Methods and systems for assessing and advising on electronic compliance

US 8,201,256 B2
Filed: 03/28/2003
Issued: 06/12/2012
Est. Priority Date: 03/28/2003
Status: Active Grant

First Claim

Patent Images

1. A computer system for determining compliance of a computer network, comprising:

a memory storing an operating framework of various predetermined compliance standards with which to measure against the computer network,the various predetermined compliance standards comprising at least a governmental regulatory standard having requirements for protecting confidentiality of health-related information and a payment card information security program having requirements for destruction of data stored on electronic media beyond reconstruction or prevention of data being stored on electronic media;

a compliance question database, comprising questions relating to whether the computer network complies with requirements of the various predetermined compliance standards answerable by a user to verify compliance with the various predetermined compliance standards, for selecting the governmental regulatory standard of the various predetermined compliance standards specific to the user; and

a processor configured to provide predetermined compliance questions to the user based on the selected governmental regulatory standard of the various predetermined compliance standards, receive the user'"'"'s answer to the predetermined compliance questions, and store the user'"'"'s answer to the predetermined compliance questions in a compliance answer database;

wherein the processor is further configured to scan the computer network, generate a score indicating the degree to which the computer network complies with the selected governmental regulatory standard of the various predetermined compliance standard based on the scan of the computer network and the user'"'"'s answer in the compliance answer database, and generate a report including a result as to whether the computer network complies with the requirements of the selected predetermined compliance standard based on the score, and when the generated score identifies non-compliance of the computer network, including information how to solve the non-compliance with the report.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system of developing electronic performance support systems implemented in a computer system or in a graphical user interface. A method and system determines electronic compliance with a regulatory scheme, includes a compliance standard and using a question and answer prompt in conjunction with a scanning engine to perform an assessment of a computer network'"'"'s compliance with at least one predetermined standard in addition to a technical assessment of the computer network.

66 Citations

View as Search Results

35 Claims

1. A computer system for determining compliance of a computer network, comprising:
- a memory storing an operating framework of various predetermined compliance standards with which to measure against the computer network,the various predetermined compliance standards comprising at least a governmental regulatory standard having requirements for protecting confidentiality of health-related information and a payment card information security program having requirements for destruction of data stored on electronic media beyond reconstruction or prevention of data being stored on electronic media;
  
  a compliance question database, comprising questions relating to whether the computer network complies with requirements of the various predetermined compliance standards answerable by a user to verify compliance with the various predetermined compliance standards, for selecting the governmental regulatory standard of the various predetermined compliance standards specific to the user; and
  
  a processor configured to provide predetermined compliance questions to the user based on the selected governmental regulatory standard of the various predetermined compliance standards, receive the user'"'"'s answer to the predetermined compliance questions, and store the user'"'"'s answer to the predetermined compliance questions in a compliance answer database;
  
  wherein the processor is further configured to scan the computer network, generate a score indicating the degree to which the computer network complies with the selected governmental regulatory standard of the various predetermined compliance standard based on the scan of the computer network and the user'"'"'s answer in the compliance answer database, and generate a report including a result as to whether the computer network complies with the requirements of the selected predetermined compliance standard based on the score, and when the generated score identifies non-compliance of the computer network, including information how to solve the non-compliance with the report.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the processor provides the predetermined compliance questions in an on-line questionnaire presentable to the user via a web-based interface.
  - 3. The system of claim 2, wherein the on-line questionnaire further comprises links to suggestions on how to understand and respond to the questions.
  - 4. The system of claim 1, wherein the processor is further configured to send a wireless electronic transmission to a mobile device as part of the scan of the computer network.
  - 5. The system of claim 1, wherein the predetermined compliance questions in similar policy areas are grouped together by the processor prior to being provided to the user.
  - 6. The system of claim 5, wherein the policy areas comprise at least one selected from the group consisting of:
    - network security concerns related to whether an organization has a properly configured firewall,privacy concerns addressing how an organization protects personal information,physical concerns regarding the user'"'"'s hardware, andcontingency concerns regarding plans to continue computer network operations after a power outage, off-line data security, on-line data security, server security, authentication and validation, human resources, and disaster recovery.
  - 7. The system of claim 1, wherein the compliance question database comprises questions related to at least one selected from the group consisting of corporate guidelines, security policies, and regulations requiring predetermined levels of compliance.
  - 8. The system of claim 1, wherein the compliance question database comprises questions related to at least one selected from the group consisting of firewalls, security patches, encryption of stored data, encryption of data sent over open networks, use of anti-virus programs, data access restrictions, and the assignment of user identifiers.
  - 9. The system of claim 1, further comprising:
    - generating the score based on weighting means for selectively assigning varying levels of importance to answers to the predetermined compliance questions.
  - 10. The system of claim 1, wherein the processor is further configured to store the score in the compliance answer database.
  - 11. The system of claim 1, wherein the requirements of the at least one compliance standard further comprises retaining documentation for 6 years from creation of the documentation.
  - 12. The system of claim 1, wherein the requirements of the at least one compliance standard further comprises identification of a security official.

