System, method and medium for certifying and accrediting requirements compliance

US 6,901,346 B2
Filed: 02/28/2001
Issued: 05/31/2005
Est. Priority Date: 08/09/2000
Status: Expired due to Term

- Alert
- Pin

First Claim

Patent Images

1. A computer-assisted method of assessing the risk of and/or determining the suitability of a target system to comply with at least one predefined standard, regulation and/or requirement, the target system including hardware and/or software, the method comprising the steps of:

a) collecting information descriptive of at least one aspect of the target system hardware and/or software, and/or a physical environment in which the target system operates;

b) selecting at least one predefined standard, regulation and/or requirement with which the target system is to comply;

c) generating a score for each of a plurality of threat elements, each score indicating a likelihood of that threat element affecting and/or impacting the target system;

d) selecting at least one test procedure against which the target system is tested to satisfy the at least one predefined standard, regulation and/or requirement;

e) performing the steps associated with said at least one test procedure in said step d) to determine whether the target system passes or fails said at least one test procedure; and

f) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more threat elements to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each score generated in said step c) with a corresponding threat correlation indication of said step f) (1).

View all claims

6 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A computer-implemented system, method and medium for assessing the risk of and/or determining the suitability of a system to comply with at least one predefined standard, regulation and/or requirement. In at least some embodiments of the present invention, the method can utilize the steps of: 1) gathering information pertaining to the system, 2) selecting one or more requirements with which the system is to comply; 3) testing the system against the requirements; 4) performing risk assessment of the failed test procedures, and 5) generating certification documentation based on an assessment of the first four elements.

381 Citations

61 Claims

1. A computer-assisted method of assessing the risk of and/or determining the suitability of a target system to comply with at least one predefined standard, regulation and/or requirement, the target system including hardware and/or software, the method comprising the steps of:
- a) collecting information descriptive of at least one aspect of the target system hardware and/or software, and/or a physical environment in which the target system operates;
  
  b) selecting at least one predefined standard, regulation and/or requirement with which the target system is to comply;
  
  c) generating a score for each of a plurality of threat elements, each score indicating a likelihood of that threat element affecting and/or impacting the target system;
  
  d) selecting at least one test procedure against which the target system is tested to satisfy the at least one predefined standard, regulation and/or requirement;
  
  e) performing the steps associated with said at least one test procedure in said step d) to determine whether the target system passes or fails said at least one test procedure; and
  
  f) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more threat elements to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each score generated in said step c) with a corresponding threat correlation indication of said step f) (1).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The computer-assisted method according to claim 1 wherein the information collected in said step a) comprises at least one of central processing unit (CPU) manufacturer, CPU clock speed, operating system (OS) manufacturer, OS version, and OS patches.
  - 3. The computer-assisted method according to claim 1 wherein said selecting step b) is initially performed by the computer.
  - 4. The computer-assisted method according to claim 3, further comprising the step of enabling a user to optionally input at least one standard, regulation and/or requirement.
  - 5. The computer-assisted method according to claim 3, further comprising the step of enabling a user to optionally edit at least one standard, regulation and/or requirement.
  - 6. The computer-assisted method according to claim 1 wherein said scores for said step c) comprise at least one of:
    - a) negligible, wherein negligible indicates that the threat element is not applicable or has negligible likelihood of occurrence;
      
      b) low, wherein low indicates that the threat element has a relatively low likelihood of occurrence;
      
      c) medium, wherein medium indicates that the threat element has a medium likelihood of occurrence; and
      
