Control automation tool

US 8,196,207 B2
Filed: 02/26/2010
Issued: 06/05/2012
Est. Priority Date: 10/29/2008
Status: Active Grant

First Claim

Patent Images

1. A control automation method for assisting an organization comprising one or more users with managing one or more controls for mitigating one or more risks or threats and managing one or more metrics corresponding to the one or more controls, the one or more metrics for providing quantitative and repeatable processes for use in determining an effectiveness of the one or more controls, the control automation method comprising:

using a computer processor to execute computer program code instructions stored in a non-transitory computer-readable medium, wherein the computer program code instructions are structured to cause the computer processor to;

receive, from the user, and store one or more control profiles each comprising a plurality of parameters defining the one or more controls, wherein at least one of said plurality of parameters is selected from a group consisting of correlated control information, correlated metric information, security level information, effectiveness calculation algorithm information, effectiveness calculation results information, and effectiveness calculation criteria information;

receive, from the user, and store one or more metric profiles each comprising a plurality of parameters defining the one or more metrics, wherein at least one of said plurality of parameters is selected from a group consisting of a unit of measure, a frequency of reporting, a type of metric, a relevance of the metric to one or more controls, and a threshold level for evaluating progress toward a goal of the metric;

receive user input choosing one or more of the metrics for association with the one or more controls;

map the metrics chosen by the user to the one or more controls, such that the metrics chosen by the user become associated with the one or more controls and can provide quantitative and repeatable process data for use in determining the effectiveness of the one or more controls;

receive and store one or more metric values corresponding to the one or more metrics; and

provide information corresponding to the one or more metric values to the user for assisting the user in determining the effectiveness of the one or more controls.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A control automation tool (“CAT”) is configured for supporting discrete management of controls and their corresponding metrics. The control automation tool includes a software application connected with, stored on, and executed by one or more relational, closed-loop data repositories and computer systems. The use and maturation of a control within an organization depends on management of operational performance and expenses, which the CAT assists through lean project management, effective implementation of action plans and financial functions. Further, people resources, organizational hierarchy and access management functions are used to support mapping of controls arranged by organizational unit and support access permissions that are consistent with appropriate data management. The CAT also provides transparency and meaning to control and metric status and relevant data regarding controls and their associated metrics and is configured for ease of control and metric management via the CAT interface.

141 Citations

42 Claims

1. A control automation method for assisting an organization comprising one or more users with managing one or more controls for mitigating one or more risks or threats and managing one or more metrics corresponding to the one or more controls, the one or more metrics for providing quantitative and repeatable processes for use in determining an effectiveness of the one or more controls, the control automation method comprising:
- using a computer processor to execute computer program code instructions stored in a non-transitory computer-readable medium, wherein the computer program code instructions are structured to cause the computer processor to;
  
  receive, from the user, and store one or more control profiles each comprising a plurality of parameters defining the one or more controls, wherein at least one of said plurality of parameters is selected from a group consisting of correlated control information, correlated metric information, security level information, effectiveness calculation algorithm information, effectiveness calculation results information, and effectiveness calculation criteria information;
  
  receive, from the user, and store one or more metric profiles each comprising a plurality of parameters defining the one or more metrics, wherein at least one of said plurality of parameters is selected from a group consisting of a unit of measure, a frequency of reporting, a type of metric, a relevance of the metric to one or more controls, and a threshold level for evaluating progress toward a goal of the metric;
  
  receive user input choosing one or more of the metrics for association with the one or more controls;
  
  map the metrics chosen by the user to the one or more controls, such that the metrics chosen by the user become associated with the one or more controls and can provide quantitative and repeatable process data for use in determining the effectiveness of the one or more controls;
  
  receive and store one or more metric values corresponding to the one or more metrics; and
  
  provide information corresponding to the one or more metric values to the user for assisting the user in determining the effectiveness of the one or more controls.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The control automation method of claim 1 wherein the computer processor is further to:
    - receive user input choosing one or more risk and threat profiles from a risk and threat master profile database, the one or more risk and threat profiles including information regarding managing one or more risks and threats; and
      
      map the chosen risk and threat profiles to the one or more controls such that the one or more risks and threats are mitigated by implementation of the one or more controls.
  - 3. The control automation method of claim 2 wherein the computer processor is further to:
    - determine a target maturity state for one or more of the controls based at least in part on the risks and threats mapped to the one or more controls.
  - 4. The control automation method of claim 3 wherein the computer processor is further to:
    - receive and store information from the user corresponding to one or more control maturity verification checklist criteria;
      
