

Title: CROSS FRAMEWORK VALIDATION OF COMPLIANCE, MATURITY AND SUBSEQUENT RISK NEEDED FOR; REMEDIATION, REPORTING AND DECISIONING

Status: Non-Final OA (§101, §103)
Filed: Jan 24, 2024
Examiner: DIVELBISS, MATTHEW H
Art Unit: 3624
Tech Center: 3600 — Transportation & Electronic Commerce
Assignee: unknown
OA Round: 1 (Non-Final)

Outlook
Grant probability: 23% (At Risk)
Expected OA rounds: 1-2
Time to grant: 4y 1m
Grant probability with interview: 46%

Examiner Intelligence

Career allow rate: 23% (83 granted / 367 resolved; -29.4% vs TC avg)
Interview lift: +23.4% (resolved cases with interview vs. without)
Typical timeline: 4y 1m average prosecution; 50 currently pending
Career history: 417 total applications across all art units

Statute-Specific Performance

Statute   Rate    vs TC avg
§101      37.0%   -3.0%
§103      43.5%   +3.5%
§102      10.2%   -29.8%
§112      6.9%    -33.1%

"vs TC avg" is relative to the Tech Center average estimate. Based on career data from 367 resolved cases.

Office Action (§101, §103)
DETAILED ACTION

Claims 1-20 are pending in the present application and are under examination on the merits. This communication is the first action on the merits (FAOM).

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

Applicant has not yet filed an IDS for this Application. As such, no IDS has been considered.

Drawings

The drawings filed on 1/24/2024 are acceptable as filed.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. Here, under considerations of the broadest reasonable interpretation of the claimed invention, Examiner finds that the Applicant invented a method and system for cross framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning. Examiner formulates an abstract idea analysis, following the framework described in the MPEP, as follows:

Step 1: The claims are directed to a statutory category, namely a "method" (claims 1-20).
Step 2A - Prong 1: The claims are found to recite limitations that set forth the abstract idea(s), namely, regarding claim 1: A computerized advanced common controls framework (ACCF) method for all risk domains of cyber security as prescribed in each framework comprising: … obtaining a set of Control Frameworks (CFs) related to a risk identification, quantification, and mitigation engine delivery of the entity; creating an ACCF from the set of CFs, wherein the ACCF comprises a collection of CFs that when combined enable a commingling of individual controls; … applying the ACCF to perform an operational and compliance risk reporting.

Dependent claims 2-20 recite the same or similar abstract idea(s) as independent claim 1 with merely a further narrowing of the abstract idea(s) to particular data characterization and/or additional data analyses performed as part of the abstract idea.

The limitations in claims 1-20 above falling well-within the groupings of subject matter identified by the courts as being abstract concepts, specifically the claims are found to correspond to the category of: "Certain methods of organizing human activity - fundamental economic principles or practices (including hedging, insurance, mitigating risk); commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations); managing personal behavior or relationships or interactions between people (including social activities, teaching, and following rules or instructions)" as the limitations identified above are directed to cross framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning and thus is a method of organizing human activity including at least commercial or business interactions or relations and/or a management of user personal behavior; and/or "Mental processes - concepts performed in the human mind (including an observation, evaluation, judgement, opinion)" as the limitations identified above include mere data observations, evaluations, judgements, and/or opinions, e.g. cross framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning, which is capable of being performed mentally and/or using pen and paper.

Step 2A - Prong 2: Claims 1-20 are found to clearly be directed to the abstract idea identified above because the claims, as a whole, fail to integrate the claimed judicial exception into a practical application, specifically the claims recite the additional elements of: "providing a risk identification, quantification, and mitigation engine delivery platform of an entity… with the risk identification, quantification, and mitigation engine delivery platform of an entity," (claim 1) however the aforementioned elements merely amount to generic components of a general purpose computer used to "apply" the abstract idea (MPEP 2106.05(f)) and thus fails to integrate the recited abstract idea into a practical application, furthermore the high-level recitation of receiving data from a generic "engine" is at most an attempt to limit the abstract to a particular field of use (MPEP 2106.05(h), e.g.: "For instance, a data gathering step that is limited to a particular data source (such as the Internet) or a particular type of data (such as power grid data or XML tags) could be considered to be both insignificant extra-solution activity and a field of use limitation. See, e.g., Ultramercial, 772 F.3d at 716, 112 USPQ2d at 1755 (limiting use of abstract idea to the Internet); Electric Power, 830 F.3d at 1354, 119 USPQ2d at 1742 (limiting application of abstract idea to power grid data); Intellectual Ventures I LLC v. Erie Indem. Co., 850 F.3d 1315, 1328-29, 121 USPQ2d 1928, 1939 (Fed. Cir. 2017) (limiting use of abstract idea to use with XML tags).") and/or merely insignificant extra-solution activity (MPEP 2106.05(g)) and thus further fails to integrate the abstract idea into a practical application;

Step 2B: Claims 1-20 do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements as described above with respect to Step 2A Prong 2 merely amount to a general purpose computer that attempts to apply the abstract idea in a technological environment (MPEP 2106.05(f)), including merely limiting the abstract idea to a particular field of use of cross framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning via an "engine", as explained above, and/or performs insignificant extra-solution activity, e.g. data gathering or output, (MPEP 2106.05(g)), as identified above, which is further found under step 2B to be merely well-understood, routine, and conventional activities as evidenced by MPEP 2106.05(d)(II) (describing conventional activities that include transmitting and receiving data over a network, electronic recordkeeping, storing and retrieving information from memory, electronically scanning or extracting data from a physical document, and a web browser's back and forward button functionality). Therefore, similarly the combination and arrangement of the above identified additional elements when analyzed under Step 2B also fails to necessitate a conclusion that the claims amount to significantly more than the abstract idea directed to cross framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning.

Claims 1-20 are accordingly rejected under 35 USC § 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea(s)) without significantly more.
Note: The analysis above applies to all statutory categories of invention. As such, the presentment of any claim otherwise styled as a machine or manufacture, for example, would be subject to the same analysis. For further authority and guidance, see: MPEP § 2106, https://www.uspto.gov/patents/laws/examination-policy/subject-matter-eligibility

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-14 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication Number 2020/0387843 to Wandall et al. (hereafter referred to as Wandall) in view of U.S. Patent Application Publication Number 2021/0319374 to Wandall et al. (hereafter referred to as Wandall II).
As per claim 1, Wandall teaches:

A computerized advanced common controls framework (ACCF) method for all risk domains of cyber security as prescribed in each framework comprising (Paragraph Number [0005] teaches an example of mapping multiple governance, risk and compliance (GRC) mandates against each other in order to identify “common controls” is provided by the United Compliance Framework (UCF). UCF maintains a database of mandate “authority documents”, mandate citations, common controls and a defined terms dictionary. The UCF allows a user to input mandates of interest and to map the mandates on a one to one, one to many and many to many basis in order to produce a hierarchical list of common controls among the selected mandates. These common controls are linked to roles, assets, records, activities, events and audit questions. This list and related reports help UCF users identify overlaps among mandates, identify and remedy gaps in the user organization's GRC program and support a compliance audit program).

providing a risk identification, quantification, and mitigation engine delivery platform of an entity (Paragraph Number [0033] teaches block diagrams of dynamically adaptable risk assessment and communication system modules, in which various embodiments of the present disclosure may be implemented. FIG. 3A provides a high-level block diagram of the dynamically adaptable risk assessment and communication system 300 including multiple interacting modules 320, 340, 360 and 380 in which various embodiments of the present disclosure may be implemented. FIGS. 3B-3E provide more detailed block diagrams of each of the interacting modules 320, 340, 360 and 380 of the dynamically adaptable risk assessment and communication system 300 described with reference to FIG. 3A. In addition, corresponding flow diagrams for the overall system and for each of the multiple interacting modules are described below with reference to FIGS. 4A-4E. This dynamically adaptable risk assessment and communication system 300 includes interconnected rules engines and databases such as described herein. This system assists in determining whether certain laws, regulations, standards and other rules may be applicable to a given entity and that entity's organization and processes, providing an assessment of the risks involved in storing, using and sharing certain data and data types, and communication of that applicability determination and risk assessment. This communication facilitates collaboration among multiple users in a structured but adaptable way, to create a more efficient, computer-enabled means of assessing the applicability and risks of data processes involving personal data including a lifecycle (e.g., acquisition, storage, use, sharing and removal) of certain data and data types. In the present embodiment, personal data is referring to any data that may warrant protection, such as for privacy and/or security purposes, and is not confined to the definitions of “personal data” or “personal information” set forth in a particular law).

obtaining a set of Control Frameworks (CFs) related to a risk identification, quantification, and mitigation engine delivery of the entity (Paragraph Number [0038] teaches risk assessment identification rules 326 are rules utilized by risk assessment identification engine 311 with data process model 307 to identify whether there may be a sufficiently high risk of possible risk of an adverse impact to individuals as a result of the data processing such that further examination of that entity's data processes and controls is needed to ascertain whether that risk can be sufficiently mitigated in accordance with applicable laws, regulations or rules. For example, if a large amount of EU customer data is processed, then there may be a high risk to the rights of individuals in accordance with the GDPR such that further examination may be performed on the relevant data processes and controls for that entity. This risk assessment is performed utilizing the entity profile and a model of the entity's data processes including data flows and survey results. Also in the present embodiment, risk assessment examination rules 328 are rules utilized by risk assessment examination engine 313 with data model 307 and additional input by user 1 to examine the entity's data processes and controls to examine further the data processing risk to individuals. This further examination can include mitigation of the risks such as through the use of process controls and other risk mitigation techniques as well as acceptance of all or a portion of the risks as a result of a risk-benefit analysis, confirmation of insurance coverage, protections through contract (e.g., indemnifications by third parties), etc.).

with the risk identification, quantification, and mitigation engine delivery platform of an entity (Paragraph Number [0038] teaches risk assessment identification rules 326 are rules utilized by risk assessment identification engine 311 with data process model 307 to identify whether there may be a sufficiently high risk of possible risk of an adverse impact to individuals as a result of the data processing such that further examination of that entity's data processes and controls is needed to ascertain whether that risk can be sufficiently mitigated in accordance with applicable laws, regulations or rules. For example, if a large amount of EU customer data is processed, then there may be a high risk to the rights of individuals in accordance with the GDPR such that further examination may be performed on the relevant data processes and controls for that entity. This risk assessment is performed utilizing the entity profile and a model of the entity's data processes including data flows and survey results. Also in the present embodiment, risk assessment examination rules 328 are rules utilized by risk assessment examination engine 313 with data model 307 and additional input by user 1 to examine the entity's data processes and controls to examine further the data processing risk to individuals. This further examination can include mitigation of the risks such as through the use of process controls and other risk mitigation techniques as well as acceptance of all or a portion of the risks as a result of a risk-benefit analysis, confirmation of insurance coverage, protections through contract (e.g., indemnifications by third parties), etc.).

Wandall teaches a framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning but does not explicitly teach commingling individual controls of sets of control frameworks, which is taught by the following citations from Wandall II:

creating an ACCF from the set of CFs, wherein the ACCF comprises a collection of CFs that when combined enable a commingling of individual controls (Paragraph Number [0036] teaches the common controls framework and the common practices framework, including subunits thereof, are indexed 342 and 344 to the laws and regulations. This allows for an easier determination of compliance with those laws and regulations. Then in step 345, the indexed frameworks of common controls and common practices are converged through cross-mapping into a combinatorial common controls and practices framework 346. This combinatorial framework may be two separate frameworks that are cross-indexed with each other or a single framework that encompasses both controls and practices. In addition, system knowledge base 347 is generated including a set of queries 348 and a set of rules 349. Queries 348 may be utilized for applying the combinatorial common controls and practices framework to an entity and documenting the results thereof. Queries 348 may be applied automatically against a user profile or user documented processes and/or manually with a user through a user interface, such as described below with reference to FIG. 3C. Rules 349 are generated for utilizing the query documentation and generating reports showing risk management and compliance with the selected standards, such as described below with reference to FIG. 3C. Combinatorial controls and practices framework 346, queries 348 and rules 349 are dynamic in that they can be modified over time, such as when additional laws or best practices are identified and utilized in selected standard 324).

applying the ACCF to perform an operational and compliance risk reporting (Paragraph Number [0036] teaches the common controls framework and the common practices framework, including subunits thereof, are indexed 342 and 344 to the laws and regulations. This allows for an easier determination of compliance with those laws and regulations. Then in step 345, the indexed frameworks of common controls and common practices are converged through cross-mapping into a combinatorial common controls and practices framework 346. This combinatorial framework may be two separate frameworks that are cross-indexed with each other or a single framework that encompasses both controls and practices. In addition, system knowledge base 347 is generated including a set of queries 348 and a set of rules 349. Queries 348 may be utilized for applying the combinatorial common controls and practices framework to an entity and documenting the results thereof. Queries 348 may be applied automatically against a user profile or user documented processes and/or manually with a user through a user interface, such as described below with reference to FIG. 3C. Rules 349 are generated for utilizing the query documentation and generating reports showing risk management and compliance with the selected standards, such as described below with reference to FIG. 3C. Combinatorial controls and practices framework 346, queries 348 and rules 349 are dynamic in that they can be modified over time, such as when additional laws or best practices are identified and utilized in selected standard 324).

Both Wandall and Wandall II are directed to control frameworks. Wandall discloses framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning. Wandall II improves upon Wandall by disclosing commingling individual controls of sets of control frameworks. One of ordinary skill in the art would be motivated to further include utilizing commingling individual controls of sets of control frameworks, to create a robust control framework that consists of multiple interacting rule sets that enhance an overall framework. Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system and method of framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning in Wandall to further utilize commingling individual controls of sets of control frameworks as disclosed in Wandall II, since the claimed invention is merely a combination of old elements, and in combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

As per claim 2, the combination of Wandall and Wandall II teaches each of the limitations of claim 1. In addition, Wandall teaches:

wherein a CF is defined by an industry source, a legal source, a statutory source, a regulator source, or a geo-requirement source (Paragraph Number [0033] teaches block diagrams of dynamically adaptable risk assessment and communication system modules, in which various embodiments of the present disclosure may be implemented. FIG. 3A provides a high-level block diagram of the dynamically adaptable risk assessment and communication system 300 including multiple interacting modules 320, 340, 360 and 380 in which various embodiments of the present disclosure may be implemented. FIGS. 3B-3E provide more detailed block diagrams of each of the interacting modules 320, 340, 360 and 380 of the dynamically adaptable risk assessment and communication system 300 described with reference to FIG. 3A. In addition, corresponding flow diagrams for the overall system and for each of the multiple interacting modules are described below with reference to FIGS. 4A-4E. This dynamically adaptable risk assessment and communication system 300 includes interconnected rules engines and databases such as described herein. This system assists in determining whether certain laws, regulations, standards and other rules may be applicable to a given entity and that entity's organization and processes, providing an assessment of the risks involved in storing, using and sharing certain data and data types, and communication of that applicability determination and risk assessment. This communication facilitates collaboration among multiple users in a structured but adaptable way, to create a more efficient, computer-enabled means of assessing the applicability and risks of data processes involving personal data including a lifecycle (e.g., acquisition, storage, use, sharing and removal) of certain data and data types. In the present embodiment, personal data is referring to any data that may warrant protection, such as for privacy and/or security purposes, and is not confined to the definitions of “personal data” or “personal information” set forth in a particular law. (Examiner asserts that this teaches at least utilizing a legal source)).

As per claim 3, the combination of Wandall and Wandall II teaches each of the limitations of claims 1 and 2. In addition, Wandall teaches:

wherein each CF covers a specific governance, risk or compliance topic enumerated with a number of specific controls to provide coverage with an intended topic (Paragraph Number [0038] teaches risk assessment identification rules 326 are rules utilized by risk assessment identification engine 311 with data process model 307 to identify whether there may be a sufficiently high risk of possible risk of an adverse impact to individuals as a result of the data processing such that further examination of that entity's data processes and controls is needed to ascertain whether that risk can be sufficiently mitigated in accordance with applicable laws, regulations or rules. For example, if a large amount of EU customer data is processed, then there may be a high risk to the rights of individuals in accordance with the GDPR such that further examination may be performed on the relevant data processes and controls for that entity. This risk assessment is performed utilizing the entity profile and a model of the entity's data processes including data flows and survey results. Also in the present embodiment, risk assessment examination rules 328 are rules utilized by risk assessment examination engine 313 with data model 307 and additional input by user 1 to examine the entity's data processes and controls to examine further the data processing risk to individuals. This further examination can include mitigation of the risks such as through the use of process controls and other risk mitigation techniques as well as acceptance of all or a portion of the risks as a result of a risk-benefit analysis, confirmation of insurance coverage, protections through contract (e.g., indemnifications by third parties), etc.).
As per claim 4, the combination of Wandall and Wandall II teaches each of the limitations of claims 1, 2, and 3. Wandall teaches a framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning but does not explicitly teach commingling individual controls of sets of control frameworks, which is taught by the following citations from Wandall II:

wherein a root CF provides efficacy one-to-one control alignment, one-to-many control alignment or a many-to-many control alignment (Paragraph Number [0036] teaches the common controls framework and the common practices framework, including subunits thereof, are indexed 342 and 344 to the laws and regulations. This allows for an easier determination of compliance with those laws and regulations. Then in step 345, the indexed frameworks of common controls and common practices are converged through cross-mapping into a combinatorial common controls and practices framework 346. This combinatorial framework may be two separate frameworks that are cross-indexed with each other or a single framework that encompasses both controls and practices. In addition, system knowledge base 347 is generated including a set of queries 348 and a set of rules 349. Queries 348 may be utilized for applying the combinatorial common controls and practices framework to an entity and documenting the results thereof. Queries 348 may be applied automatically against a user profile or user documented processes and/or manually with a user through a user interface, such as described below with reference to FIG. 3C. Rules 349 are generated for utilizing the query documentation and generating reports showing risk management and compliance with the selected standards, such as described below with reference to FIG. 3C. Combinatorial controls and practices framework 346, queries 348 and rules 349 are dynamic in that they can be modified over time, such as when additional laws or best practices are identified and utilized in selected standard 324).

One of ordinary skill in the art would be motivated to combine these references as described in regard to claim 1.

As per claim 5, the combination of Wandall and Wandall II teaches each of the limitations of claim 1. In addition, Wandall teaches:

wherein the step of applying the ACCF to perform an operational and compliance risk reporting further comprises: applying a regional or a national regulation as a part of the ACCF to perform the operational and compliance risk reporting (Paragraph Number [0034] teaches assess the applicability and risks of data processes for other data that warrants protection besides personal data, such as security data managed by entities. Security data can include data relating to national security, infrastructure security, and other privacy and security-related issues. In alternative embodiments utilized to assess the applicability and risks of data processes for security data, the focus may be on risks to the security data managed by these entities for infrastructure entities and government agencies, rather than on risks to the rights to personal data of individuals. Paragraph Number [0063] teaches each data object may have associated attributes such as location (e.g., country, state or other legal jurisdictions), type of entity, type of system (e.g., database, website), data subject (e.g., employee), data type (e.g., financial, health, location and other personal information), data elements (e.g., social security number), etc. Each data flow may have associated attributes such as the type of action (e.g., collect, process, transmit or store information related to a node), data types (e.g., health information, financial information, etc.), data elements (e.g., social security number, customer address), data volume, etc.).

As per claim 6, the combination of Wandall and Wandall II teaches each of the limitations of claims 1 and 5. In addition, Wandall teaches:

wherein the step of applying the ACCF to perform an operational and compliance risk reporting further comprises: applying a contractual obligation and a statutory requirement as a part of the ACCF to perform the operational and compliance risk reporting (Paragraph Number [0037] teaches entity profile based applicability rules 322 are rules utilized by entity profile applicability engine 305 against knowledge base 303 to determine the possible applicability of one or more coded standards to an entity based on that entity's general profile. For example, if an entity does business in the State of California and derives revenue from selling consumer's personal information, then the CCPA (California Consumer Privacy Act) may apply to that entity. Further analysis of that entity's data processes may be needed to make a final determination of applicability. If a determination of possible applicability is made based on these entity profile based applicability rules, then in this example a user may model the data processes with a California nexus to make a final determination of CCPA applicability. A similar determination of applicability can be made based on an entity's profile with other coded standards resulting in possibly modeling that entity's data processes which have a nexus to the applicable law, regulation or rules. Paragraph Number [0058] teaches there may be queries and/or surveys regarding process controls which may mitigate certain risks, risk-benefit analyses to assess the value of the use of certain data against the risks involved with utilizing that data, confirmation of certain types of insurance coverage and protections through contract (e.g., indemnifications by third parties) relevant to the data at risk, and other factors which may mitigate or affect the acceptance of certain risks).

As per claim 7, the combination of Wandall and Wandall II teaches each of the limitations of claims 1, 5, and 6. In addition, Wandall teaches:

wherein the step of applying the ACCF to perform an operational and compliance risk reporting further comprises: applying a statutory obligation as a part of the ACCF to perform the operational and compliance risk reporting (Paragraph Number [0037] teaches entity profile based applicability rules 322 are rules utilized by entity profile applicability engine 305 against knowledge base 303 to determine the possible applicability of one or more coded standards to an entity based on that entity's general profile. For example, if an entity does business in the State of California and derives revenue from selling consumer's personal information, then the CCPA (California Consumer Privacy Act) may apply to that entity. Further analysis of that entity's data processes may be needed to make a final determination of applicability. If a determination of possible applicability is made based on these entity profile based applicability rules, then in this example a user may model the data processes with a California nexus to make a final determination of CCPA applicability. A similar determination of applicability can be made based on an entity's profile with other coded standards resulting in possibly modeling that entity's data processes which have a nexus to the applicable law, regulation or rules).

As per claim 8, the combination of Wandall and Wandall II teaches each of the limitations of claim 1. In addition, Wandall teaches:

implementing a capability improvement comprising a simplified risk signal analysis with a reduction or an alignment of a plurality of framework controls (Paragraph Number [0035] teaches with reference to FIG. 3A, dynamically adaptable risk assessment and communication system 300 includes multiple interacting modules 320, 340, 360 and 380. These interacting modules include a rules management module 320, an entity profile management module 340, a data process modeling management module 360 and a risk assessment management module 380. At the center of these modules, for the present embodiment, are a set of applicability and risk assessment engines 305, 310, 311 and 313 which automatically apply a dynamic set of applicability and risk assessment rules 301 against a developing and dynamic knowledge base 303 and a data process model 307 (generated by data process modeling engine 306) to provide a set of risk assessment outputs 312. A task manager 314 may be utilized to assist in generating and managing various tasks needed for updating knowledge base 303, generating data process model 307, and for obtaining additional information needed for performing applicability determinations and risk assessments such as described herein. In addition, each module references a user 302, 304, 308 and 315 interacting with the elements of that module. However, a single user may interact with the elements of multiple modules. In addition, more than one user may interact with the elements of a single module).

As per claim 9, the combination of Wandall and Wandall II teaches each of the limitations of claims 1 and 8. In addition, Wandall teaches:

wherein the capability improvement comprises a robust modeling with a plurality of hi-fidelity decisional making analytics (Paragraph Number [0040] teaches with reference to FIG. 3D, data process modeling management module 360 includes entity profile applicability engine 305, data process modeling engine 306 and data process model 307 which are managed by user 3 308 through user 3 GUI 366. Entity profile applicability engine 305 may utilize entity profile based applicability rule in rules database 301 applied against an entity profile in knowledge base 303 to determine the possible applicability of certain coded standards to the entity. Based on this determination, user 3 through user 3 GUI 366 may utilize data process modeling engine 306 to generate or update selected data process models 307 describing various aspects of the entity and its data process flows. This can include the results of a survey 362 and some data process maps 364. Paragraph Number [0051] teaches a flow diagram directed to the operation of data process modeling management module 360 to generate, update and manage data process model 307 in which various embodiments of the present disclosure may be implemented. In a first step 460, user 3 logs into data process modeling management module 360 through GUI 366. This includes verifying the identity and access rights of user 3 to perform the following steps. User 3 may also be referred to herein as a data process modeling user. Although a single user GUI is shown in this module, multiple GUIs may be utilized for various aspects of data process modeling management module 360).

As per claim 10, the combination of Wandall and Wandall II teaches each of the limitations of claim 1. In addition, Wandall teaches:

optimizing a controls environment of the risk identification, quantification, and mitigation engine delivery platform of an entity during an application of the ACCF by: using a baseline set of control requirements and associated controls of the of the ACCF (Paragraph Number [0040] teaches with reference to FIG.
3D, data process modeling management module 360 includes entity profile applicability engine 305, data process modeling engine 306 and data process model 307 which are managed by user 3 308 through user 3 GUI 366. Entity profile applicability engine 305 may utilize entity profile based applicability rule in rules database 301 applied against an entity profile in knowledge base 303 to determine the possible applicability of certain coded standards to the entity. Based on this determination, user 3 through user 3 GUI 366 may utilize data process modeling engine 306 to generate or update selected data process models 307 describing various aspects of the entity and its data process flows. This can include the results of a survey 362 and some data process maps 364. Once data process model 307 has been generated or updated, it may be utilized by entity process applicability engine 310 with rules 301 to determine whether certain coded standards are applicable to the data process flows on the entity. Then risk identification assessment engine 311 identifies whether the data process flows as mapped in data process model 307 are at high risk for being non-compliant with the applicable coded standards. If so, then risk examination engine 313 performs a further examination of those data process flows and relevant process controls to determine whether the associated risks are mitigated or justified.). As per claim 11, the combination of Wandall and Wandall II teaches each of the limitations of claims 1 and 10. In addition, Wandall teaches: updating the ACCF to ensure the entity remains aware of any changes to any compliance frameworks in use (Paragraph Number [0047] teaches in step 426, user 1 may update knowledge base 303 including entity profile 342 as needed to include information needed to implement the new or updated rules from step 424. 
In addition, user 1 may also update any queries or other process steps described herein, including updating the various GUIs and task manager 314, to obtain the information needed to implement the new or updated rules for storage and use as described herein. Then in step 428, user 1 may also update the engines that implement these rules as needed, including entity profile applicability engine 305, entity process applicability engine 310, risk assessment identification engine 311 and risk assessment examination engine 313. Furthermore, in step 430 user 1 may also update risk assessment outputs 312 to communicate the various information needed to fully utilize the new or updated rules of step 424. Alternative embodiments may utilize other users to implement these various changes when a new or updated rule is provided for updating rules 301. In step 432, an audit trail is maintained or updated of the information provided in the steps above. This audit trail may be stored in knowledge base 303 as audit trail 347. This audit trail can include pointers to or copies of the rules added or modified as well as an identification of the user that provided the rules that were added or modified). As per claim 12, the combination of Wandall and Wandall II teaches each of the limitations of claims 1, 10, and 11. In addition, Wandall teaches: wherein the common control meets multiple compliance requirements of the entity such that the entity gains efficiencies in performing an audit engagement (Paragraph Number [0005] teaches mapping multiple governance, risk and compliance (GRC) mandates against each other in order to identify “common controls” is provided by the United Compliance Framework (UCF). UCF maintains a database of mandate “authority documents”, mandate citations, common controls and a defined terms dictionary. 
The UCF allows a user to input mandates of interest and to map the mandates on a one to one, one to many and many to many basis in order to produce a hierarchical list of common controls among the selected mandates. These common controls are linked to roles, assets, records, activities, events and audit questions. This list and related reports help UCF users identify overlaps among mandates, identify and remedy gaps in the user organization's GRC program and support a compliance audit program. Paragraph Number [0047] teaches user 1 may update knowledge base 303 including entity profile 342 as needed to include information needed to implement the new or updated rules from step 424. In addition, user 1 may also update any queries or other process steps described herein, including updating the various GUIs and task manager 314, to obtain the information needed to implement the new or updated rules for storage and use as described herein. Then in step 428, user 1 may also update the engines that implement these rules as needed, including entity profile applicability engine 305, entity process applicability engine 310, risk assessment identification engine 311 and risk assessment examination engine 313. Furthermore, in step 430 user 1 may also update risk assessment outputs 312 to communicate the various information needed to fully utilize the new or updated rules of step 424. Alternative embodiments may utilize other users to implement these various changes when a new or updated rule is provided for updating rules 301. In step 432, an audit trail is maintained or updated of the information provided in the steps above. This audit trail may be stored in knowledge base 303 as audit trail 347. This audit trail can include pointers to or copies of the rules added or modified as well as an identification of the user that provided the rules that were added or modified). As per claim 13, the combination of Wandall and Wandall II teaches each of the limitations of claim 1. 
In addition, Wandall teaches: wherein the ACCF enables the extracting of specific controls for a specific view, wherein the specific view comprises region view, a business unit view, a compliance requirement , a specific business function (Paragraph Number [0062] teaches a GUI (graphical user interface) for generating a data process model 600 in which various embodiments of the present disclosure may be implemented. A data process model can include the results of a survey 605 and a data process map generator 610 where nodes (shown as blocks) graphically represent data objects and edges (shown as arrows) graphically represent data paths that are the connections or pathways between the various nodes. Nodes can represent various types of data objects such as data subjects, company entities, systems, third parties (e.g., vendors and/or partners), data recipients, etc. Edges can represent various types of data flows such as sending and receiving data between nodes as well as operations on data. In an alternative embodiment, operations on data may be represented by nodes instead of edges. Paragraph Number [0063] teaches each data object may have associated attributes such as location (e.g., country, state or other legal jurisdictions), type of entity, type of system (e.g., database, website), data subject (e.g., employee), data type (e.g., financial, health, location and other personal information), data elements (e.g., social security number), etc. Each data flow may have associated attributes such as the type of action (e.g., collect, process, transmit or store information related to a node), data types (e.g., health information, financial information, etc.), data elements (e.g., social security number, customer address), data volume, etc. In combination, nodes and edges are interconnected to represent data flowing between data objects. 
For example, edges can connect an organization node to a system node that organization uses to collect, process, transmit and/or store personal information relating to a set of data subjects to a set of data recipients to whom personal information about the set of data subjects is disclosed or transferred (e.g., health information to insurance companies). Edges can also connect data subjects, organizations, data recipients and/or vendors represented by nodes with specific countries/jurisdictions. For example, an organization represented by a node may collect personal information from data subjects represented with an edge whereby the data subjects have a location attribute of France in the European Union. As a result, the GDPR may apply because personal information from France is being collected by the organization). As per claim 14, the combination of Wandall and Wandall II teaches each of the limitations of claims 1 and 13. In addition, Wandall teaches: wherein a specified business function or technical requirement is identified (Paragraph Number [0063] teaches each data object may have associated attributes such as location (e.g., country, state or other legal jurisdictions), type of entity, type of system (e.g., database, website), data subject (e.g., employee), data type (e.g., financial, health, location and other personal information), data elements (e.g., social security number), etc. Each data flow may have associated attributes such as the type of action (e.g., collect, process, transmit or store information related to a node), data types (e.g., health information, financial information, etc.), data elements (e.g., social security number, customer address), data volume, etc. In combination, nodes and edges are interconnected to represent data flowing between data objects. 
For example, edges can connect an organization node to a system node that organization uses to collect, process, transmit and/or store personal information relating to a set of data subjects to a set of data recipients to whom personal information about the set of data subjects is disclosed or transferred (e.g., health information to insurance companies). Edges can also connect data subjects, organizations, data recipients and/or vendors represented by nodes with specific countries/jurisdictions. For example, an organization represented by a node may collect personal information from data subjects represented with an edge whereby the data subjects have a location attribute of France in the European Union. As a result, the GDPR may apply because personal information from France is being collected by the organization). Claims 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication Number 2020/0387843 to Wandall et al. (hereafter referred to as Wandall) in view of U.S. Patent Application Publication Number 2021/0319374 to Wandall et al (hereafter referred to as Wandall II) and in further view of U.S. Patent Application Publication Number 2022/0207443 to Sarkar (hereafter referred to as Sarkar). As per claim 15, the combination of Wandall and Wandall II teaches each of the limitations of claims 1, 13, and 14. Wandall teaches a framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning but does not explicitly teach identifying specific controls and linking them to specific frameworks to meet specific requirements which is taught by the following citations from Sarkar: wherein a corresponding carve-out is used to include only a specified controls used for the specified business function (Paragraph Number [0085] teaches risk identification, quantification, and mitigation engine delivery platform 200 can provide the ability to track the effectiveness of the controls. 
Risk identification, quantification, and mitigation engine delivery platform 200 can provide the ability to capture status of control effectiveness at the central dashboard to enable the prioritization of decision actions enabled by AI scoring engine (e.g. AI/ML engine 908, etc.). Risk identification, quantification, and mitigation engine delivery platform 200 can provide the ability to track the appropriate stakeholders based on the controls effectiveness for actionable accountability). Both the combination of Wandall and Wandall II and Sarkar are directed to control frameworks. The combination of Wandall and Wandall II discloses framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning. Sarkar improves upon the combination of Wandall and Wandall II by disclosing identifying specific controls and linking them to specific frameworks to meet specific requirements. One of ordinary skill in the art would be motivated to further include identifying specific controls and linking them to specific frameworks to meet specific requirements, to efficiently meet requirements for control frameworks and flag repeatedly used frameworks to configure a profile. Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system and method of framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning in the combination of Wandall and Wandall II to further utilize identifying specific controls and linking them to specific frameworks to meet specific requirements as disclosed in Sarkar, since the claimed invention is merely a combination of old elements, and in combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable. 
As per claim 16, the combination of Wandall, Wandall II, and Sarkar teaches each of the limitations of claims 1 and 13-15. Wandall teaches a framework validation of compliance, maturity and subsequent risk needed for remediation, reporting and decisioning but does not explicitly teach identifying specific controls and linking them to specific frameworks to meet specific requirements which is taught by the following citations from Sarkar: wherein the carve-out is curated into a curated carve-out using the ACCF to analyze the information from the aligned controls surrounding or comprising the requirement. (Paragraph Number [0101] teaches process 500 can implement risk scenario testing. In one example, risks that are being assessed may have some dependencies and triggers that may cause exponential exposures. It is noted that dependencies can exist between the risks once discovered. Accordingly, weights can be assigned to exposures based on the type of dependency. Exposures can be much higher based on additive, hierarchical or transitive dependencies. Process 500 calculates th
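The Wandall citations relied on for claims 6, 10, 13 and 14 describe a data process model of nodes (data subjects, systems, third parties) and edges (data flows) carrying attributes, with entity-profile rules that flag a standard as possibly applicable (the CCPA example), process rules that confirm applicability from the flows (the GDPR-from-France example), a risk identification step that flags flows at high risk of non-compliance, and a risk examination step that checks whether attached process controls mitigate them. The following Python is an added illustration of that pipeline; it is not code from the office action, the applicant, or the cited Wandall or Sarkar applications. The entity profile, the node and edge sample, the jurisdiction list and the set of mitigating controls are all constructed for the example, and the "transmit regulated data to a third party" risk heuristic is an assumption, not a rule either publication states.

```python
"""Toy data process model with applicability rules and a risk check.

Added example, not code from the office action or the cited applications.
Sample data, jurisdiction lists and the risk heuristic are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed lookup tables; deliberately not exhaustive.
EU_MEMBER_STATES = {"France", "Germany", "Ireland", "Netherlands"}
PERSONAL_DATA_TYPES = {"personal", "financial", "health", "location"}
MITIGATING_CONTROLS = {"encryption", "contract", "consent"}


@dataclass(frozen=True)
class Node:
    """A data object: data_subject, organization, system or third_party."""
    name: str
    kind: str
    location: Optional[str] = None      # country, state or other jurisdiction


@dataclass(frozen=True)
class Edge:
    """A data flow between two nodes with the attributes the citation lists."""
    source: str
    target: str
    action: str                         # collect | process | transmit | store
    data_types: FrozenSet[str]
    controls: FrozenSet[str] = frozenset()   # process controls attached to the flow


@dataclass
class EntityProfile:
    """General profile of the entity, input to the entity-profile rules."""
    name: str
    jurisdictions: Set[str]
    sells_personal_information: bool


@dataclass
class DataProcessModel:
    nodes: Dict[str, Node]
    edges: List[Edge]


def profile_applicability(profile: EntityProfile) -> Set[str]:
    """Entity-profile rules: standards that may apply from the profile alone."""
    possible = set()
    if "California" in profile.jurisdictions and profile.sells_personal_information:
        possible.add("CCPA")
    if profile.jurisdictions & EU_MEMBER_STATES:
        possible.add("GDPR")
    return possible


def process_applicability(model: DataProcessModel) -> Set[str]:
    """Process rules: final determination from the modelled data flows.

    A flow collecting personal data from a data subject located in an EU
    member state makes GDPR applicable; a California data subject does the
    same for CCPA.
    """
    applicable = set()
    for e in model.edges:
        src = model.nodes[e.source]
        if e.action != "collect" or src.kind != "data_subject":
            continue
        if not (e.data_types & PERSONAL_DATA_TYPES):
            continue
        if src.location in EU_MEMBER_STATES:
            applicable.add("GDPR")
        if src.location == "California":
            applicable.add("CCPA")
    return applicable


def identify_high_risk_flows(model: DataProcessModel, applicable: Set[str]) -> List[Edge]:
    """Risk identification (assumed heuristic): once a standard applies, any
    flow transmitting regulated data to a third party is at high risk."""
    if not applicable:
        return []
    return [e for e in model.edges
            if e.action == "transmit"
            and model.nodes[e.target].kind == "third_party"
            and e.data_types & PERSONAL_DATA_TYPES]


def examine_risk(edge: Edge) -> bool:
    """Risk examination: the flow is mitigated if a recognised control is attached."""
    return bool(edge.controls & MITIGATING_CONTROLS)


def assess(profile: EntityProfile, model: DataProcessModel) -> dict:
    """Run the four stages and return their outputs together."""
    possible = profile_applicability(profile)
    applicable = process_applicability(model)
    flagged = identify_high_risk_flows(model, applicable)
    unmitigated = [e for e in flagged if not examine_risk(e)]
    return {"possible": possible, "applicable": applicable,
            "flagged": flagged, "unmitigated": unmitigated}


# Constructed sample entity and data process model.
ACME = EntityProfile("Acme", {"California", "France"}, sells_personal_information=True)
MODEL = DataProcessModel(
    nodes={
        "eu_customers": Node("eu_customers", "data_subject", "France"),
        "ca_customers": Node("ca_customers", "data_subject", "California"),
        "crm": Node("crm", "system"),
        "insurer": Node("insurer", "third_party"),
        "ad_vendor": Node("ad_vendor", "third_party"),
    },
    edges=[
        Edge("eu_customers", "crm", "collect", frozenset({"personal"})),
        Edge("ca_customers", "crm", "collect", frozenset({"personal", "financial"})),
        Edge("crm", "insurer", "transmit", frozenset({"health", "personal"}), frozenset({"contract"})),
        Edge("crm", "ad_vendor", "transmit", frozenset({"personal"})),
    ],
)

if __name__ == "__main__":
    result = assess(ACME, MODEL)
    print("possibly applicable:", sorted(result["possible"]))
    print("applicable:", sorted(result["applicable"]))
    for e in result["unmitigated"]:
        print("unmitigated flow:", e.source, "->", e.target, sorted(e.data_types))
```

With the sample model both CCPA and GDPR are confirmed from the collect flows, both transmit flows to third parties are flagged, and only the flow to the advertising vendor survives examination as unmitigated because the insurer flow carries a contract control. Changing a node's location attribute or an edge's controls is enough to see each stage's decision move.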

Prosecution Timeline

Jan 24, 2024
Application Filed
Aug 28, 2025
Non-Final Rejection — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12572889
Optimization of Large-scale Industrial Value Chains
2y 5m to grant Granted Mar 10, 2026
Patent 12503000
OPTIMIZATION PROCEDURE FOR THE ENERGY MANAGEMENT OF A SOLAR ENERGY INSTALLATION WITH STORAGE MEANS IN COMBINATION WITH THE CHARGING OF AN ELECTRIC VEHICLE AND SYSTEM
2y 5m to grant Granted Dec 23, 2025
Patent 12493860
WASTE MANAGEMENT SYSTEM AND METHOD
2y 5m to grant Granted Dec 09, 2025
Patent 12482011
FAMILIARITY DEGREE ESTIMATION APPARATUS, FAMILIARITY DEGREE ESTIMATION METHOD, AND RECORDING MEDIUM
2y 5m to grant Granted Nov 25, 2025
Patent 12450574
METHOD FOR WASTE MANAGEMENT UTILIZING ARTIFICAL NEURAL NETWORK SYSTEM
2y 5m to grant Granted Oct 21, 2025
Based on 5 most recent grants.


Prosecution Projections

1-2
Expected OA Rounds
23%
Grant Probability
46%
With Interview (+23.4%)
4y 1m
Median Time to Grant
Low
PTA Risk
Based on 367 resolved cases by this examiner. Grant probability derived from career allow rate.
