Data processing and scanning systems for assessing vendor risk

US 10,509,894 B2
Filed: 06/17/2019
Issued: 12/17/2019
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for performing a risk assessment for a vendor, the method comprising:

scanning, by one or more computer processors, one or more webpages associated with the vendor;

identifying, by the one or more computer processors, one or more vendor attributes associated with the vendor based on the scanned one or more webpages, wherein the one or more vendor attributes comprise one or more security certifications that the vendor holds;

accessing, by the one or more computer processors, one or more public databases of security certifications to determine whether the vendor holds the one or more security certifications;

receiving, by the one or more computer processors, a completed privacy template from a centralized repository of completed privacy templates, the completed privacy template comprising a plurality of question/answer pairings regarding the vendor;

receiving, by the one or more computer processors from a user, a weighting factor that is to be applied to at least one of the plurality question/answer pairings in the completed privacy template to calculate the risk rating for the vendor;

calculating, by the one or more computer processors, a vendor risk rating based at least in part on the one or more vendor attributes, the weighting factor, and content of the at least one of the plurality of question/answer pairings in the completed privacy template; and

taking, by the one or more computer processors, one or more automated actions based on the vendor risk rating.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data processing systems and methods, according to various embodiments are adapted for efficiently processing data to allow for the streamlined assessment of the risk level associated with particular privacy campaigns. The systems may provide a centralized repository of templates of privacy-related question/answer pairings for various vendors, products (e.g., software products), and services. Different entities may electronically access the templates (which may be periodically updated and centrally audited) and customize the templates for evaluating the risk associated with the entities'"'"' respective business endeavors that involve the relevant vendors, products, or services.

513 Citations

18 Claims

1. A computer-implemented data processing method for performing a risk assessment for a vendor, the method comprising:
- scanning, by one or more computer processors, one or more webpages associated with the vendor;
  
  identifying, by the one or more computer processors, one or more vendor attributes associated with the vendor based on the scanned one or more webpages, wherein the one or more vendor attributes comprise one or more security certifications that the vendor holds;
  
  accessing, by the one or more computer processors, one or more public databases of security certifications to determine whether the vendor holds the one or more security certifications;
  
  receiving, by the one or more computer processors, a completed privacy template from a centralized repository of completed privacy templates, the completed privacy template comprising a plurality of question/answer pairings regarding the vendor;
  
  receiving, by the one or more computer processors from a user, a weighting factor that is to be applied to at least one of the plurality question/answer pairings in the completed privacy template to calculate the risk rating for the vendor;
  
  calculating, by the one or more computer processors, a vendor risk rating based at least in part on the one or more vendor attributes, the weighting factor, and content of the at least one of the plurality of question/answer pairings in the completed privacy template; and
  
  taking, by the one or more computer processors, one or more automated actions based on the vendor risk rating.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented data processing method of claim 1, wherein the one or more vendor attributes further comprise one or more vendor attributes that are selected from a group consisting of:
    - (1) one or more awards that the vendor has received;
      
      (2) one or more security policies implemented by the vendor;
      
      (3) one or more privacy policies for the one or more webpages; and
      
      (4) one or more potential sub processors of one or more services associated with the vendor.
  - 3. The computer-implemented data processing method of claim 1, wherein the one or more webpages are operated by the particular vendor.
  - 4. The computer-implemented data processing method of claim 1, wherein the one or more webpages are not operated by the particular vendor.
  - 5. The computer-implemented data processing method of claim 1, wherein:
    - scanning the one or more webpages comprises scanning the one or more webpages for documentation that the vendor holds the one or more security certifications.
  - 6. The computer-implemented data processing method of claim 5, wherein scanning the one or more webpages comprises identifying at least one image that makes up part of the one or more webpages and that is associated with the one or more security certifications.
  - 7. The computer-implemented data processing method of claim 1, the method further comprising:
    - in response to determining that the vendor holds the one or more security certifications via the one or more public databases, confirming that the vendor holds the one or more security certifications.