      identify one or more gaps requiring attention, based at least in part on the information received from the user corresponding to one or more control maturity verification checklist criteria, in order for one or more of the controls to attain the target maturity state; and
      
      develop one or more action plans comprising one or more action plan steps, the one or more action plans created to assist in closing the one or more identified gaps.
  - 5. The control automation method of claim 4 wherein identifying one or more gaps requiring attention comprises:
    - retrieving one or more gap profiles from an operational and regulatory gap profile repository; and
      
      wherein identifying the one or more gaps requiring attention comprises;
      
      comparing the one or more gap profiles with a potential gap to determine whether the potential gap is a gap requiring attention.
  - 6. The control automation method of claim 1 wherein the computer processor is further to:
    - receive and store information from the user corresponding to one or more control maturity verification checklist criteria;
      
      identify one or more gaps requiring attention, based at least in part on the information received from the user corresponding to one or more control maturity verification checklist criteria, in order for one or more of the controls to attain a target maturity state; and
      
      develop one or more action plans comprising one or more action plan steps, the one or more action plans created to assist in closing the one or more identified gaps.
  - 7. The control automation method of claim 6 wherein identifying one or more gaps requiring attention comprises:
    - retrieving, one or more gap profiles from an operational and regulatory gap profile repository; and
      
      comparing the one or more gap profiles with a potential gap to determine whether the potential gap is a gap requiring attention.
  - 8. The control automation method of claim 1 wherein the computer processor is further to:
    - determine the effectiveness of the one or more controls based at least in part on the one or more metric values; and
      
      wherein;
      
      the information provided to the user for assisting the user in determining the effectiveness of the one or more controls comprises the effectiveness determined using the processor.
  - 9. The control automation method of claim 1 wherein the computer processor is further to:
    - providing the user a people repository comprising information corresponding to the people within the organization.
  - 10. The control automation method of claim 9 wherein the computer processor is further to:
    - receive user input choosing one or more people from the people repository and user input choosing one or more preferences corresponding to the one or more chosen people; and
      
      map the people chosen by the user to one or more of the controls based at least in part on the one or more chosen preferences.
  - 11. The control automation method of claim 1 wherein the computer processor is further to:
    - retrieve policy information from a policy repository, the policy information corresponding to one or more organization policies and standards; and
      
      modify one or more parameters of the control and metrics such that the parameters are aligned with the policy information.
  - 12. The control automation method of claim 1 wherein the computer processor is further to:
    - retrieve business functional classification information from a business and operational functions repository; and
      
      group based at least in part on the business functional classification information, some or all of the controls and metrics.
  - 13. The control automation method of claim 1 wherein the computer processor is further to:
    - retrieve information regarding at least one of budgetary funding allocations, people allocations, and action plans from a projects and business case financials repository; and
      
      modify one or more parameters of the control and metrics such that the parameters are aligned with the information.

14. A computer program product configured for assisting an organization comprising one or more users with managing one or more controls for mitigating one or more risks or threats and managing one or more metrics corresponding to the one or more controls, the one or more metrics for providing quantitative and repeatable processes for use in determining an effectiveness of the one or more controls, the computer program product comprising a non-transitory computer-readable medium, the non-transitory computer-readable medium having computer-readable instructions stored therein, the instructions comprising:
- instructions for receiving, from the user, and storing one or more control profiles each comprising a plurality of parameters defining the one or more controls, wherein at least one of said plurality of parameters is selected from a group consisting of correlated control information, correlated metric information, security level information, effectiveness calculation algorithm information, effectiveness calculation results information, and effectiveness calculation algorithm information, effectiveness calculation results information, or effectiveness calculation criteria information;
  
  instructions for receiving, from the user, and storing one or more metric profiles each comprising a plurality of parameters defining the one or more metrics, wherein at least one of said plurality of parameters is selected from a group consisting of a unit of measure, a frequency of reporting, a type of metric, a relevance of the metric to one or more controls, and a threshold level for evaluating progress toward a goal of the metric;
  
  instructions for receiving user input choosing one or more of the metrics for association with the one or more controls;
  
