Auditing system and method

US 9,202,183 B2
Filed: 06/09/2006
Issued: 12/01/2015
Est. Priority Date: 03/21/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for auditing an organization'"'"'s internal controls for handling information technology (IT) configurations and vulnerabilities comprising:

receiving, with a processor, a technology summary summarizing a plurality of IT systems in an organization;

based on the technology summary, assigning, with the processor, a vulnerability risk value to each of the plurality of IT systems, wherein each vulnerability risk value represents the risk of the associated IT system compromising the integrity of sensitive information in the organization;

determining, with the processor, a risk threshold;

comparing the risk threshold to the vulnerability risk value associated with each of the plurality of IT systems;

based at least in part on the comparison between the risk threshold and the vulnerability risk value associated with each of the plurality of IT systems, selecting, with the processor, one or more of the plurality of IT systems to test;

for each of the selected one or more IT systems, identifying a first vulnerability and a second vulnerability that affect the respective IT system;

performing, with the processor, a test of each of the selected one or more IT systems, based on the first vulnerability and the second vulnerability that affect the respective IT system;

accessing a file associated with the first vulnerability, the file identifying a patch that can correct the first vulnerability and/or the second vulnerability in the respective IT system;

implementing the patch and determining whether the first vulnerability has been corrected using the patch identified in the file; and

if the first vulnerability has been corrected, determining, based on the file, whether the second vulnerability was corrected when the first vulnerability was corrected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for auditing information technology used to handle financial statement accounts to secure sensitive financial information against the exploitation of vulnerabilities and ineffective configuration standards. By working with the client organization, an audit team evaluates the way the client organization controls sensitive IT systems. The audit team is able to assess the client organization'"'"'s internal control processed and recommend improvements.

8 Citations

View as Search Results

7 Claims

1. A method for auditing an organization'"'"'s internal controls for handling information technology (IT) configurations and vulnerabilities comprising:
- receiving, with a processor, a technology summary summarizing a plurality of IT systems in an organization;
  
  based on the technology summary, assigning, with the processor, a vulnerability risk value to each of the plurality of IT systems, wherein each vulnerability risk value represents the risk of the associated IT system compromising the integrity of sensitive information in the organization;
  
  determining, with the processor, a risk threshold;
  
  comparing the risk threshold to the vulnerability risk value associated with each of the plurality of IT systems;
  
  based at least in part on the comparison between the risk threshold and the vulnerability risk value associated with each of the plurality of IT systems, selecting, with the processor, one or more of the plurality of IT systems to test;
  
  for each of the selected one or more IT systems, identifying a first vulnerability and a second vulnerability that affect the respective IT system;
  
  performing, with the processor, a test of each of the selected one or more IT systems, based on the first vulnerability and the second vulnerability that affect the respective IT system;
  
  accessing a file associated with the first vulnerability, the file identifying a patch that can correct the first vulnerability and/or the second vulnerability in the respective IT system;
  
  implementing the patch and determining whether the first vulnerability has been corrected using the patch identified in the file; and
  
  if the first vulnerability has been corrected, determining, based on the file, whether the second vulnerability was corrected when the first vulnerability was corrected.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein performing a test comprises:
    - evaluating control standards for each of the one or more IT systems identified in the IT systems list;
      
      receiving information associated with the organization'"'"'s internal controls over a vulnerability management process;
      
      determining one or more gaps in the organization'"'"'s internal controls over the vulnerability management process;
      
      generating a report, the report including the one or more determined gaps; and
      
      testing one or more of the IT systems identified in the IT systems list for vulnerability exposure.
  - 3. The method of claim 1, further comprising:
    - identifying software code associated with the first vulnerability that affects the respective IT system; and
      
      configuring the respective IT system to not use the identified software code.