13. A method for determining compliance of a computer network, wherein all steps are performed by a computer, the method comprising:
- storing in a memory on a computer system an operating framework of various predetermined compliance standards with which to measure against the computer network,the various predetermined compliance standards comprising at least a governmental regulatory standard having requirements for protecting confidentiality of health-related information and a payment card information security program having requirements for destruction of data stored on electronic media beyond reconstruction or prevention of data being stored on electronic media;
  
  selecting the a payment card information security program having requirements for destruction of data stored on electronic media beyond reconstruction of the various predetermined compliance standards specific to the user;
  
  storing in a compliance question database on a computer system, questions relating to whether the computer network complies with requirements of the various predetermined compliance standard answerable by a user to verify compliance with the selected payment card information security program of the predetermined compliance standards;
  
  providing predetermined compliance questions to the user based on the selected payment card information security program of the predetermined compliance standards;
  
  receiving the user'"'"'s answer to the predetermined compliance questions;
  
  storing the user'"'"'s answer to the predetermined compliance questions in a compliance answer database;
  
  scanning the computer network;
  
  generating a score indicating the degree to which the computer network complies with the selected payment card information security program of the predetermined compliance standards based on the scan of the computer network and the user'"'"'s answer in the compliance answer database;
  
  generating a report including a result as to whether the computer network complies with the requirements of the selected payment card information security program of the predetermined compliance standards based on the score; and
  
  including information how to solve non-compliance with the report when the generated score identifies non-compliance of the computer network.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, wherein the step of providing the predetermined compliance questions includes presenting an on-line questionnaire to the user via a web-based interface.
  - 15. The method of claim 14, wherein the on-line questionnaire further comprises links to suggestions on how to understand and respond to the questions.
  - 16. The method of claim 13, further comprising:
    - transmitting a wireless electronic signal to a mobile device as part of the step of scanning the computer network.
  - 17. The method of claim 13, further comprising:
    - grouping the predetermined compliance questions in similar policy areas together prior to the step of providing the predetermined compliance questions to the user.
  - 18. The method of claim 17, wherein the policy areas comprise at least one selected from the group consisting of:
    - network security concerns related to whether an organization has a properly configured firewall,privacy concerns addressing how an organization protects personal information,physical concerns regarding the user'"'"'s hardware, andcontingency concerns regarding plans to continue computer network operations after a power outage, off-line data security, on-line data security, server security, authentication and validation, human resources, and disaster recovery.
  - 19. The method of claim 13, further comprising:
    - selecting questions from the compliance question database relating to at least one selected from the group consisting of corporate guidelines, security policies, and regulations requiring predetermined levels of compliance.
  - 20. The method of claim 13, further comprising:
    - presenting questions from the compliance question database related to at least one selected from the group consisting of firewalls, security patches, encryption of stored data, encryption of data sent over open networks, use of anti-virus programs, data access restrictions, and the assignment of user identifiers.
  - 21. The method of claim 13, further comprising:
    - generating the score based on weighting means for selectively assigning varying levels of importance to answers to the predetermined compliance questions.
  - 22. The method of claim 13, further comprising:
    - storing the score in the compliance answer database.
  - 23. The method of claim 13, wherein the requirements of the at least one compliance standard further comprises a prohibition against connections between publicly accessible servers and any component of the computer network that stores cardholder data.
  - 24. The method of claim 13, wherein the requirements of the at least one compliance standard further comprises documentation of all connections to databases that store cardholder data.