      d) high, wherein high indicates that the threat element has a relatively high likelihood of occurrence.
  - 7. The computer-assisted method according to claim 1 wherein said score of said step c) is generated in response to one or more inputs provided by a user.
  - 8. The computer-assisted method according to claim 7 wherein the user can modify and/or edit said score as determined in said step c).
  - 9. The computer-assisted method according to claim 1 wherein said step c) plurality of threat elements comprise at least one of natural disaster elements, target system failure elements, environmental failure elements, unintentional human elements, and intentional human elements.
  - 10. The computer-assisted method according to claim 9 wherein the natural disaster threat elements comprise at least one of fire, flood, earthquake, volcano, tornado and lighting elements.
  - 11. The computer-assisted method according to claim 9 wherein the target system failure threat elements comprise at least one of a hardware failure, a power failure, and a communication link failure.
  - 12. The computer-assisted method according to claim 9 wherein the environmental failure threat elements comprise at least one of temperature, power, humidity, sand, dust, shock, and vibration.
  - 13. The computer-assisted method according to claim 9 wherein the human unintentional threat element comprises at least one of a software design error, a target system design error, and an operator error.
  - 14. The computer-assisted method according to claim 9 wherein the human intentional threat elements comprise at least one of an authorized target system administrator, an authorized maintenance personnel, an authorized user, a terrorist, a hacker, a saboteur, a thief, and a vandal.
  - 15. The computer-assisted method according to claim 1 wherein said step f1) threat correlation indication comprises at least one of the following scores:
    - negligible, wherein negligible indicates that the threat element is not applicable to the vulnerability;
      
      low, wherein low indicates that the threat element has a low potential to exploit the vulnerability;
      
      medium, wherein medium indicates that the threat element has a potential to exploit the vulnerability; and
      
      high, wherein high indicates that the threat element has a relatively high potential to exploit the vulnerability.
  - 16. The computer-assisted method according to claim 15 wherein the risk assessment in said step f2) is determined in accordance with the following steps:
    - a) for each threat element in a project threat profile and corresponding threat element in a threat correlation pattern;
      
      1) if a threat element as determined in said step c) is negligible and a corresponding threat element in the threat correlation indication as determined in said step f1) is anything, then the overall risk of the element is negligible;
      
      2) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is negligible, then the overall risk of the element is low;
      
      3) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is low, then the overall risk of the element is low;
      
      4) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is medium, then the overall risk of the element is low;
      
      5) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is high, then the overall risk of the element is medium;
      
      6) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is negligible, then the overall risk of the element is negligible;
      
      7) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is low, then the overall risk of the element is low;
      
      8) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is medium, then the overall risk of the element is medium;
      
      9) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is high, then the overall risk of the element is medium;
      
      10) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is negligible, then the overall risk of the element is negligible;
      
      11) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is low, then the overall risk of the element is medium;
      
      12) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is medium, then the overall risk of the element is high; and
      
      13) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is high, then the overall risk of the element is high; and
      
      b) selecting a risk profile for a failed test procedure as being the highest overall risk element.
  - 17. The computer-assisted method according to claim 16, further comprising the step of determining an overall target system risk.
  - 18. The computer-assisted method according to claim 17 wherein the overall target system risk is the highest overall risk element of each of one or more failed test procedures.
  - 19. The computer-assisted method according to claim 17, further comprising the step of printing a documentation package that will enable a determination to be made whether the target system complies with the at least one predefined standard, regulation and/or requirement selected in said step b).
  - 20. The computer-assisted method according to claim 19 wherein the documentation package includes a risk assessment for at least one failed test procedure.
  - 21. The computer-assisted method according to claim 19 wherein the documentation package includes an overall target system risk.

22. A general purpose computing system for implementing a method for assessing the risk of and/or determining the suitability of a target system to comply with at least one predefined standard, regulation and/or requirement, the target system including hardware and/or software, the general purpose computing system interacting with a user to implement the method comprising the steps of:
- a) collecting and/or receiving information descriptive of at least one aspect of the target system hardware and/or software, and/or a physical environment in which the target system operates;
  
  b) selecting at least one predefined standard, regulation and/or requirement with which the target system is to comply;
  
  c) generating a score for each of a plurality of threat elements, each score indicating a likelihood of that threat element affecting and/or impacting the target system;
  
  d) selecting at least one test procedure against which the target system is tested to satisfy the at least one predefined standard, regulation and/or requirement;
  
  e) performing the steps associated with said at least one test procedure in said step d) to determine whether the target system passes or fails said at least one test procedure; and
  
