Data processing and scanning systems for assessing vendor risk

US 10,853,501 B2
Filed: 08/30/2019
Issued: 12/01/2020
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for performing a risk assessment for a vendor, the method comprising:

scanning, by one or more computer processors, one or more webpages associated with the vendor to identify one or more vendor attributes, wherein the one or more vendor attributes comprise one or more security certifications that the vendor claims to hold,wherein each of the one or more security certifications is associated with a respective certifying authority; and

wherein each of the one or more security certifications indicates that the vendor is in compliance with security certification requirements of the respective certifying authority;

accessing, by one or more computer processors, one or more databases of security certifications to determine whether the vendor holds the one or more security certifications;

accessing, by one or more computer processors, a completed privacy template, the completed privacy template comprising a plurality of question/answer pairings regarding the vendor;

calculating, by one or more computer processors, a vendor risk rating based at least in part on;

(a) the one or more security certifications;

(b) the one or more vendor attributes; and

(c) content of the at least one of the plurality of question/answer pairings in the completed privacy template; and

taking, by one or more computer processors, one or more automated actions based on the vendor risk rating.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data processing systems and methods, according to various embodiments, are adapted for efficiently processing data to allow for the streamlined assessment of risk ratings for one or more vendors. In various embodiments, the systems/methods may use one or more particular vendor attributes (e.g., as determined from scanning one or more webpages associated with the particular vendor) and the contents of one or more completed privacy templates for the vendor to determine a vendor risk rating for the particular vendor. As a particular example, the system may scan a website associated with the vendor to automatically determine one or more security certifications associated with the vendor and use that information, along with information from a completed privacy template for the vendor, to calculate a vendor risk rating that indicates the risk of doing business with the vendor.

1022 Citations

30 Claims

1. A computer-implemented data processing method for performing a risk assessment for a vendor, the method comprising:
- scanning, by one or more computer processors, one or more webpages associated with the vendor to identify one or more vendor attributes, wherein the one or more vendor attributes comprise one or more security certifications that the vendor claims to hold,wherein each of the one or more security certifications is associated with a respective certifying authority; and
  
  wherein each of the one or more security certifications indicates that the vendor is in compliance with security certification requirements of the respective certifying authority;
  
  accessing, by one or more computer processors, one or more databases of security certifications to determine whether the vendor holds the one or more security certifications;
  
  accessing, by one or more computer processors, a completed privacy template, the completed privacy template comprising a plurality of question/answer pairings regarding the vendor;
  
  calculating, by one or more computer processors, a vendor risk rating based at least in part on;
  
  (a) the one or more security certifications;
  
  (b) the one or more vendor attributes; and
  
  (c) content of the at least one of the plurality of question/answer pairings in the completed privacy template; and
  
  taking, by one or more computer processors, one or more automated actions based on the vendor risk rating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented data processing method of claim 1, wherein the one or more security certifications comprise one or more privacy shield certifications.
  - 3. The computer-implemented data processing method of claim 1, wherein the one or more vendor attributes further comprise one or more security policies implemented by the vendor.
  - 4. The computer-implemented data processing method of claim 1, wherein the one or more vendor attributes further comprise one or more privacy policies for the one or more webpages.
  - 5. The computer-implemented data processing method of claim 1, wherein the one or more vendor attributes further comprise one or more potential sub processors of one or more services associated with the vendor.
  - 6. The computer-implemented data processing method of claim 1, wherein the one or more webpages are served by the particular vendor.
  - 7. The computer-implemented data processing method of claim 1, wherein the one or more webpages are not served by the particular vendor.
  - 8. The computer-implemented data processing method of claim 1, wherein scanning the one or more webpages comprises scanning the one or more webpages for documentation that the vendor holds the one or more security certifications.
  - 9. The computer-implemented data processing method of claim 8, wherein the documentation that the vendor holds the one or more security certifications comprises at least one image that is associated with the one or more security certifications.
  - 10. The computer-implemented data processing method of claim 1, the method further comprising:
    - in response to determining that the vendor holds the one or more security certifications that the vendor claims to hold via the one or more databases, confirming that the vendor holds the one or more security certifications.
  - 11. The computer-implemented data processing method of claim 1, wherein the one or more databases of security certifications comprise one or more public databases of security certifications.

12. A computer-implemented data processing method for performing a risk assessment for a vendor, the method comprising:
- scanning, by one or more computer processors, one or more webpages associated with the vendor to identify one or more vendor attributes, wherein the one or more vendor attributes comprise one or more security policies implemented by the vendor and one or more security certifications that the vendor claims to hold,wherein each of the one or more security certifications is associated with a respective certifying authority; and
  
  wherein each of the one or more security certifications indicates that the vendor is in compliance with security certification requirements of the respective certifying authority;
  
  accessing, by one or more computer processors, one or more databases of security certifications to determine whether the vendor holds the one or more security certifications;
  
  accessing, by one or more computer processors, a completed privacy template, the completed privacy template comprising a plurality of question/answer pairings regarding the vendor;
  
  calculating, by one or more computer processors, a vendor risk rating based at least in part on;
  
  (a) the one or more security policies implemented by the vendor;
  
  (b) the one or more security certifications; and
  
  (c) content of the at least one of the plurality of question/answer pairings in the completed privacy template; and
  
  taking, by one or more computer processors, one or more automated actions based on the vendor risk rating.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The computer-implemented data processing method of claim 12, wherein the one or more vendor attributes further comprise one or more awards that the vendor claims to have received.
  - 14. The computer-implemented data processing method of claim 13, wherein one or more of the one or more security certifications is selected from a group consisting of:
    - (a) a System and Organization Control (SOC) certification;
      