25. A computer system for determining compliance of a computer network, comprising:
- a memory storing an operating framework of various predetermined compliance standards with which to measure against the computer network;
  
  the various predetermined compliance standards comprising at least a governmental regulatory standard having requirements for protecting confidentiality of health-related information and a payment card information security program having requirements for destruction of data stored on electronic media beyond reconstruction;
  
  a compliance question database, comprising questions relating to whether the computer network complies with requirements of the various predetermined compliance standards answerable by a user to verify compliance with the various predetermined compliance standards, for selecting the payment card information security program having requirements for destruction of data stored on electronic media beyond reconstruction of the various predetermined compliance standards specific to the user;
  
  a processor configured to provide predetermined compliance questions to the user based on the selected payment card information security program of the predetermined compliance standard standards, receive the user'"'"'s answer to the predetermined compliance questions, and store the user'"'"'s answer to the predetermined compliance questions in a compliance answer database;
  
  wherein the processor is further configured to scan the computer network, generate a score indicating the degree to which the computer network complies with the selected payment card information security program of the predetermined compliance standards based on the scan of the computer network and the user'"'"'s answer in the compliance answer database, and generate a report including a result as to whether the computer network complies with the requirements of the selected payment card information security program of the predetermined compliance standards based on the score, and including information how to solve non-compliance with the report when the generated score identifies non-compliance of the computer network.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 26. The system of claim 25, wherein the processor provides the predetermined compliance questions in an on-line questionnaire presentable to the user via a web-based interface.
  - 27. The system of claim 26, wherein the on-line questionnaire further comprises links to suggestions on how to understand and respond to the questions.
  - 28. The system of claim 25, wherein the processor is further configured to send a wireless electronic transmission to a mobile device as part of the scan of the computer network.
  - 29. The system of claim 25, wherein the predetermined compliance questions in similar policy areas are grouped together by the processor prior to being provided to the user.
  - 30. The system of claim 29, wherein the policy areas comprise at least one selected from the group consisting of:
    - network security concerns related to whether an organization has a properly configured firewall,privacy concerns addressing how an organization protects personal information,physical concerns regarding the user'"'"'s hardware, andcontingency concerns regarding plans to continue computer network operations after a power outage, off-line data security, on-line data security, server security, authentication and validation, human resources, and disaster recovery.
  - 31. The system of claim 25, wherein the compliance question database comprises questions related to at least one selected from the group consisting of corporate guidelines, security policies, and regulations requiring predetermined levels of compliance.
  - 32. The system of claim 25, wherein the compliance question database comprises questions related to at least one selected from the group consisting of firewalls, security patches, encryption of stored data, encryption of data sent over open networks, use of anti-virus programs, data access restrictions, and the assignment of user identifiers.
  - 33. The system of claim 25, further comprising:
    - generating the score based on weighting means for selectively assigning varying levels of importance to answers to the predetermined compliance questions.
  - 34. The system of claim 33, wherein the processor is further configured to store the score in the compliance answer database.
  - 35. The system of claim 25, wherein the requirements of the at least one compliance standard further comprises retaining documentation for 6 years from creation of the documentation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sysxnet Ltd.
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Patanella, Joseph
Primary Examiner(s)
Cervetti, David García

Application Number

US10/400,924
Publication Number

US 20040193907A1
Time in Patent Office

3,364 Days
Field of Search

713/201, 726/1, 726/22, 726/23, 726/24, 726/25
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/10   Office automation; Time man...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1433   Vulnerability analysis

Methods and systems for assessing and advising on electronic compliance

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for assessing and advising on electronic compliance

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links