  f) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more threat elements to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each score generated in said step c) with a corresponding threat correlation indication of said step f) (1).
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 23. The general purpose computing system according to claim 22 wherein the information collected in said step a) comprises at least one of central processing unit (CPU) manufacturer, CPU clock speed, operating system (OS) manufacturer, OS version, and OS patches.
  - 24. The general purpose computing system according to claim 23, wherein the user can optionally input at least one standard, regulation and/or requirement.
  - 25. The general purpose computing system according to claim 23, wherein the user can optionally edit at least one standard, regulation and/or requirement.
  - 26. The general purpose computing system according to claim 22 wherein said scores for said step c) comprise at least one of:
    - a) negligible, wherein negligible indicates that the threat element is not applicable or has negligible likelihood of occurrence;
      
      b) low, wherein low indicates that the threat element has a relatively low likelihood of occurrence;
      
      c) medium, wherein medium indicates that the threat element has a medium likelihood of occurrence; and
      
      d) high, wherein high indicates that the threat element has a relatively high likelihood of occurrence.
  - 27. The general purpose computing system according to claim 22 wherein said score of said step c) is generated in response to one or more user provided inputs.
  - 28. The general purpose computing system according to claim 27 wherein the user can modify and/or edit said score as determined in said step c).
  - 29. The general purpose computing system according to claim 22 wherein said step c) plurality of threat elements comprise at least one of natural disaster elements, target system failure elements, environmental failure elements, unintentional human elements, and intentional human elements.
  - 30. The general purpose computing system according to claim 29 wherein the natural disaster threat elements comprise at least one of fire, flood, earthquake, volcano, tornado and lighting elements.
  - 31. The general purpose computing system according to claim 29 wherein the target system failure threat elements comprise at least one of a hardware failure, a power failure, and a communication link failure.
  - 32. The general purpose computing system according to claim 29 wherein the environmental failure threat elements comprise at least one of temperature, power, humidity, sand, dust, shock, and vibration.
  - 33. The general purpose computing system according to claim 29 wherein the human unintentional threat element comprises at least one of a software design error, a target system design error, and an operator error.
  - 34. The general purpose computing system according to claim 29 wherein the human intentional threat elements comprise at least one of an authorized target system administrator, an authorized maintenance personnel, an authorized user, a terrorist, a hacker, a saboteur, a thief, and a vandal.
  - 35. The general purpose computing system according to claim 22 wherein said step f1) threat correlation indication comprises at least one of the following scores:
    - negligible, wherein negligible indicates that the threat element is not applicable to the vulnerability;
      
      low, wherein low indicates that the threat element has a low potential to exploit the vulnerability;
      
      medium, wherein medium indicates that the threat element has a potential to exploit the vulnerability; and
      
      high, wherein high indicates that the threat element has a relatively high potential to exploit the vulnerability.
  - 36. The general purpose computing system according to claim 35 wherein the risk assessment in said step f2) is determined in accordance with the following steps:
    - a) for each threat element in a project threat profile and corresponding element in a threat correlation pattern;
      
      1) if a threat element as determined in said step c) is negligible and a corresponding threat element in the threat correlation indication as determined in said step f1) is anything, then the overall risk of the element is negligible;
      
      2) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is negligible, then the overall risk of the element is low;
      
      3) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is low, then the overall risk of the element is low;
      
      4) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is medium, then the overall risk of the element is low;
      
      5) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is high, then the overall risk of the element is medium;
      
      6) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is negligible, then the overall risk of the element is negligible;
      
      7) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is low, then the overall risk of the element is low;
      
      8) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is medium, then the overall risk of the element is medium;
      
      9) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is high, then the overall risk of the element is medium;
      
      10) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is negligible, then the overall risk of the element is negligible;
      
      11) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is low, then the overall risk of the element is medium;
      
      12) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is medium, then the overall risk of the element is high; and
      