4. A system for auditing an organization'"'"'s internal controls for handling information technology (IT) configurations and vulnerabilities comprising:
- a processor; and
  
  a program storage device readable by the computer system, embodying a program of instructions executable by the processor, the program of instructions comprising;
  
  a receiving unit for receiving a technology summary summarizing IT systems in an organization;
  
  an assigning unit for assigning, based on the technology summary, a risk value to each of the IT systems, wherein each vulnerability risk value represents the risk of the IT system compromising the integrity of sensitive information in the organization;
  
  a determining unit for determining a risk threshold;
  
  a comparing unit for comparing the risk threshold to the vulnerability risk value associated with each of the plurality of IT systems;
  
  a selecting unit for selecting one or more of the plurality of IT systems to test based at least in part on the comparison between the risk threshold and the vulnerability risk value associated with each of the plurality of IT systems;
  
  an identifying unit for identifying, for each of the selected one or more IT systems, a first vulnerability and a second vulnerability that affect the respective IT systema performing unit for performing, with the processor, a test of each of the selected one or more IT systems, based on the first vulnerability and the second vulnerability that affect the respective IT system;
  
  an accessing unit for accessing a file associated with the first vulnerability, the file identifying a patch that can correct the first vulnerability and/or the second vulnerability in the respective IT system;
  
  a determining unit for implementing the patch and determining whether the first vulnerability has been corrected using the patch identified in the file; and
  
  a determining unit for determining, based on the file, if the first vulnerability has been corrected, whether the second vulnerability was corrected when the first vulnerability was corrected.
- View Dependent Claims (5)
- - 5. The system of claim 4, wherein the performing unit is operable to perform the test by:
    - evaluating control standards for each of the one or more IT systems identified in the IT systems list;
      
      receiving information associated with the organization'"'"'s internal controls over a vulnerability management process;
      
      determining one or more gaps in the organization'"'"'s internal controls over the vulnerability management process;
      
      generating a report, the report including the one or more determined gaps; and
      
      testing one or more of the IT systems identified in the IT systems list for vulnerability exposure.

6. A computer system comprising:
- a processor; and
  
  a program storage device readable by the computer system, embodying a program of instructions executable by the processor to perform method steps for auditing an organization'"'"'s internal controls for handling information technology configurations and vulnerabilities comprising;
  
  receiving, a technology summary summarizing IT systems in an organization;
  
  based on the technology summary, assigning a vulnerability risk value to each of the IT systems, wherein each vulnerability risk value represents the risk of the IT system compromising the integrity of sensitive information in the organization;
  
  determining a risk threshold;
  
  comparing the risk threshold to the vulnerability risk value associated with each of the plurality of high-risk IT systems;
  
  based at least in part on the comparison between the risk threshold and the vulnerability risk value associated with each of the plurality of high-risk IT systems, selecting one or more of the plurality of IT systems to test;
  
  for each of the selected one or more IT systems, identifying a first vulnerability and a second vulnerability that affect the respective IT system;
  
  performing, with the processor, a test of each of the selected one or more IT systems, based on the first vulnerability and the second vulnerability that affect the respective IT system;
  
  accessing a file associated with the first vulnerability, the file identifying a patch that can correct the first vulnerability and/or the second vulnerability in the respective IT system;
  
  implementing the patch and determining whether the first vulnerability has been corrected using the patch identified in the file; and
  
  if the first vulnerability has been corrected, determining, based on the file, whether the second vulnerability was corrected when the first vulnerability was corrected.
- View Dependent Claims (7)
- - 7. The computer system of claim 6, wherein performing a test comprises:
    - evaluating control standards for each of the one or more IT systems identified in the IT systems list;
      
      receiving information associated with the organization'"'"'s internal controls over a vulnerability management process;
      
      determining one or more gaps in the organization'"'"'s internal controls over the vulnerability management process;
      
      generating a report, the report including the one or more determined gaps; and
      
      testing one or more of the IT systems identified in the IT systems list for vulnerability exposure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Price, Kevin I., Giubileo, John P., Woolf, Michael Chad
Primary Examiner(s)
Meinecke Diaz, Susanna M

Application Number

US11/423,213
Publication Number

US 20070136622A1
Time in Patent Office

3,462 Days
Field of Search

705/1, 705/7, 705/7.12, 705/7.28
US Class Current

1/1
CPC Class Codes

G06Q 10/06 Resources, workflows, human...

G06Q 10/10 Office automation; Time man...

Auditing system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Auditing system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links