  instructions for mapping the metrics chosen by the user to the one or more controls, such that the metrics chosen by the user become associated with the one or more controls and can provide quantitative and repeatable process data for use in determining the effectiveness of the one or more controls;
  
  instructions for receiving and storing one or more metric values corresponding to the one or more metrics; and
  
  instructions for providing information corresponding to the one or more metric values to the user for assisting the user in determining the effectiveness of the one or more controls.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The computer program product of claim 14, the computer readable instructions further comprising:
    - instructions for receiving user input choosing one or more risk and threat profiles from a risk and threat master profile database, the one or more risk and threat profiles including information regarding managing one or more risks and threats; and
      
      instructions for mapping, using a processor, the chosen risk and threat profiles to the one or more controls such that the one or more risks and threats are mitigated by implementation of the one or more controls.
  - 16. The computer program product of claim 15, the computer readable instructions further comprising:
    - instructions for determining, using a processor, a target maturity state for one or more of the controls based at least in part on the risks and threats mapped to the one or more controls.
  - 17. The computer program product of claim 16, the computer readable instructions further comprising:
    - instructions for receiving and storing information from the user corresponding to one or more control maturity verification checklist criteria;
      
      instructions for identifying, using a processor, one or more gaps requiring attention, based at least in part on the information received from the user corresponding to one or more control maturity verification checklist criteria, in order for one or more of the controls to attain the target maturity state; and
      
      instructions for developing, using a processor, one or more action plans comprising one or more action plan steps, the one or more action plans created to assist in closing the one or more identified gaps.
  - 18. The computer program product of claim 17, the computer readable instructions further comprising:
    - instructions for retrieving, using a processor, one or more gap profiles from an operational and regulatory gap profile repository; and
      
      wherein the instructions for identifying one or more gaps requiring attention comprise;
      
      instructions for comparing, using a processor, the one or more gap profiles with a potential gap to determine whether the potential gap is a gap requiring attention.
  - 19. The computer program product of claim 14, the computer readable instructions further comprising:
    - instructions for receiving and storing information from the user corresponding to one or more control maturity verification checklist criteria;
      
      instructions for identifying, using a processor, one or more gaps requiring attention, based at least in part on the information received from the user corresponding to one or more control maturity verification checklist criteria, in order for one or more of the controls to attain a target maturity state; and
      
      instructions for developing, using a processor, one or more action plans comprising one or more action plan steps, the one or more action plans created to assist in closing the one or more identified gaps.
  - 20. The computer program product of claim 19, the computer readable instructions further comprising:
    - instructions for retrieving, using a processor, one or more gap profiles an operational and regulatory gap profile repository; and
      
      instructions for comparing, using a processor, the one or more gap profiles with a potential gap to determine whether the potential gap is a gap requiring attention.
  - 21. The computer program product of claim 14, the computer readable instructions further comprising:
    - instructions for determining, using a processor, the effectiveness of the one or more controls based at least in part on the one or more metric values; and
      
      wherein;
      
      the instructions for providing information to the user for assisting the user in determining the effectiveness of the one or more controls comprise instructions for providing the effectiveness determined using the processor.
  - 22. The computer program product of claim 14, the computer readable instructions further comprising:
    - Instructions for providing the user a people repository comprising information corresponding to the people within the organization.
  - 23. The computer program product of claim 22, the computer readable instructions further comprising:
    - instructions for receiving user input choosing one or more people from the people repository and user input choosing one or more preferences corresponding to the one or more chosen people; and
      
      instructions for mapping, using a processor, the people chosen by the user to one or more of the controls based at least in part on the one or more chosen preferences.
  - 24. The computer program product of claim 14, the computer readable instructions further comprising:
    - instructions for retrieving, using a processor, policy information from a policy repository, the policy information corresponding to one or more organization policies and standards; and
      
      modifying, using a processor, one or more parameters of the control and metrics such that the parameters are aligned with the policy information.
  - 25. The computer program product of claim 14, the computer readable instructions further comprising:
    - instructions for retrieving, using a processor, business functional classification information from a business and operational functions repository; and
      
      instructions for grouping, using a processor, based at least in part on the business functional classification information, some or all of the controls and metrics.
  - 26. The computer program product of claim 14, the computer readable instructions further comprising:
    - instructions for retrieving, using a processor, information regarding at least one of budgetary funding allocations, people allocations, and action plans from a projects and business case financials repository; and
      
      instructions for modifying, using a processor, one or more parameters of the control and metrics such that the parameters are aligned with the information.

