Enhanced system, method and medium for certifying and accrediting requirements compliance utilizing robust risk assessment model

US 6,983,221 B2
Filed: 11/27/2002
Issued: 01/03/2006
Est. Priority Date: 11/27/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method, comprising:

associating at least one first data element uniquely with at least one requirement category, each first data element from the at least one first data element representing a potential of a vulnerability that could be used to exploit a target system;

associating at least one second data element uniquely with a degree of exposure of the target system to a threat associated with the vulnerability of the target system;

comparing the at least one first data element to the at least one second data element;

determining, based on predetermined rules, at least one composite data element for each requirement category from the at least one requirement category; and

determining a baseline risk level for each requirement category from the at least one requirement category, the baseline risk level for each requirement category being based on a level of risk of the composite data element associated with that requirement category.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-assisted system, medium and method of providing a risk assessment of a target system. The method includes providing one or more test requirements categories, associating one or more first data elements with each requirements category, associating one or more second data elements with a degree of exposure of the target system to the one or more threats, comparing the first data elements to the second data elements to determine, based on predetermined rules, composite data elements for each requirements category; and selecting, based upon predetermined rules, a level of risk of the composite data elements as a baseline risk level for each requirements category.

367 Citations

71 Claims

1. A method, comprising:
- associating at least one first data element uniquely with at least one requirement category, each first data element from the at least one first data element representing a potential of a vulnerability that could be used to exploit a target system;
  
  associating at least one second data element uniquely with a degree of exposure of the target system to a threat associated with the vulnerability of the target system;
  
  comparing the at least one first data element to the at least one second data element;
  
  determining, based on predetermined rules, at least one composite data element for each requirement category from the at least one requirement category; and
  
  determining a baseline risk level for each requirement category from the at least one requirement category, the baseline risk level for each requirement category being based on a level of risk of the composite data element associated with that requirement category.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1, wherein each baseline risk level is selected from the group of:
    - high, medium-high, medium, medium-low, low and negligible.
  - 3. The method of claim 1, wherein the baseline risk level for each requirement category from the at least one requirement category is selected from the group of:
    - high, medium-high, medium, medium-low, low and negligible, each baseline risk level being determined by at least one of the following;
      
      assigning a baseline risk level of negligible if;
      
      a threat level of the requirement category is negligible and a corresponding project threat level is negligible, low, medium-low, or medium;
      
      a threat level of the requirement category is low and a corresponding project threat level is negligible;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is negligible;
      
      or a threat level of the requirement category is medium and a corresponding project threat level is negligible;
      
      assigning a baseline risk level of low if;
      
      a threat level of the requirement category is negligible and a corresponding project threat level is medium-high or high;
      
      a threat level of the requirement category is low and a corresponding project threat level is medium-low or low;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is low or medium-low;
      
      a threat level of the requirement category is medium and a corresponding project threat level is low;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is negligible;
      
      or a threat level of the requirement category is high and a corresponding project threat level is negligible;
      
      assigning a baseline risk level of medium-low if;
      
      a threat level of the requirement category is low and a corresponding project threat level is medium or medium-high;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is medium;
      
      a threat level of the requirement category is medium and a corresponding project threat level is medium-low;
      
      or a threat level of the requirement category is medium-high and a corresponding project threat level is low;
      
      assigning a baseline risk level of medium if;
      
      a threat level of the requirement category is low and a corresponding project threat level is high;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is medium-high;
      
      a threat level of the requirement category is medium and a corresponding project threat level is medium;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is medium-low;
      
      or a threat level of the requirement category is high and a corresponding project threat level is low or medium-low;
      
      assigning a baseline risk level of medium-high if;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is high;
      
      a threat level of the requirement category is medium and a corresponding project threat level is medium-high;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is medium;
      
      or a threat level of the requirement category is high and a corresponding project threat level is low or medium; and
      
      assigning a baseline risk level of high if;
      
      a threat level of the requirement category is medium and a corresponding project threat level is high;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is medium-high or high;
      