      13) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is high, then the overall risk of the element is high; and
      
      b) selecting a risk profile for a failed test procedure as being the highest overall risk element.
  - 37. The general purpose computing system according to claim 36, further comprising the step of determining an overall target system risk.
  - 38. The general purpose computing system according to claim 37 wherein the overall target system risk is the highest overall risk element of each of one or more failed test procedures.
  - 39. The general purpose computing system according to claim 37, wherein the general purpose computing system prints a documentation package that will enable a determination to be made whether the target system complies with the at least one selected predefined standard, regulation and/or requirement.
  - 40. The general purpose computing system according to claim 39 wherein the documentation package includes a risk assessment for at least one failed test procedure.
  - 41. The general purpose computing system according to claim 39 wherein the documentation package includes an overall target system risk.

42. A computer program medium storing computer instructions therein for instructing a computer to perform a computer-implemented and user assisted process for assessing the risk of and/or determining the suitability of a target system to comply with at least one predefined standard, regulation and/or requirement, the target system including hardware and/or software, the program medium comprising:
- a recording medium readable by the computer; and
  
  the computer instructions stored on said recording medium instructing the computer to perform the computer-implemented and user assisted process, the instructions including;
  
  a) collecting and/or receiving information descriptive of at least one aspect of the target system hardware and/or software, and/or a physical environment in which the target system operates;
  
  b) selecting at least one predefined standard, regulation and/or requirement with which the target system is to comply;
  
  c) generating a score for each of a plurality of threat elements, each score indicating a likelihood of that threat elements affecting and/or impacting the target system;
  
  d) selecting at least one test procedure against which the target system is tested to satisfy the at least one predefined standard, regulation and/or requirement;
  
  e) performing the steps associated with said at least one test procedure in said step d) to determine whether the target system passes or fails said at least one test procedure; and
  
  f) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more threat elements to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each threat element generated in said step c) with said threat correlation indication of said step f) (1).
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 43. The computer program medium according to claim 42 wherein the information collected in said instruction a) comprises at least one of central processing unit (CPU) manufacturer, CPU clock speed, operating system (OS) manufacturer, OS version, and OS patches.
  - 44. The computer program medium according to claim 43, further comprising instructions that enable the user to optionally input at least one standard, regulation and/or requirement.
  - 45. The computer program medium according to claim 43, further comprising instructions that enable the user to optionally edit at least one standard, regulation and/or requirement.
  - 46. The computer program medium according to claim 42 wherein said scores for said step c) comprise at least one of:
    - a) negligible, wherein negligible indicates that the threat element is not applicable or has negligible likelihood of occurrence;
      
      b) low, wherein low indicates that the threat element has a relatively low likelihood of occurrence;
      
      c) medium, wherein medium indicates that the threat element has a medium likelihood of occurrence; and
      
      d) high, wherein high indicates that the threat element has a relatively high likelihood of occurrence.
  - 47. The computer program medium according to claim 42 wherein said score of said step c) is generated in response to one or more user provided inputs.
  - 48. The computer program medium according to claim 47 wherein the user can modify and/or edit said score as determined in said step c).
  - 49. The computer program medium according to claim 42 wherein said instruction c) threat elements comprise at least one of natural disaster elements, target system failure elements, environmental failure elements, unintentional human elements, and intentional human elements.
  - 50. The computer program medium according to claim 49 wherein the natural disaster threat elements comprise at least one of fire, flood, earthquake, volcano, tornado and lighting elements.
  - 51. The computer program medium according to claim 49 wherein the target system failure threat elements comprise at least one of a hardware failure, a power failure, and a communication link failure.
  - 52. The computer program medium according to claim 49 wherein the environmental failure threat elements comprise at least one of temperature, power, humidity, sand, dust, shock, and vibration.
  - 53. The computer program medium according to claim 49 wherein the human unintentional threat elements comprise at least one of a software design error, a target system design error, and an operator error.
  - 54. The computer program medium according to claim 49 wherein the human intentional threat elements comprise at least one of an authorized target system administrator, an authorized maintenance personnel, an authorized user, a terrorist, a hacker, a saboteur, a thief, and a vandal.
  - 55. The computer program medium according to claim 42 wherein said instruction f1) threat correlation indication comprises at least one of the following scores:
    - negligible, wherein negligible indicates that the threat element is not applicable to the vulnerability;
      