27. A control automation system configured for assisting an organization comprising one or more users with managing one or more controls for mitigating one or more risks or threats and managing one or more metrics corresponding to the one or more controls, the one or more metrics for providing quantitative and repeatable processes for use in determining an effectiveness of the one or more controls, the control automation system comprising:
- a workstation module configured for providing access to the control automation system for the one or more users and providing an interface enabling the one or more users to interact with the control automation system;
  
  a control management module configured for communicating with the workstation module;
  
  a metric repository configured for communicating with the control management module and configured for receiving, from the user, and storing one or more metric profiles each comprising a plurality of parameters defining the one or more metrics, wherein at least one of said plurality of parameters is selected from a group consisting of a unit of measure, a frequency of reporting, a type of metric, a relevance of the metric to one or more controls, and a threshold level for evaluating progress toward a goal of the metric;
  
  a control repository configured for communicating with the control management module, the control repository comprising;
  
  a control profile and process module configured for;
  
  receiving user input regarding one or more control profiles each comprising a plurality of parameters defining the one or more controls from the workstation module by way of the control management module, wherein at least one of said plurality of parameters is selected from a group consisting of correlated control information, correlated metric information, security level information, effectiveness calculation algorithm information, effectiveness calculation results information, and effectiveness calculation algorithm information;
  
  receiving user input choosing one or more of the metrics from the workstation module by way of the control management module, the user choosing one or more of the metrics for association with the one or more controls;
  
  mapping the metrics chosen by the user to the one or more controls, such that the metrics chosen by the user become associated with the one or more controls and can provide quantitative and repeatable process data for use in determining the effectiveness of the one or more controls;
  
  receiving user input regarding one or more metric values corresponding to the one or more metrics from the workstation module byway of the control management module; and
  
  communicating information corresponding to the one or more metric values to the user by way of the control management module and the workstation module, the information for assisting the user in determining the effectiveness of the one or more controls.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 28. The control automation system of claim 27 wherein the control automation system further comprises:
    - a risk and threat master profile module configured for storing a plurality of risk and threat profiles, and wherein the control repository further comprises;
      
      a risk profile module configured for receiving user input choosing one or more risk and threat profiles from the risk and threat master profile module from the workstation module by way of the control management module,the control profile and process module further configured for mapping the chosen risk and threat profiles to the one or more controls such that the one or more risks and threats are mitigated by implementation of the one or more controls.
  - 29. The control automation system of claim 28 wherein the control repository further comprises:
    - a maturity assessment module configured for determining a target maturity state for one or more of the controls based at least in part on the risks and threats mapped to the one or more controls.
  - 30. The control automation system of claim 27 wherein the maturity assessment module is further configured for:
    - receiving, from the workstation module by way of the control management module, information from the user corresponding to one or more control maturity verification checklist criteria, and wherein the control repository further comprises;
      
      a gap profiles module configured for identifying one or more gaps requiring attention, based at least in part on the information received from the user corresponding to one or more control maturity verification checklist criteria, in order for one or more controls to attain a target maturity state; and
      
      an action plan module configured for developing one or more action plans comprising one or more action plan steps, the one or more action plans created to assist in closing the one or more identified gaps.
  - 31. The control automation system of claim 30 wherein the gap profile module is further configured for:
    - retrieving one or more gap profiles andcomparing the one or more gap profiles with a potential gap to determine whether the potential gap is a gap requiring attention.
  - 32. The control automation system of claim 27 wherein:
    - the control management module is configured for determining the effectiveness of the one or more controls based at least in part on the one or more metric values; and
      
      wherein;
      
      the information provided to the user for assisting the user in determining the effectiveness of the one or more controls comprises the effectiveness determined by the control management module.
  - 33. The control automation system of claim 27 further comprising:
    - a people resources module configured for communicating with the control management module and providing the user a people repository comprising information corresponding to the people within the organization.
  - 34. The control automation system of claim 33 wherein the control repository is further configured for:
    - receiving user input from the workstation module by way of the control management module, the user input comprising choosing one or more people from the people repository and choosing one or more preferences corresponding to the one or more chosen people; and
      