      or a threat level of the requirement category is high and a corresponding project threat level is medium-high or high.
  - 4. The method of claim 3, further comprising:
    - determining an adjusted risk level for the at least one requirement category.
  - 5. The method of claim 4, wherein the adjusted risk level is selected from the group of:
    - high, medium-high, medium, medium-low, low, and negligible.
  - 6. The method of claim 5, further comprising:
    - decreasing the risk level of the requirement category two levels when a percentage of failed requirements falls within a first range, and the baseline risk level is one of high, medium-high, medium, and medium-low.
  - 7. The method of claim 6, wherein the first range includes approximately zero to approximately twenty percent.
  - 8. The method of claim 5, further comprising:
    - decreasing the risk level of the requirement category one level when the percentage of failed requirements falls within a first range, and an initial baseline risk level is low.
  - 9. The method of claim 8, wherein the first range includes approximately zero to approximately twenty percent.
  - 10. The method of claim 5, further comprising;
    - decreasing the risk level of the requirement category one level when a percentage of failed requirements falls within a second range, and an initial baseline risk level is one of high, medium-high, medium, medium-low and low.
  - 11. The method of claim 10, wherein the second range includes approximately twenty percent to approximately forty percent.
  - 12. The method of claim 5, further comprising:
    - maintaining the risk level of the requirement category at a current level when a percentage of failed requirements falls within a third range, and an initial baseline risk level is one of high, medium-high, medium, medium-low, low and negligible.
  - 13. The method of claim 12, wherein the third range includes approximately forty percent to approximately sixty percent.
  - 14. The method of claim 5, further comprising:
    - increasing the risk level of the requirement category one level when a percentage of failed requirements falls within a fourth range, and an initial baseline risk level is one of medium-high, medium, medium-low, low and negligible.
  - 15. The method of claim 14, wherein the fourth range includes approximately sixty percent to approximately eighty percent.
  - 16. The method of claim 5, further comprising:
    - increase the risk level of the requirement category two levels when the percentage of failed requirements falls within a fifth range, and an initial baseline risk level is one of medium, medium-low, low and negligible.
  - 17. The method of claim 16, wherein the fifth range includes approximately eighty percent to approximately one hundred percent.
  - 18. The method of claim 5, further comprising:
    - decreasing the risk level of the requirement category when a percentage of failed requirements falls within a first range, and an initial baseline risk level is one of high, medium-high, medium, and medium-low;
      
      decreasing the risk level of the requirement category one level when a percentage of failed requirements falls within a first range, and the initial baseline risk level is low;
      
      decreasing the risk level of the requirement category one level when a percentage of failed requirements falls within a second range, and the initial baseline risk level is one of high, medium-high, medium, medium-low and low;
      
      maintaining the risk level of the requirement category at a current level when a percentage of failed requirements falls within a third range, and the initial baseline risk level is one of high, medium-high, medium, medium-low, low and negligible;
      
      increasing a risk level of the requirement category one level when a percentage of failed requirements falls within a fourth range, and the initial baseline risk level is one of medium-high, medium, medium-low, low and negligible;
      
      increasing a risk level of the requirement category two levels when a percentage of failed requirements falls within a fifth range, and the initial baseline risk level is one of medium, medium-low, low and negligible; and
      
      increasing a risk level of the requirement category one level when a percentage of failed requirements falls within a fifth range, and the initial baseline risk level is medium-high.
  - 19. The method of claim 18, further comprising:
    - assigning the target system a risk having a risk level that is the highest risk level among any of the requirement categories.
  - 20. The method of claim 19, further comprising:
    - printing a documentation package indicative of target system resistance to at least one threat.
  - 21. The method of claim 1, wherein the vulnerability includes at least one of natural disaster, system failure, environmental failure, unintentional human, and intentional human threats.
  - 22. The method of claim 21, wherein the natural disaster vulnerability includes at least one of fire, flood, earthquake, volcano, tornado and lighting.
  - 23. The method of claim 21, wherein the system failure vulnerability includes at least one of a hardware failure, a power failure, and a communication link failure.
  - 24. The method of claim 21, wherein the environmental failure vulnerability includes at least one of temperature, power, humidity, sand, dust, shock, and vibration.
  - 25. The method of claim 21, wherein the human unintentional vulnerability includes at least one of a software design error, a system design error, and an operator error.
  - 26. The method of claim 21, wherein the human intentional vulnerability includes at least one of an authorized system administrator, an authorized maintenance personnel, an authorized user, a terrorist, a hacker, a saboteur, a thief, and a vandal.
  - 27. The method of claim 1, wherein the first data elements and the second data elements comprise strings.
  - 28. The method of claim 1, wherein the highest threat level among the data elements is selected as the baseline risk level for each requirement category.

