System, method and medium for certifying and accrediting requirements compliance

US 20020069035A1
Filed: 02/28/2001
Published: 06/06/2002
Est. Priority Date: 08/09/2000
Status: Active Grant

First Claim

Patent Images

1. A computer-assisted method of assessing the risk of and/or determining the suitability of a target system to comply with at least one predefined standard, regulation and/or requirement, the target system including hardware and/or software, the method comprising the steps of:

a) collecting information descriptive of at least one aspect of the target system hardware and/or software, and/or a physical environment in which the system operates;

b) selecting at least one predefined standard, regulation and/or requirement with which the system is to comply;

c) generating a score for each of a plurality of threat elements, each score indicating a likelihood of that threat element affecting and/or impacting the target system;

d) selecting at least one test procedure against which the system is tested to satisfy the at least one predefined standard, regulation and/or requirement;

e) performing the steps associated with said at least one test procedure in said step d) to determine whether the target system passes or fails said at least one the test procedure; and

f) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more given threats to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each score generated in said step c) with a corresponding threat correlation indication of said step f) (1).

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented system, method and medium for assessing the risk of and/or determining the suitability of a system to comply with at least one predefined standard, regulation and/or requirement. In at least some embodiments of the present invention, the method comprises the steps of: 1) gathering information pertaining to the system, 2) selecting one or more requirements with which the system is to comply; 3) testing the system against the requirements; 4) performing risk assessment of the failed test procedures, and 5) generating certification documentation based on an assessment of the first four elements.

Citations

61 Claims

1. A computer-assisted method of assessing the risk of and/or determining the suitability of a target system to comply with at least one predefined standard, regulation and/or requirement, the target system including hardware and/or software, the method comprising the steps of:
- a) collecting information descriptive of at least one aspect of the target system hardware and/or software, and/or a physical environment in which the system operates;
  
  b) selecting at least one predefined standard, regulation and/or requirement with which the system is to comply;
  
  c) generating a score for each of a plurality of threat elements, each score indicating a likelihood of that threat element affecting and/or impacting the target system;
  
  d) selecting at least one test procedure against which the system is tested to satisfy the at least one predefined standard, regulation and/or requirement;
  
  e) performing the steps associated with said at least one test procedure in said step d) to determine whether the target system passes or fails said at least one the test procedure; and
  
  f) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more given threats to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each score generated in said step c) with a corresponding threat correlation indication of said step f) (1).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method according to claim 1 wherein the information collected in said step a) comprises at least one of central processing unit (CPU) manufacturer, CPU clock speed, operating system (OS) manufacturer, OS version, and OS patches.
  - 3. The method according to claim 1 wherein said selecting step b) is initially performed by the computer.
  - 4. The method according to claim 3, further comprising the step of enabling a user to optionally input at least one standard, regulation and/or requirement.
  - 5. The method according to claim 3, further comprising the step of enabling a user to optionally edit at least one standard, regulation and/or requirement.
  - 6. The method according to claim 1 wherein said scores for said step c) comprise at least one of:
    - a) negligible, wherein negligible indicates that the threat element is not applicable or has negligible likelihood of occurrence;
      
      b) low, wherein low indicates that the threat element has a relatively low likelihood of occurrence;
      
      c) medium, wherein medium indicates that the threat element has a medium likelihood of occurrence; and
      
      d) high, wherein high indicates that the threat element has a relatively high likelihood of occurrence.
  - 7. The method according to claim 1 wherein said score of said step c) is generated in response to one or more user provided inputs.
  - 8. The method according to claim 7 wherein the user can modify and/or edit said score as determined in said step c).
  - 9. The method according to claim 1 wherein said step c) threat elements comprise at least one of natural disaster elements, system failure elements, environmental failure elements, unintentional human elements, and intentional human elements.
  - 10. The method according to claim 9 wherein the natural disaster threat elements comprise at least one of fire, flood, earthquake, volcano, tornado and lighting elements.
  - 11. The method according to claim 9 wherein the system failure threat elements comprise at least one of a hardware failure, a power failure, and a communication link failure.
  - 12. The method according to claim 9 wherein the environmental failure threat elements comprise at least one of temperature, power, humidity, sand, dust, shock, and vibration.
  - 13. The method according to claim 9 wherein the human unintentional threat element comprises at least one of a software design error, a system design error, and an operator error.
  - 14. The method according to claim 9 wherein the human intentional threat elements comprise at least one of an authorized system administrator, an authorized maintenance personnel, an authorized user, a terrorist, a hacker, a saboteur, a thief, and a vandal.
  - 15. The method according to claim 1 wherein said step f) threat correlation indication comprises at least one of the following scores:
    - a) negligible, wherein negligible indicates that the threat is not applicable to the vulnerability;
      
      b) low, wherein low indicates that the threat has a low potential to exploit the vulnerability;
      
      c) medium, wherein medium indicates that the threat has a potential to exploit the vulnerability; and
      
      d) high, wherein high indicates that the threat has a relatively high potential to exploit the vulnerability.
  - 16. The method according to claim 15 wherein the risk assessment in said step f) is determined in accordance with the following steps:
    - a) for each element in the project threat profile and corresponding element in the threat correlation pattern;
      
