DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/08/2025 was filed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 8,396,890 B2 to Lim in view of Pub.No.: US 2015/0127416 A1 to Showalter et al(hereafter referenced as Showalter).
Regarding claim 1, Lim discloses “ a method comprising: receiving security practices information from a vendor computing system (server system [Fig.1/item 122]) and computing services interaction information from a client computing system (Client system [Fig.1/item 113]), wherein the security practices information characterizes security measures in place at the vendor computing system(policy server rules [Fig.4/item 401]) and the computing services interaction information characterizes data for transmission from the client computing system to the vendor computing system”(policy enforcer [Fig.9]).
Lim does not explicitly disclose “determining a risk profile for the vendor computing system by using a processor to estimate a first dimensional risk factor for a first security dimension associated with the security practices information”; transmitting a risk profile message to the client computing system, wherein the risk profile message is client-specific to the client computing system and depends on information to be transmitted from the client computing system to the vendor computing system; and
detecting a change in security practices information at the vendor computing
system, wherein a first weight to a first dimensional risk factor corresponding to a first
security dimension associated with security practices information is adjusted at the
processor based on the change in security practices information.
However, Showalter in an analogous art discloses “determining a risk profile for the vendor computing system by using a processor to estimate a first dimensional risk factor for a first security dimension associated with the security practices information” (method can also include scoring the application, using the one or more processors, by processing the scoring values in a multi-dimensional risk assessment system including an operational risk model Showalter [par.0009]) ; transmitting a risk profile message to the client computing system, wherein the risk profile message is client-specific to the client computing system and depends on information to be transmitted from the client computing system to the vendor computing system”(Score application by sending extracted scoring data through multi-dimensional risk assessment system Showalter [Fig.8/item 808]) ; “and detecting a change in security practices information at the vendor computing system, wherein a first weight to a first dimensional risk factor corresponding to a first security dimension associated with security practices information is adjusted at the processor based on the change in security practices information.”(manufacture defect risk assessment system Showalter [Fig.1/item 102]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Lim’s system to detect behavioral patterns with Showalter’s risk assessment process in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Lim teaches a system which detect behavioral patterns, Showalter discloses a risk assessment process and both are from the same field of endeavor.
Regarding claim 2 in view of claim 1, the references combined disclose “wherein an updated risk profile message is transmitted to the client computing system, the updated risk profile message including an updated risk profile” (transmit rules Lim[Fig.4]).
Regarding claim 3 in view of claim 2, the references combined disclose “wherein determining the risk profile comprises analyzing a third-party assessment of security measures at the vendor computing system” (i.e. policy server analyzes client system Lim[Fig.17]).
Regarding claim 4 in view of claim 3, the references combined disclose “wherein the third-party assessment of security measures comprises third-party audit information” (i.e. policy server analyzes client system Lim[Fig.17]).
Regarding claim 5 in view of claim 1, the references combined disclose “wherein the risk profile is determined by estimating a plurality of dimensional risk factors for a plurality of security dimensions” (Score application by sending extracted scoring data through multi-dimensional risk assessment system Showalter [Fig.8/item 808]).
Regarding claim 6 in view of claim 5, the references combined disclose “wherein a plurality of weights to a plurality of dimensional risk factors corresponding to a plurality of security dimensions are adjusted based on the change in security practices information” (Score application by sending extracted scoring data through multi-dimensional risk assessment system Showalter [Fig.8/item 808]).
Regarding claim 7 in view of claim 6, the references combined disclose “wherein the first dimensional risk factor reflects a reported security practice associated with the first security dimension” (Score application by sending extracted scoring data through multi-dimensional risk assessment system Showalter [Fig.8/item 808]), “the first dimensional risk factor reflecting a level of assurance associated with the reported security practice”(manufacturing defect risk assessment system Showalter [Fig.1/item 102]), “and wherein determining the risk profile comprises calculating a weighted average of the plurality of dimensional risk factors”(comprehensive risk profile system Showalter [Fig.4/402]).
Regarding claim 8 in view of claim 7, the references combined disclose “wherein determining the estimate of the information security risk comprises determining a weighting value for each of the dimensional risk factors based on the computing services interaction information, the weighting reflecting a relative importance of the dimensional risk factor to the estimate of an information security risk.” (Score application by sending extracted scoring data through multi-dimensional risk assessment system Showalter [Fig.8/item 808]).
Regarding claim 9 in view of claim 8, the references combined disclose “wherein determining the risk profile comprises applying natural language processing to free-form text information to determine a respective dimensional risk level.” (Score application by sending extracted scoring data through multi-dimensional risk assessment system Showalter [Fig.8/item 808]).
Regarding claim 10 in view of claim 9, the references combined disclose “wherein the computing services interaction information includes a data sensitivity level associated with the transmitted data.” (highly sensitive level Lim[Fig.16/item 1502]).
Regarding claim 11 in view of claim 10, the references combined disclose “wherein determining the risk profile comprises matching the third-party assessment with the free-form text information using natural language processing” (select variables for Use in Risk Model Showalter[Fig.2/item 210]).
Regarding claim 12 in view of claim 8, the references combined disclose “wherein the security practices information comprises information characterizing a user authentication procedure and an encryption algorithm employed at a first computing device”(encrypt and log confidential document Lim[Fig.20/item 1909]).
Regarding claim 13 in view of claim 8, the references combined disclose “wherein the risk profile is determined in part based on automated security analysis performed by transmitting a security practice detection message to a first computing device, the security practice detection message being designed to test the security measures in place at the first computing device.”(obligation action includes logging an action or sending a notification message to an administrator. An obligation can depend (or not depend) on the ALLOW and DENY state Lim[Col.28/line 50-53]).