29. A system, comprising:
- at least one data repository configured to store at least one requirement category and information about potential vulnerabilities, the at least one data repository being further configured to store predetermined rules configured to be used in determining risk levels;
  
  a processor in communication with the at least one data repository, the processor configured to associate at least one first data element uniquely with the at least one requirement category, each first data element from the at least one first data element representing a potential of a vulnerability that could be used to exploit a target system, the processor being configured to associate at least one second data element uniquely with a degree of exposure of the target system to the a threat associated with the vulnerability of the target system, the processor being configured to compare the at least one first data element to the at least one second data element, the processor being configured to determine, based on predetermined rules, at least one composite data element for each requirement category from the at least one requirement category, the processor being further configured to determine a baseline risk level for each requirement category from the at least one requirement category, the baseline risk level for each requirement category being based on a level of risk of the composite data element associated with that requirement category.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 30. The system of claim 29, wherein the processor is configured to select each baseline risk level from the group of high, medium-high, medium, medium-low, low and negligible.
  - 31. The system of claim 30, wherein the processor is configured to determine an overall risk of the at least one composite data element by:
    - assigning a risk as negligible if;
      
      a threat level of the requirement category is negligible and a corresponding project threat level is negligible, low, medium-low, or medium;
      
      a threat level of the requirement category is low and a corresponding project threat level is negligible;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is negligible;
      
      or a threat level of the requirement category is medium and a corresponding project threat level is negligible;
      
      assigning a risk as low if;
      
      a threat level of the requirement category is negligible and a corresponding project threat level is medium-high or high;
      
      a threat level of the requirement category is low and a corresponding project threat level is medium-low or low;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is low or medium-low;
      
      a threat level of the requirement category is medium and a corresponding project threat level is low;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is negligible;
      
      or a threat level of the requirement category is high and a corresponding project threat level is negligible;
      
      assigning a risk as medium-low if;
      
      a threat level of the requirement category is low and a corresponding project threat level is medium or medium-high;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is medium;
      
      a threat level of the requirement category is medium and a corresponding project threat level is medium-low;
      
      or a threat level of the requirement category is medium-high and a corresponding project threat level is low;
      
      assigning a risk as medium if;
      
      a threat level of the requirement category is low and a corresponding project threat level is high;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is medium-high;
      
      a threat level of the requirement category is medium and a corresponding project threat level is medium;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is medium-low;
      
      or a threat level of the requirement category is high and a corresponding project threat level is low or medium-low;
      
      assigning a risk as medium-high if;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is high a threat level of the requirement category is medium and a corresponding project threat level is medium-high;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is medium;
      
      or a threat level of the requirement category is high and a corresponding project threat level is low or medium; and
      
      assigning a risk as high if;
      
      a threat level of the requirement category is medium and a corresponding project threat level is high;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is medium-high or high;
      
      or a threat level of the requirement category is high and a corresponding project threat level is medium-high or high.
  - 32. The system of claim 31, wherein the processor is further configured to determine an adjusted risk level for the at least one requirement category.
  - 33. The system of claim 32, wherein the processor is configured to select the adjusted risk level from the group of:
    - high, medium-high, medium, medium-low, low, and negligible.
  - 34. The system of claim 33, wherein the processor is configured to decrease the risk level of the requirement category by two levels if a percentage of failed requirements falls within a first range and the baseline risk level is one of high, medium-high, medium, and medium-low.
  - 35. The system of claim 34, wherein the first range includes approximately zero to twenty percent.
  - 36. The system of claim 33, wherein the processor is configured to decrease the risk level of the requirement category by one level if the percentage of failed requirements falls within a first range and an initial baseline risk level is low.
  - 37. The system of claim 36, wherein the first range includes approximately zero to twenty percent.
  - 38. The system of claim 33, wherein the processor is configured to decrease the risk level of the requirement category by one level if a percentage of failed requirements falls within a second range and an initial baseline risk level is one of high, medium-high, medium, medium-low and low.
  - 39. The system of claim 38, wherein the second range includes approximately twenty percent to forty percent.
  - 40. The system of claim 33, wherein the processor is configured to maintain the risk level of the requirement category the same if a percentage of failed requirements falls within a third range and an initial baseline risk level is one of high, medium-high, medium, medium-low, low and negligible.
  - 41. The system of claim 40, wherein the third range includes approximately forty percent to sixty percent.
  - 42. The system of claim 33, wherein the processor is configured to increase the risk level of the requirement category by one level if a percentage of failed requirements falls within a fourth range, and an initial baseline risk level is one of medium-high, medium, medium-low, low and negligible.
  - 43. The system of claim 42, wherein the fourth range includes approximately sixty percent to eighty percent.
  - 44. The system of claim 33, wherein the processor is configured to increase the risk level of the requirement category by two levels when the percentage of failed requirements falls within a fifth range, and an initial baseline risk level is one of medium, medium-low, low and negligible.
  - 45. The system of claim 44, wherein the fifth range includes approximately eighty percent to one hundred percent.
  - 46. The system of claim 33, wherein the processor is configured to cause a documentation package to be printed, the documentation package being indicative of target system resistance to one or more threats.
  - 47. The system of claim 29, wherein the first data elements and the second data elements comprise strings.
  - 48. The system of claim 29, wherein the highest threat level among the data elements is selected as the baseline risk level for each requirement category.