8. A computer-implemented data-processing method for performing a risk assessment for a vendor used as part of a processing activity, the method comprising:
- receiving, by one or more computer processors, a completed privacy template from a vendor, the completed privacy template comprising a plurality of question/answer pairings regarding a particular product or service provided by the vendor;
  
  automatically coordinating, by the one or more computer processors, an audit for the completed privacy template;
  
  scanning, by the one or more computer processors, one or more webpages associated with the vendor;
  
  identifying, by the one or more computer processors, one or more vendor attributes associated with the vendor based on the scanned one or more webpages, wherein the one or more vendor attributes comprise a privacy policy associated with the one or more webpages;
  
  analyzing the privacy policy to identify one or more key terms in the privacy policy related to the particular product or service in the audited privacy template;
  
  calculating a vendor risk rating for the vendor based at least in part on the one or more vendor attributes, the one or more key terms, the privacy policy, and the audited privacy template; and
  
  taking, by the one or more computer processors, one or more automated actions based on the vendor risk rating.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 9. The computer-implemented data-processing method of claim 8, the method further comprising:
    - monitoring the one or more webpages for one or more updates;
      
      in response to identifying the one or more updates, determining whether the one or more updates affect the one or more vendor attributes; and
      
      in response to determining that the one or more updates affect the one or more vendor attributes, calculating an updated vendor risk rating based at least in part on the affected one or more vendor attributes.
  - 10. The computer-implemented data-processing method of claim 8, wherein:
    - scanning the one or more webpages comprises scanning the one or more webpages to identify the privacy policy.
  - 11. The computer-implemented data-processing method of claim 8, wherein:
    - the one or more vendor attributes comprise a cookie policy implemented via the one or more webpages; and
      
      scanning the one or more webpages comprises scanning the one or more webpages to determine one or more vendor data collection policies based on the cookie policy.
  - 12. The computer-implemented data-processing method of claim 11, wherein:
    - the one or more vendor data collection policies relate to the particular product or service; and
      
      the method further comprises calculating the vendor risk rating based at least in part on the one or more vendor data collection policies.
  - 13. The computer-implemented data-processing method of claim 8, wherein:
    - calculating the vendor risk rating further comprises;
      
      determining one or more employee titles, employee roles, or available job posts with the vendor from one or more third party social networking sites; and
      
      calculating the vendor risk rating based at least in part on the one or more employee titles, employee roles, or available job posts with the vendor.
  - 14. The computer-implemented data processing method of claim 8, wherein:
    - the one or more vendor attributes comprise one or more security certifications that the vendor holds; and
      
      scanning the one or more webpages comprises scanning the one or more webpages for documentation that the vendor holds the one or more security certifications.
  - 15. The computer-implemented data processing method of claim 14, wherein scanning the one or more webpages comprises identifying at least one image that makes up part of the one or more webpages that is associated with the one or more security certifications.
  - 16. The computer-implemented data processing method of claim 15, the method further comprising:
    - accessing, by the one or more computer processors, one or more public databases of security certifications to determine whether the vendor holds the one or more security certifications; and
      
      in response to determining that the vendor holds the one or more security certifications via the one or more public databases, confirming that the vendor holds the one or more security certifications.
  - 17. The computer-implemented data processing method of claim 8, the method further comprising:
    - determining that the vendor risk rating is below a predetermined threshold; and
      
      automatically initiating the processing activity in response to determining that the vendor risk rating is below the predetermined threshold.
  - 18. The computer-implemented data processing method of claim 8, wherein the one or more vendor attributes further comprise one or more vendor attributes that are selected from a group consisting of:
    - one or more awards that the vendor has received; and
      
      one or more security policies implemented by the vendor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Brannon, Jonathan Blake
Primary Examiner(s)
Deng, Anna C

Application Number

US16/443,374
Publication Number

US 20190311094A1
Time in Patent Office

183 Days
Field of Search

717101
US Class Current
CPC Class Codes

G06F 11/3438   monitoring of user actions ...

G06F 21/316   by observing the pattern of...

G06F 21/6245   Protecting personal data, e...

G06F 2201/81   Threshold

G06F 2221/2111   Location-sensitive, e.g. ge...

Data processing and scanning systems for assessing vendor risk

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

513 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing and scanning systems for assessing vendor risk

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

513 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links