Regarding claim 14, Lim discloses “a system comprising: an input interface configured to receive security practices information from a vendor computing system(server system [Fig.1/item 122]) and computing services interaction information from a client computing system(Client system [Fig.1/item 113]),, wherein the security practices information characterizes security measures in place at the vendor computing system (policy server rules [Fig.4/item 401]) and the computing services interaction information characterizes data for transmission from the client computing system to the vendor computing system(policy enforcer [Fig.9]).
Lim does not explicitly disclose “a processor configured to determine a risk profile for the vendor computing system by using a processor to estimate a first dimensional risk factor for a first security dimension associated with the security practices information; and an output interface configured to transmit a risk profile message to the client computing system, wherein the risk profile message is client-specific to the client computing system and depends on information to be transmitted from the client computing system to the vendor computing system, wherein a first weight to a first dimensional risk factor corresponding to a first security dimension associated with security practices information is adjusted at the processor based on the change in security practices information when a change in security practices information at the vendor computing system is detected.
However, Showalter in an analogous art discloses “Lim does not explicitly disclose “a processor configured to determine a risk profile for the vendor computing system by using a processor to estimate a first dimensional risk factor for a first security dimension associated with the security practices information(method can also include scoring the application, using the one or more processors, by processing the scoring values in a multi-dimensional risk assessment system including an operational risk model Showalter [par.0009]); and an output interface configured to transmit a risk profile message to the client computing system, wherein the risk profile message is client-specific to the client computing system and depends on information to be transmitted from the client computing system to the vendor computing system(Score application by sending extracted scoring data through multi-dimensional risk assessment system Showalter [Fig.8/item 808]), wherein a first weight to a first dimensional risk factor corresponding to a first security dimension associated with security practices information is adjusted at the processor based on the change in security practices information when a change in security practices information at the vendor computing system is detected” (manufacture defect risk assessment system Showalter [Fig.1/item 102]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Lim’s system to detect behavioral patterns with Showalter’s risk assessment process in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Lim teaches a system which detect behavioral patterns, Showalter discloses a risk assessment process and both are from the same field of endeavor.
Regarding claim 15 in view of claim 14, the references combined disclose “wherein an updated risk profile message is transmitted to the client computing system, the updated risk profile message including an updated risk profile” (transmit rules Lim[Fig.4]).
Regarding claim 16 in view of claim 14, the references combined disclose “wherein determining the risk profile comprises analyzing a third-party assessment of security measures at the vendor computing system” (i.e. policy server analyzes client system Lim[Fig.17]).
Regarding claim 17 in view of claim 16, the references combined disclose “wherein the third-party assessment of security measures comprises third-party audit information” (i.e. policy server analyzes client system Lim[Fig.17]).
Regarding claim 18 in view of claim 14, the references combined disclose “wherein the risk profile is determined by estimating a plurality of dimensional risk factors for a plurality of security dimensions” (Score application by sending extracted scoring data through multi-dimensional risk assessment system Showalter [Fig.8/item 808]).
Regarding claim 19 in view of claim 18, the references combined disclose “wherein a plurality of weights to a plurality of dimensional risk factors corresponding to a plurality of security dimensions are adjusted based on the change in security practices information” (Score application by sending extracted scoring data through multi-dimensional risk assessment system Showalter [Fig.8/item 808]).
Regarding claim 20, Lim discloses “a non-transitory computer readable medium comprising: computer code for receiving security practices information from a vendor computing system(server system [Fig.1/item 122]) and computing services interaction information from a client computing system(Client system [Fig.1/item 113]),, wherein the security practices information characterizes security measures in place at the vendor computing system(policy server rules [Fig.4/item 401]) and the computing services interaction information characterizes data for transmission from the client computing system to the vendor computing system(policy enforcer [Fig.9]).
Lim does not explicitly disclose “computer code for determining a risk profile for the vendor computing system by using a processor to estimate a first dimensional risk factor for a first security dimension associated with the security practices information; computer code for transmitting a risk profile message to the client computing system, wherein the risk profile message is client-specific to the client computing system and depends on information to be transmitted from the client computing system to the vendor computing system; and computer code for detecting a change in security practices information at the vendor computing system, wherein a first weight to a first dimensional risk factor corresponding to a first security dimension associated with security practices information is adjusted at the processor based on the change in security practices information.
However, Showalter in an analogous art discloses “computer code for determining a risk profile for the vendor computing system by using a processor to estimate a first dimensional risk factor for a first security dimension associated with the security practices information(method can also include scoring the application, using the one or more processors, by processing the scoring values in a multi-dimensional risk assessment system including an operational risk model Showalter [par.0009]); computer code for transmitting a risk profile message to the client computing system, wherein the risk profile message is client-specific to the client computing system and depends on information to be transmitted from the client computing system to the vendor computing system; and computer code for detecting a change in security practices information at the vendor computing system(Score application by sending extracted scoring data through multi-dimensional risk assessment system Showalter [Fig.8/item 808]), wherein a first weight to a first dimensional risk factor corresponding to a first security dimension associated with security practices information is adjusted at the processor based on the change in security practices information” (manufacture defect risk assessment system Showalter [Fig.1/item 102]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Lim’s system to detect behavioral patterns with Showalter’s risk assessment process in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Lim teaches a system which detect behavioral patterns, Showalter discloses a risk assessment process and both are from the same field of endeavor
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached at (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL D ANDERSON/Examiner, Art Unit 2433
/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433