49. A processor-readable medium comprising code representing instructions to cause a processor to:
- associate at least one first data element uniquely with at least one requirement category, each first data element from the at least one first data element representing a potential of a vulnerability that could be used to exploit a target system;
  
  associate at least one second data element uniquely with the vulnerability of the target system;
  
  compare the at least one first data element to the at least one second data element;
  
  determine, based on predetermined rules, at least one composite data element for each requirement category from the at least one requirement category; and
  
  determine a baseline risk level for each requirement category from the at least one requirement category, the baseline risk level for each requirement category being based on a level of risk of the composite data element associated with that requirement category.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69)
- - 50. The processor-readable medium of claim 49, wherein the baseline risk levels comprise high, medium-high, medium, medium-low, low and negligible.
  - 51. The processor-readable medium of claim 50, wherein the code representing instructions to determine a baseline risk level for a requirement category is configured to determine an overall risk of each of the at least one composite data element by:
    - assigning a risk as negligible if;
      
      a threat level of the requirement category is negligible and a corresponding project threat level is negligible, low, medium-low, or medium;
      
      a threat level of the requirement category is low and a corresponding project threat level is negligible;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is negligible;
      
      or a threat level of the requirement category is medium and a corresponding project threat level is negligible;
      
      assigning a risk as low if;
      
      a threat level of the requirement category is negligible and a corresponding project threat level is medium-high or high;
      
      a threat level of the requirement category is low and a corresponding project threat level is medium-low or low;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is low or medium-low;
      
      a threat level of the requirement category is medium and a corresponding project threat level is low;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is negligible;
      
      or a threat level of the requirement category is high and a corresponding project threat level is negligible;
      
      assigning a risk as medium-low if;
      
      a threat level of the requirement category is low and a corresponding project threat level is medium or medium-high;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is medium;
      
      a threat level of the requirement category is medium and a corresponding project threat level is medium-low;
      
      or a threat level of the requirement category is medium-high and a corresponding project threat level is low;
      
      assigning a risk as medium if;
      
      a threat level of the requirement category is low and a corresponding project threat level is high;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is medium-high;
      
      a threat level of the requirement category is medium and a corresponding project threat level is medium;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is medium-low;
      
      or a threat level of the requirement category is high and a corresponding project threat level is low or medium-low;
      
      assigning a risk as medium-high if;
      
      a threat level of the requirement category is medium-low and a corresponding project threat level is high;
      
      a threat level of the requirement category is medium and a corresponding project threat level is medium-high;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is medium;
      
      or a threat level of the requirement category is high and a corresponding project threat level is low or medium; and
      
      assigning a risk as high if;
      
      a threat level of the requirement category is medium and a corresponding project threat level is high;
      
      a threat level of the requirement category is medium-high and a corresponding project threat level is medium-high or high;
      
