Performing an Automated Compliance Audit by Vulnerabilities

US 20140215630A1
Filed: 01/31/2013
Published: 07/31/2014
Est. Priority Date: 01/31/2013
Status: Active Grant

First Claim

Patent Images

1. An automated enterprise compliance auditing by vulnerabilities system comprising:

an enterprise asset database comprising details of assets of said enterprise;

at least one compliance regulation, each of said at least one compliance regulation comprising at least one compliance control;

a known asset vulnerabilities database comprising details of publicly known asset vulnerabilities;

compliance control associating functionality to associate each of a set of audited assets with at least a subset of compliance controls of said at least one compliance regulation, said set of audited assets being at least a subset of said assets of said enterprise;

vulnerability mapping functionality to map each compliance control of said at least one compliance regulation to a subset of said publicly known asset vulnerabilities which may potentially impact compliance of at least one of said audited assets therewith;

asset scanning functionality to scan each audited asset of said set of audited assets to ascertain to which of said publicly known asset vulnerabilities said audited asset is vulnerable to; and

numeric compliance score calculating functionality to, responsive to said associating, said mapping and said scanning, calculate for each of said set of audited assets, a numeric compliance score for each compliance control associated therewith, said numeric compliance score being within a range of possible numeric compliance scores.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated enterprise compliance auditing by vulnerabilities system including an enterprise asset database, a compliance regulation including compliance controls, a known asset vulnerabilities database including details of publicly known asset vulnerabilities, compliance control associating functionality to associate each of a set of audited assets with at least a subset of compliance controls of the compliance regulation, the audited assets being a subset of the enterprise assets, vulnerability mapping functionality to map each compliance control to a subset of the known asset vulnerabilities which may impact compliance of at least one of the audited assets therewith, asset scanning functionality to scan each audited asset to ascertain to which publicly known asset vulnerabilities the audited asset is vulnerable to, and numeric compliance score calculating functionality to, responsive to the associating, mapping and scanning, calculate for each audited asset, a numeric compliance score for each compliance control associated therewith.

24 Citations

View as Search Results

15 Claims

1. An automated enterprise compliance auditing by vulnerabilities system comprising:
- an enterprise asset database comprising details of assets of said enterprise;
  
  at least one compliance regulation, each of said at least one compliance regulation comprising at least one compliance control;
  
  a known asset vulnerabilities database comprising details of publicly known asset vulnerabilities;
  
  compliance control associating functionality to associate each of a set of audited assets with at least a subset of compliance controls of said at least one compliance regulation, said set of audited assets being at least a subset of said assets of said enterprise;
  
  vulnerability mapping functionality to map each compliance control of said at least one compliance regulation to a subset of said publicly known asset vulnerabilities which may potentially impact compliance of at least one of said audited assets therewith;
  
  asset scanning functionality to scan each audited asset of said set of audited assets to ascertain to which of said publicly known asset vulnerabilities said audited asset is vulnerable to; and
  
  numeric compliance score calculating functionality to, responsive to said associating, said mapping and said scanning, calculate for each of said set of audited assets, a numeric compliance score for each compliance control associated therewith, said numeric compliance score being within a range of possible numeric compliance scores.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. An automated enterprise compliance auditing by vulnerabilities system according to claim 1 and wherein said database also comprises a hierarchical structure of said assets.
  - 3. An automated enterprise compliance auditing by vulnerabilities system according to claim 1 and wherein each of said publicly known asset vulnerabilities has a severity value associated therewith.
  - 4. An automated enterprise compliance auditing by vulnerabilities system according to claim 1 and wherein when calculating said numeric compliance score for each of said set of audited assets, said numeric compliance score calculating functionality is operative to consider at least one of:
    - a preexisting compliance score for said audited asset;
      
      a number of said publicly known asset vulnerabilities to which said audited asset is vulnerable to; and
      
      a severity of each of said publicly known asset vulnerabilities to which said audited asset is vulnerable to.
  - 5. An automated enterprise compliance auditing by vulnerabilities system according to claim 4 and wherein when calculating said numeric compliance score for each of said set of audited assets, a high severity publicly known asset vulnerability has a higher impact on said numeric compliance score of an audited asset vulnerable thereto than a low severity publicly known asset vulnerability.
  - 6. An automated enterprise compliance auditing by vulnerabilities system according to claim 4 and wherein when calculating said numeric compliance score for each of said set of audited assets, a publicly known asset vulnerability having a highest severity among said publicly known asset vulnerabilities to which said audited asset is vulnerable to, has a highest impact on said numeric compliance score of an audited asset.