      low, wherein low indicates that the threat element has a low potential to exploit the vulnerability;
      
      medium, wherein medium indicates that the threat element has a potential to exploit the vulnerability; and
      
      high, wherein high indicates that the threat element has a relatively high potential to exploit the vulnerability.
  - 56. The computer program medium according to claim 55 wherein the risk assessment in said instruction f2) is determined in accordance with the following steps:
    - a) for each element in a project threat profile and corresponding element in a threat correlation pattern;
      
      1) if a threat element as determined in said step c) is negligible and a corresponding threat element in the threat correlation indication as determined in said step f1) is anything, then the overall risk of the element is negligible;
      
      2) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is negligible, then the overall risk of the element is low;
      
      3) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is low, then the overall risk of the element is low;
      
      4) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is medium, then the overall risk of the element is low;
      
      5) if a threat element as determined in said step c) is low and the corresponding threat element in the threat correlation indication as determined in said step f1) is high, then the overall risk of the element is medium;
      
      6) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is negligible, then the overall risk of the element is negligible;
      
      7) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is low, then the overall risk of the element is low;
      
      8) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is medium, then the overall risk of the element is medium;
      
      9) if a threat element as determined in said step c) is medium and the corresponding threat element in the threat correlation indication as determined in said step f1) is high, then the overall risk of the element is medium;
      
      10) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is negligible, then the overall risk of the element is negligible;
      
      11) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is low, then the overall risk of the element is medium;
      
      12) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is medium, then the overall risk of the element is high; and
      
      13) if a threat element as determined in said step c) is high and the corresponding threat element in the threat correlation indication as determined in said step f1) is high, then the overall risk of the element is high; and
      
      b) selecting a risk profile for a failed test procedure as being the highest overall risk element.
  - 57. The computer program medium according to claim 56, further comprising instructions for determining an overall target system risk.
  - 58. The computer program medium according to claim 57 wherein the overall target system risk is the highest overall risk element of each of one or more failed test procedures.
  - 59. The computer program medium according to claim 57, further comprising instructions for generating and printing a documentation package that will enable a determination to be made whether the target system complies with the at least one predefined standard, regulation and/or requirement.
  - 60. The computer program medium according to claim 59 wherein the documentation package includes a risk assessment for at least one failed test procedure.
  - 61. The computer program medium according to claim 59 wherein the documentation package includes an overall target system risk.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Telos Corporation (L3Harris Technologies, Inc.)
Original Assignee
Telos Corporation (L3Harris Technologies, Inc.)
Inventors
Smith, Peter A., Wilson, David J., Hall, Larry L. Jr., Barrett, Hugh, Catlin, Gary M., Tracy, Richard P., Berman, Lon J.
Primary Examiner(s)
Wachsman, Hal D.

Application Number

US09/794,386
Publication Number

US 20020069035A1
Time in Patent Office

1,553 Days
Field of Search

702179-183, 702/119, 702/123, 702185-188, 702/FOR.134, 702/FOR.135, 702/DIG.150, 702/FOR.171, 705/7, 705/1, 705/405, 705/51, 705/37, 705/53, 705/80, 717/124, 717/106, 703 20- 22, 703/2, 709223-225, 709/219, 709/227, 709/229, 706/932, 706/919, 706/920, 706/916, 706/917, 706/908, 706/909, 706/902, 706/20, 713200-202, 713/133, 707/9, 714/25, 714/26, 714/40, 380/201
US Class Current

702/181
CPC Class Codes

G06Q 30/018 Certifying business or prod...

G06Q 40/08 Insurance

System, method and medium for certifying and accrediting requirements compliance

First Claim

6 Assignments

Litigations

0 Petitions

Accused Products

Abstract

381 Citations

61 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and medium for certifying and accrediting requirements compliance

First Claim

6 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

381 Citations

61 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links