      1) if a threat element as determined in said step c) is negligible and a corresponding element in the threat correlation indication as determined in said step f) is anything, then the overall risk of the element is negligible;
      
      2) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is negligible, then the overall risk of the element is low;
      
      3) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is low, then the overall risk of the element is low;
      
      4) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is medium, then the overall risk of the element is low;
      
      5) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is high, then the overall risk of the element is medium;
      
      6) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is negligible, then the overall risk of the element is negligible;
      
      7) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is low, then the overall risk of the element is low;
      
      8) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is medium, then the overall risk of the element is medium;
      
      9) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is high, then the overall risk of the element is medium;
      
      10) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is negligible, then the overall risk of the element is negligible;
      
      11) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is low, then the overall risk of the element is medium;
      
      12) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is medium, then the overall risk of the element is high; and
      
      13) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is high, then the overall risk of the element is high; and
      
      b) selecting the risk profile for the failed test procedure as being the highest overall risk element.
  - 17. The method according to claim 16, further comprising the step of determining an overall system risk.
  - 18. The method according to claim 17 wherein the overall system risk is the highest overall risk element of each of one or more failed test procedures.
  - 19. The method according to claim 17, further comprising the step of printing a documentation package that will enable a determination to be made whether the test system complies with the at least one predefined standard, regulation and/or requirement selected in said step b).
  - 20. The method according to claim 19 wherein the documentation package includes a risk assessment for at least one failed test procedure.
  - 21. The method according to claim 19 wherein the documentation package includes an overall system risk.

22. In a general purpose computing system, a computer-assisted and user assisted method for assessing the risk of and/or determining the suitability of a target system to comply with at least one predefined standard, regulation and/or requirement, the target system including hardware and/or software, the general purpose computing system interacting with a user and performing the steps of:
- a) collecting and/or receiving information descriptive of at least one aspect of the target system hardware and/or software, and/or a physical environment in which the system operates;
  
  b) selecting at least one predefined standard, regulation and/or requirement with which the system is to comply;
  
  c) generating a score for each of a plurality of threat elements, each score indicating a likelihood of that threat element affecting and/or impacting the target system;
  
  d) selecting at least one test procedure against which the target system is tested to satisfy the at least one predefined standard, regulation and/or requirement;
  
  e) performing the steps associated with said at least one test procedure in said step d) to determine whether the target system passes or fails said at least one the test procedure; and
  
  f) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more given threats to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each score generated in said step c) with a corresponding threat correlation indication of said step f) (1).
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 23. The general purpose computing system according to claim 22 wherein the information collected in said step a) comprises at least one of central processing unit (CPU) manufacturer, CPU clock speed, operating system (OS) manufacturer, OS version, and OS patches.
  - 24. The general purpose computing system according to claim 23, wherein the user can optionally input at least one standard, regulation and/or requirement.
  - 25. The general purpose computing system according to claim 23, wherein the user can optionally edit at least one standard, regulation and/or requirement.
  - 26. The general purpose computing system according to claim 22 wherein said scores for said step c) comprise at least one of:
    - a) negligible, wherein negligible indicates that the threat element is not applicable or has negligible likelihood of occurrence;
      
      b) low, wherein low indicates that the threat element has a relatively low likelihood of occurrence;
      
      c) medium, wherein medium indicates that the threat element has a medium likelihood of occurrence; and
      
      d) high, wherein high indicates that the threat element has a relatively high likelihood of occurrence.
  - 27. The general purpose computing system according to claim 22 wherein said score of said step c) is generated in response to one or more user provided inputs.
  - 28. The general purpose computing system according to claim 27 wherein the user can modify and/or edit said score as determined in said step c).
  - 29. The general purpose computing system according to claim 22 wherein said step c) threat elements comprise at least one of natural disaster elements, system failure elements, environmental failure elements, unintentional human elements, and intentional human elements.
  - 30. The general purpose computing system according to claim 29 wherein the natural disaster threat elements comprise at least one of fire, flood, earthquake, volcano, tornado and lighting elements.
  - 31. The general purpose computing system according to claim 29 wherein the system failure threat elements comprise at least one of a hardware failure, a power failure, and a communication link failure.
  - 32. The general purpose computing system according to claim 29 wherein the environmental failure threat elements comprise at least one of temperature, power, humidity, sand, dust, shock, and vibration.
  - 33. The general purpose computing system according to claim 29 wherein the human unintentional threat element comprises at least one of a software design error, a system design error, and an operator error.
  - 34. The general purpose computing system according to claim 29 wherein the human intentional threat elements comprise at least one of an authorized system administrator, an authorized maintenance personnel, an authorized user, a terrorist, a hacker, a saboteur, a thief, and a vandal.
  - 35. The general purpose computing system according to claim 22 wherein said step f) threat correlation indication comprises at least one of the following scores:
    - a) negligible, wherein negligible indicates that the threat element is not applicable to the vulnerability;
      