7. A computer product for automatic asset compliance auditing in an enterprise, including a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to associate each of a set of audited assets with at least a subset of compliance controls of at least one compliance regulation, said set of audited assets being at least a subset of said assets of said enterprise, to map each compliance control of said at least one compliance regulation to a subset of a collection of publicly known asset vulnerabilities which may potentially impact compliance of at least one of said audited assets therewith, to scan each audited asset of said set of audited assets to ascertain to which of said collection of publicly known asset vulnerabilities said audited asset is vulnerable to, and responsive to said associating, said mapping and said scanning, to calculate, for each of said set of audited assets, a numeric compliance score for each compliance control associated therewith, said numeric compliance score being within a range of possible numeric compliance scores.
- View Dependent Claims (8, 9, 10, 11)
- - 8. A computer product for automatic asset compliance auditing in an enterprise according to claim 7 and wherein each of said publicly known asset vulnerabilities has a severity value associated therewith.
  - 9. A computer product for automatic asset compliance auditing in an enterprise according to claim 7 and wherein said numeric compliance score is calculated for each of said set of audited assets by considering at least one of:
    - a preexisting compliance score for said audited asset;
      
      a number of said publicly known asset vulnerabilities to which said audited asset is vulnerable to; and
      
      a severity of each of said publicly known asset vulnerabilities to which said audited asset is vulnerable to.
  - 10. A computer product for automatic asset compliance auditing in an enterprise according to claim 9 and wherein when calculating said numeric compliance score for each of said set of audited assets, a high severity publicly known asset vulnerability has a higher impact on said numeric compliance score of an audited asset vulnerable thereto than a low severity publicly known asset vulnerability.
  - 11. A computer product for automatic asset compliance auditing in an enterprise according to claim 9 and wherein when calculating said numeric compliance score for each of said set of audited assets, a publicly known asset vulnerability having a highest severity among said publicly known asset vulnerabilities to which said audited asset is vulnerable to, has a highest impact on said numeric compliance score of an audited asset.

12. A method for asset compliance auditing in an enterprise, said method comprising:
- associating each of a set of audited assets with at least a subset of compliance controls of at least one compliance regulation, said set of audited assets being at least a subset of said assets of said enterprise;
  
  mapping each compliance control of said at least one compliance regulation to a subset of a collection of publicly known asset vulnerabilities which may potentially impact compliance of at least one of said assets therewith;
  
  scanning each audited asset of said set of audited assets to ascertain to which of said collection of publicly known asset vulnerabilities said audited asset is vulnerable to; and
  
  responsive to said associating, said mapping and said scanning, calculating via at least one processor, for each of said set of audited assets, a numeric compliance score corresponding to each compliance control associated therewith, a numeric compliance score for each compliance control associated therewith, said numeric compliance score being within a range of possible numeric compliance scores.
- View Dependent Claims (13, 14, 15)
- - 13. A method for asset compliance auditing in an enterprise according to claim 12 and wherein each of said publicly known asset vulnerabilities has a severity value associated therewith.
  - 14. A method for asset compliance auditing in an enterprise according to claim 12 and wherein said numeric compliance score is calculated for each of said set of audited assets by considering at least one of:
    - a preexisting compliance score for said audited asset;
      
      a number of said publicly known asset vulnerabilities to which said audited asset is vulnerable to; and
      
      a severity of each of said publicly known asset vulnerabilities to which said audited asset is vulnerable to.
  - 15. A method for asset compliance auditing in an enterprise according to claim 12 and wherein:
    - when calculating said numeric compliance score for each of said set of audited assets, a high severity publicly known asset vulnerability has a higher impact on said numeric compliance score of an audited asset vulnerable thereto than a low severity publicly known asset vulnerability; and
      
      when calculating said numeric compliance score for each of said set of audited assets, a publicly known asset vulnerability having a highest severity among said publicly known asset vulnerabilities to which said audited asset is vulnerable to, has a highest impact on said numeric compliance score of an audited asset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Raz, Barak, Feher, Ben

Granted Patent

US 8,893,283 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

H04L 63/1433 Vulnerability analysis

Performing an Automated Compliance Audit by Vulnerabilities

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Performing an Automated Compliance Audit by Vulnerabilities

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links