      (b) an International Organization for Standardization (ISO) certification;
      
      (c) a Health Insurance Portability and Accountability Act (HIPAA) certification; and
      
      (d) a Privacy Shield certification.
  - 15. The computer-implemented data processing method of claim 12, wherein the one or more vendor attributes further comprise one or more privacy policies for the one or more webpages.
  - 16. The computer-implemented data processing method of claim 12, wherein the one or more vendor attributes further comprise one or more potential sub processors of one or more services associated with the vendor.
  - 17. The computer-implemented data processing method of claim 12, wherein the one or more webpages are served by the particular vendor.
  - 18. The computer-implemented data processing method of claim 12, wherein the one or more webpages are not served by the particular vendor.

19. A computer-implemented data processing method for performing a risk assessment for a vendor used as part of a processing activity, the method comprising:
- receiving, by one or more computer processors, a completed privacy template from a vendor, the completed privacy template comprising a plurality of question/answer pairings regarding a particular product or service provided by the vendor;
  
  scanning, by one or more computer processors, one or more webpages associated with the vendor to identify one or more vendor attributes, wherein the one or more vendor attributes comprise a privacy policy associated with the one or more webpages;
  
  analyzing, by one or more computer processors, the privacy policy to identify one or more key terms in the privacy policy related to the particular product or service that is the subject of at least one question within the privacy template;
  
  analyzing, by one or more computer processors, content of the at least one of the plurality of question/answer pairings in the completed privacy template to identify one or more security certifications that the vendor holds,wherein each of the one or more security certifications is associated with a respective certifying authority; and
  
  wherein each of the one or more security certifications indicates that the vendor is in compliance with security certification requirements of the respective certifying authority;
  
  calculating, by one or more computer processors, a vendor risk rating for the vendor based at least in part on;
  
  (a) the one or more security certifications;
  
  (b) the one or more key terms in the privacy policy; and
  
  (c) the one or more question/answer pairings from the privacy template; and
  
  taking, by one or more computer processors, one or more automated actions based on the calculated vendor risk rating.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 20. The computer-implemented data processing method of claim 19, the method further comprising:
    - monitoring the one or more webpages for one or more updates;
      
      in response to identifying the one or more updates, determining whether the one or more updates affect the one or more vendor attributes; and
      
      in response to determining that the one or more updates affect the one or more vendor attributes, calculating an updated vendor risk rating based at least in part on the affected one or more vendor attributes.
  - 21. The computer-implemented data processing method of claim 19, wherein:
    - scanning the one or more webpages comprises scanning the one or more webpages to identify the privacy policy.
  - 22. The computer-implemented data processing method of claim 19, wherein:
    - the one or more vendor attributes comprise a cookie policy implemented via the one or more webpages; and
      
      scanning the one or more webpages comprises scanning the one or more webpages to determine one or more vendor data collection policies based on the cookie policy.
  - 23. The computer-implemented data processing method of claim 22, wherein:
    - the one or more vendor data collection policies relate to the particular product or service; and
      
      the method further comprises calculating the vendor risk rating based at least in part on the one or more vendor data collection policies.
  - 24. The computer-implemented data processing method of claim 19, wherein:
    - calculating the vendor risk rating further comprises;
      
      determining one or more employee titles, employee roles, or available job posts with the vendor from one or more third party social networking sites; and
      
      calculating the vendor risk rating based at least in part on the one or more employee titles, employee roles, or available job posts with the vendor.
  - 25. The computer-implemented data processing method of claim 19, whereinscanning the one or more webpages comprises scanning the one or more webpages for documentation that the vendor holds the one or more security certifications.
  - 26. The computer-implemented data processing method of claim 25, wherein the documentation that the vendor holds the one or more security certifications comprises at least one image that is associated with the one or more security certifications.
  - 27. The computer-implemented data processing method of claim 26, the method further comprising:
    - accessing, by the one or more computer processors, one or more public databases of security certifications to determine whether the vendor holds the one or more security certifications; and
      
      in response to determining that the vendor holds the one or more security certifications via the one or more public databases, confirming that the vendor holds the one or more security certifications.
  - 28. The computer-implemented data processing method of claim 19, the method further comprising:
    - determining that the vendor risk rating is below a predetermined threshold; and
      
      automatically initiating the processing activity in response to determining that the vendor risk rating is below the predetermined threshold.
  - 29. The computer-implemented data processing method of claim 19, wherein the one or more vendor attributes further comprise one or more vendor attributes that are selected from a group consisting of:
    - one or more awards that the vendor has received; and
      
      one or more security policies implemented by the vendor.
  - 30. The computer-implemented data processing method of claim 19, wherein the one or more automated actions comprise transferring the vendor risk rating to a current or potential client of the vendor for use in assessing a risk of doing business with the vendor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Brannon, Jonathan Blake
Primary Examiner(s)
Dascomb, Jacob D

Application Number

US16/557,392
Publication Number

US 20190384899A1
Time in Patent Office

459 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3438   monitoring of user actions ...

G06F 21/316   by observing the pattern of...

G06F 21/60   Protecting data

G06F 21/6245   Protecting personal data, e...

G06F 21/6263   during internet communicati...

G06F 2201/81   Threshold

G06F 2221/2111   Location-sensitive, e.g. ge...

Data processing and scanning systems for assessing vendor risk

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

1022 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing and scanning systems for assessing vendor risk

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1022 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links