      b) low, wherein low indicates that the threat element has a low potential to exploit the vulnerability;
      
      c) medium, wherein medium indicates that the threat element has a potential to exploit the vulnerability; and
      
      d) high, wherein high indicates that the threat element has a relatively high potential to exploit the vulnerability.
  - 36. The general purpose computing system according to claim 35 wherein the risk assessment in said step f) is determined in accordance with the following steps:
    - a) for each element in the project threat profile and corresponding element in the threat correlation pattern;
      
      1) if a threat element as determined in said step c) is negligible and a corresponding element in the threat correlation indication as determined in said step f) is anything, then the overall risk of the element is negligible;
      
      2) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is negligible, then the overall risk of the element is low;
      
      3) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is low, then the overall risk of the element is low;
      
      4) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is medium, then the overall risk of the element is low;
      
      5) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is high, then the overall risk of the element is medium;
      
      6) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is negligible, then the overall risk of the element is negligible;
      
      7) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is low, then the overall risk of the element is low;
      
      8) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is medium, then the overall risk of the element is medium;
      
      9) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is high, then the overall risk of the element is medium;
      
      10) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is negligible, then the overall risk of the element is negligible;
      
      11) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is low, then the overall risk of the element is medium;
      
      12) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is medium, then the overall risk of the element is high; and
      
      13) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is high, then the overall risk of the element is high; and
      
      b) selecting the risk profile for the failed test procedure as being the highest overall risk element.
  - 37. The general purpose computing system according to claim 36, further comprising the step of determining an overall system risk.
  - 38. The general purpose computing system according to claim 37 wherein the overall system risk is the highest overall risk element of each of one or more failed test procedures.
  - 39. The general purpose computing system according to claim 37, wherein the general purpose computing system prints a documentation package that will enable a determination to be made whether the test system complies with the at least one predefined standard, regulation and/or requirement selected in said step b).
  - 40. The general purpose computing system according to claim 39 wherein the documentation package includes a risk assessment for at least one failed test procedure.
  - 41. The general purpose computing system according to claim 39 wherein the documentation package includes an overall system risk.

42. A computer program medium storing computer instructions therein for instructing a computer to perform a computer-implemented and user assisted process for assessing the risk of and/or determining the suitability of a target system to comply with at least one predefined standard, regulation and/or requirement, the target system including hardware and/or software, the program medium comprising:
- a recording medium readable by the computer; and
  
  the computer instructions stored on said recording medium instructing the computer to perform the computer-implemented and user assisted process, the instructions including;
  
  a) collecting and/or receiving information descriptive of at least one aspect of the target system hardware and/or software, and/or a physical environment in which the system operates;
  
  b) selecting at least one predefined standard, regulation and/or requirement with which the system is to comply;
  
  c) generating a score for each of a plurality of threat elements, each score indicating a likelihood of that threat elements affecting and/or impacting the system;
  
  d) selecting at least one test procedure against which the system is tested to satisfy the at least one predefined standard, regulation and/or requirement;
  
  e) performing the steps associated with said at least one test procedure in said step d) to determine whether the target system passes or fails said at least one the test procedure; and
  
  f) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more given threats to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each threat element generated in said step c) with said threat correlation indication of said step f)(1).
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 43. The computer program medium according to claim 42 wherein the information collected in said instruction a) comprises at least one of central processing unit (CPU) manufacturer, CPU clock speed, operating system (OS) manufacturer, OS version, and OS patches.
  - 44. The computer program medium according to claim 43, further comprising instructions that enable the user to optionally input at least one standard, regulation and/or requirement.
  - 45. The computer program medium according to claim 43, further comprising instructions that enable the user to optionally edit at least one standard, regulation and/or requirement.
  - 46. The computer program medium according to claim 42 wherein said scores for said step c) comprise at least one of:
    - a) negligible, wherein negligible indicates that the threat element is not applicable or has negligible likelihood of occurrence;
      
      b) low, wherein low indicates that the threat element has a relatively low likelihood of occurrence;
      