      mapping the people chosen by the user to one or more of the controls based at least in part on the one or more chosen preferences.
  - 35. The control automation system of claim 27 further comprising:
    - a policy and standards module, and wherein the control management module is further configured for;
      
      retrieving policy information from the policy and standards module, the policy information corresponding to one or more organization policies and standards; and
      
      wherein the control repository is further configured for;
      
      modifying one or more parameters of the controls such that the parameters are aligned with the policy information.
  - 36. The control automation system of claim 27 further comprising:
    - a policy and standards module, and wherein the control management module is further configured for;
      
      retrieving policy information from the policy and standards module, the policy information corresponding to one or more organization policies and standards; and
      
      wherein the metric repository is further configured for;
      
      modifying one or more parameters of the metrics such that the parameters are aligned with the policy information.
  - 37. The control automation system of claim 27 further comprising:
    - a business and operational functions module, and wherein the control management module is further configured for;
      
      retrieving business functional classification information from the business and operational functions module; and
      
      grouping, using a processor, based at least in part on the business functional classification information, some or all of the controls and metrics.
  - 38. The control automation system of claim 27 further comprising:
    - a projects and business case financials module, and wherein the control management module is further configured for;
      
      retrieving information regarding at least one of budgetary funding allocations, people allocations, and action plans from the projects and business case financials module; and
      
      modifying one or more parameters of the controls and metrics such that the parameters are aligned with the information.

39. An apparatus for assisting an organization comprising one or more users with managing one or more controls for mitigating one or more risks or threats and managing one or more metrics corresponding to the one or more controls, the one or more metrics for providing quantitative and repeatable processes for use in determining an effectiveness of the one or more controls, the apparatus comprising:
- means for receiving, from the user, and storing one or more control profiles each comprising a plurality of parameters defining the one or more controls, wherein at least one of said plurality of parameters is selected from a group consisting of correlated control information, correlated metric information, security level information, effectiveness calculation algorithm information, effectiveness calculation results information, and effectiveness calculation algorithm information;
  
  means for receiving, from the user, and storing one or more metric profiles each comprising a plurality of parameters defining the one or more metrics, wherein at least one of said plurality of parameters is selected from a group consisting of a unit of measure, a frequency of reporting, a type of metric, a relevance of the metric to one or more controls, and a threshold level for evaluating progress toward a goal of the metric;
  
  means for receiving user input choosing one or more of the metrics for association with the one or more controls;
  
  means for mapping the metrics chosen by the user to the one or more controls, such that the metrics chosen by the user become associated with the one or more controls and can provide quantitative and repeatable process data for use in determining the effectiveness of the one or more controls;
  
  means for receiving and storing one or more metric values corresponding to the one or more metrics; and
  
  means for providing information corresponding to the one or more metric values to the user for assisting the user in determining the effectiveness of the one or more controls.
- View Dependent Claims (40, 41, 42)
- - 40. The apparatus of claim 39 further comprising:
    - means for receiving user input choosing one or more risk and threat profiles from a risk and threat master profile database, the one or more risk and threat profiles including information regarding managing one or more risks and threats; and
      
      means for mapping the chosen risk and threat profiles to the one or more controls such that the one or more risks and threats are mitigated by implementation of the one or more controls.
  - 41. The apparatus of claim 40 further comprising:
    - means for determining a target maturity state for one or more of the controls based at least in part on the risks and threats mapped to the one or more controls.
  - 42. The apparatus of claim 40 further comprising:
    - means for receiving and storing information from the user corresponding to one or more control maturity verification checklist criteria;
      
      means for identifying one or more gaps requiring attention, based at least in part on the information received from the user corresponding to one or more control maturity verification checklist criteria, in order for one or more of the controls to attain a target maturity state; and
      
      means for developing one or more action plans comprising one or more action plan steps, the one or more action plans created to assist in closing the one or more identified gaps.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Hill, Marshell L., Yomine, Daniel, Aligno, Dennis, Carter, Johnna, Carroll, Tianay, Barve, Ajay
Primary Examiner(s)
Chai, Longbit

Application Number

US12/713,775
Publication Number

US 20100199352A1
Time in Patent Office

830 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

G06Q 10/10 Office automation; Time man...

Control automation tool

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

141 Citations

42 Claims

Specification

Use Cases

Quick Links

Others

Control automation tool

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

141 Citations

42 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others