      or a threat level of the requirement category is high and a corresponding project threat level is medium-high or high.
  - 52. The processor-readable medium of claim 51, further comprising code representing instructions to cause a processor to determine an adjusted risk level for at least one requirement category.
  - 53. The processor-readable medium of claim 52, wherein the adjusted risk level is selected from a group of:
    - high, medium-high, medium, medium-low, low, and negligible.
  - 54. The processor-readable medium of claim 53, wherein the code representing instructions is configured to cause a processor to decrease the risk level of the requirement category by two levels if a percentage of failed requirements falls within a first range and the baseline risk level is selected from one of high, medium-high, medium, and medium-low.
  - 55. The processor-readable medium of claim 54, wherein the first range includes approximately zero to twenty percent.
  - 56. The processor-readable medium of claim 53, wherein the code representing instructions is configured to cause a processor to decrease the risk level of the requirement category by one level if the percentage of failed requirements falls within a first range and an initial baseline risk level is low.
  - 57. The processor-readable medium of claim 56, wherein the first range includes approximately zero to twenty percent.
  - 58. The processor-readable medium of claim 53, wherein the code representing instructions is configured to cause a processor to decrease the risk level of the requirement category by one level if a percentage of failed requirements falls within a second range and an initial baseline risk level is one of high, medium-high, medium, medium-low and low.
  - 59. The processor-readable medium of claim 58, wherein the second range includes approximately twenty percent to forty percent.
  - 60. The processor-readable medium of claim 53, wherein the code representing instructions is configured to cause a processor to maintain the risk level of the requirement category the same if a percentage of failed requirements falls within a third range, and an initial baseline risk level is one of high, medium-high, medium, medium-low, low and negligible, the risk level of the requirement category remains the same.
  - 61. The processor-readable medium of claim 60, wherein the third range includes approximately forty percent to sixty percent.
  - 62. The processor-readable medium of claim 53, wherein the code representing instructions is configured to cause a processor to increase the risk level of the requirement category by one level if a percentage of failed requirements falls within a fourth range and an initial baseline risk level is one of medium-high, medium, medium-low, low and negligible.
  - 63. The processor-readable medium of claim 62, wherein the fourth range includes approximately sixty percent to eighty percent.
  - 64. The processor-readable medium of claim 53, wherein the code representing instructions is configured to cause a processor to increase the risk level of the requirement category by two levels if the percentage of failed requirements falls within a fifth range, and an initial baseline risk level is one of medium, medium-low, low and negligible.
  - 65. The processor-readable medium of claim 64, wherein the fifth range includes approximately eighty percent to one hundred percent.
  - 66. The processor-readable medium of claim 52, further comprising code representing instructions to cause a processor to determine the target system risk as the highest level of risk among any of the requirement categories.
  - 67. The processor-readable medium of claim 66, further comprising code representing instructions to cause a processor to facilitate printing a documentation package indicative of target system resistance any threats associated with the vulnerability of the target system.
  - 68. The processor-readable medium of claim 49, wherein the first data elements and the second data elements comprise strings.
  - 69. The processor-readable medium of claim 49, wherein the highest threat level among the data elements is selected as the baseline risk level for each requirement category.

70. A device, comprising:
- at least one memory area; and
  
  at least one processor, the processor being configured to associate at least one first data element uniquely with at least one requirement category, each first data element from the at least one first data element representing a potential of a vulnerability that could be used to exploit a target system, the processor being configured to associate at least one second data element uniquely with a degree of exposure of the target system to a threat associated with the vulnerability of the target system, the processor being configured to compare the at least one first data element to the at least one second data element, the processor being configured to determine, based on predetermined rules, at least one composite data element for each requirement category from the at least one requirement category, the processor being further configured to determine a baseline risk level for each requirement category from the at least one requirement category, the baseline risk level for each requirement category being based on a level of risk of the composite data element associated with that requirement category.
- View Dependent Claims (71)
- - 71. The device of claim 70, wherein the device is configured to enable selection of at least one technique from a plurality of predefined techniques, the device being configured to create a tailored sequence of techniques from the selected at least one technique, the tailored sequence of techniques being configured to assess a risk associated with the target system at least partially based on the compliance of the target system at least one of a predefined standard, a regulation and a requirement.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telos Corporation (L3Harris Technologies, Inc.)
Original Assignee
Telos Corporation (L3Harris Technologies, Inc.)
Inventors
Barrett, Hugh, Tracy, Richard P., Catlin, Gary M.
Primary Examiner(s)
Hoff, Marc S.
Assistant Examiner(s)
Barbee, Manuel L

Application Number

US10/304,825
Publication Number

US 20040102922A1
Time in Patent Office

1,133 Days
Field of Search

702/81, 702/108, 702/123, 702179-188, 705/51, 713/170, 714/1, 714/33, 717/121, 717/107, 703/21, 703/22
US Class Current

702/181
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

G06Q 40/08   Insurance

Enhanced system, method and medium for certifying and accrediting requirements compliance utilizing robust risk assessment model

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

367 Citations

71 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced system, method and medium for certifying and accrediting requirements compliance utilizing robust risk assessment model

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

367 Citations

71 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links