      c) medium, wherein medium indicates that the threat element has a medium likelihood of occurrence; and
      
      d) high, wherein high indicates that the threat element has a relatively high likelihood of occurrence.
  - 47. The computer program medium according to claim 42 wherein said score of said step c) is generated in response to one or more user provided inputs.
  - 48. The computer program medium according to claim 47 wherein the user can modify and/or edit said score as determined in said step c).
  - 49. The computer program medium according to claim 42 wherein said instruction c) threat elements comprise at least one of natural disaster elements, system failure elements, environmental failure elements, unintentional human elements, and intentional human elements.
  - 50. The computer program medium according to claim 49 wherein the natural disaster threat elements comprise at least one of fire, flood, earthquake, volcano, tornado and lighting elements.
  - 51. The computer program medium according to claim 49 wherein the system failure threat elements comprise at least one of a hardware failure, a power failure, and a communication link failure.
  - 52. The computer program medium according to claim 49 wherein the environmental failure threat elements comprise at least one of temperature, power, humidity, sand, dust, shock, and vibration.
  - 53. The computer program medium according to claim 49 wherein the human unintentional threat elements comprise at least one of a software design error, a system design error, and an operator error.
  - 54. The computer program medium according to claim 49 wherein the human intentional threat elements comprise at least one of an authorized system administrator, an authorized maintenance personnel, an authorized user, a terrorist, a hacker, a saboteur, a thief, and a vandal.
  - 55. The computer program medium according to claim 42 wherein said instruction f) threat correlation indication comprises at least one of the following scores:
    - a) negligible, wherein negligible indicates that the threat element is not applicable to the vulnerability;
      
      b) low, wherein low indicates that the threat element has a low potential to exploit the vulnerability;
      
      c) medium, wherein medium indicates that the threat element has a potential to exploit the vulnerability; and
      
      d) high, wherein high indicates that the threat element has a relatively high potential to exploit the vulnerability.
  - 56. The computer program medium according to claim 55 wherein the risk profile in said instruction f) is determined in accordance with the following steps:
    - a) for each element in the project threat profile and corresponding element in the threat correlation pattern;
      
      1) if a threat element as determined in said step c) is negligible and a corresponding element in the threat correlation indication as determined in said step f) is anything, then the overall risk of the element is negligible;
      
      2) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is negligible, then the overall risk of the element is low;
      
      3) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is low, then the overall risk of the element is low;
      
      4) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is medium, then the overall risk of the element is low;
      
      5) if a threat element as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step f) is high, then the overall risk of the element is medium;
      
      6) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is negligible, then the overall risk of the element is negligible;
      
      7) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is low, then the overall risk of the element is low;
      
      8) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is medium, then the overall risk of the element is medium;
      
      9) if a threat element as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step f) is high, then the overall risk of the element is medium;
      
      10) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is negligible, then the overall risk of the element is negligible;
      
      11) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is low, then the overall risk of the element is medium;
      
      12) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is medium, then the overall risk of the element is high; and
      
      13) if a threat element as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step f) is high, then the overall risk of the element is high; and
      
      b) selecting the risk profile for the failed test procedure as being the highest overall risk element.
  - 57. The computer program medium according to claim 56, further comprising instructions for determining an overall system risk.
  - 58. The computer program medium according to claim 57 wherein the overall system risk is the highest overall risk element of each of one or more failed test procedures.
  - 59. The computer program medium according to claim 57, further comprising instructions for generating and printing a documentation package that will enable a determination to be made whether the test system complies with the at least one predefined standard, regulation and/or requirement.
  - 60. The computer program medium according to claim 59 wherein the documentation package includes a risk assessment for at least one failed test procedure.
  - 61. The computer program medium according to claim 59 wherein the documentation package includes an overall system risk.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
David J. Wilson, Gary M. Catlin, Hugh Barrett, Larry L. Hall Jr, Lon J. Berman, Peter A. Smith, Richard P. Tracy
Original Assignee
David J. Wilson, Gary M. Catlin, Hugh Barrett, Larry L. Hall Jr, Lon J. Berman, Peter A. Smith, Richard P. Tracy
Inventors
Smith, Peter A., Wilson, David J., Barrett, Hugh, Catlin, Gary M., Tracy, Richard P., Berman, Lon J., Hall, Larry L. Jr.

Granted Patent

US 6,901,346 B2
Time in Patent Office

Days
Field of Search
US Class Current

702/181
CPC Class Codes

G06Q 30/018 Certifying business or prod...

G06Q 40/08 Insurance

System, method and medium for certifying and accrediting requirements compliance

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

61 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and medium for certifying and accrediting requirements compliance

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

61 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links