Control transparency framework

US 8,256,004 B1
Filed: 10/29/2008
Issued: 08/28/2012
Est. Priority Date: 10/29/2008
Status: Active Grant

First Claim

Patent Images

1. A method for a control transparency framework, comprising:

identifying threats to an organization;

developing a risk score for each of the threats to develop a threat portfolio, wherein the risk score is indicative of an impact each threat may have on the organization and a probability of the threat occurring;

developing a maturity portfolio comprising a maturity level for controls, the maturity levels being determined utilizing a maturity model, the maturity model comprising a Control Objective for Information and Related Technology (COBIT) maturity model, a Capability Maturity Model (CMM), or a combination of the above;

configuring at least one processor to perform the function of mapping information from the threat portfolio to the maturity portfolio to develop a control portfolio;

determining a gap portfolio comprising identifying any gaps between a target state maturity level of each control and a current maturity level of each control assigned to handle each of the at least one identified threat, such that the gap occurs if the target state maturity level is at a level that is higher than the current maturity level; and

developing a control transparency portfolio to close each of the gaps to match or exceed the target state maturity level.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention are directed to methods, systems and computer program products for a control transparency framework which is, in one embodiment, a transparent (i.e. easy to understand) and actionable risk/reward approach for organizational processes, controls, training and development. The control transparency framework method includes identifying threats to an organization, developing a risk score for each of the threats to develop a threat portfolio, developing a maturity portfolio, developing a control portfolio, determining a gap portfolio, and developing a control transparency portfolio to close gaps. A gap exists between a target state maturity level of each identified threat and a current maturity level of each control assigned to handle each identified threat, such that the gap occurs if the target state maturity level is at a level that is lower than the control maturity level.

157 Citations

27 Claims

1. A method for a control transparency framework, comprising:
- identifying threats to an organization;
  
  developing a risk score for each of the threats to develop a threat portfolio, wherein the risk score is indicative of an impact each threat may have on the organization and a probability of the threat occurring;
  
  developing a maturity portfolio comprising a maturity level for controls, the maturity levels being determined utilizing a maturity model, the maturity model comprising a Control Objective for Information and Related Technology (COBIT) maturity model, a Capability Maturity Model (CMM), or a combination of the above;
  
  configuring at least one processor to perform the function of mapping information from the threat portfolio to the maturity portfolio to develop a control portfolio;
  
  determining a gap portfolio comprising identifying any gaps between a target state maturity level of each control and a current maturity level of each control assigned to handle each of the at least one identified threat, such that the gap occurs if the target state maturity level is at a level that is higher than the current maturity level; and
  
  developing a control transparency portfolio to close each of the gaps to match or exceed the target state maturity level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising developing a vulnerability management control strategy comprising at least one of describing how each control will be applied throughout the organization, determining a priority for each identified risk, and determining what level of control will be assigned to each risk.
  - 3. The method of claim 1, wherein the developing a maturity portfolio comprises:
    - determining new controls and processes;
      
      establishing control metrics; and
      
      documenting processes with control points.
  - 4. The method of claim 3, wherein the developing a maturity portfolio further comprises assessing process and organizational maturity.
  - 5. The method of claim 1, wherein determining a gap portfolio further comprises:
    - identifying the target state maturity level for each control;
      
      identifying the current maturity level of each control assigned to handle each of the at least one identified threat; and
      
      documenting the gaps.
  - 6. The method of claim 1, wherein determining a gap portfolio further comprising determining a strategy map via a 9-block NIST model by assigning the target state level for each block of the NIST model, wherein each threat is assigned to one of the nine NIST blocks.
  - 7. The method of claim 1, further comprising evaluating and prioritizing at least one of the gaps.
  - 8. The method of claim 1, further comprising managing the risks.
  - 9. The method of claim 8, wherein the managing the risks comprises taking at least one of the following actions:
    - accepting the risks, avoiding the risks, mitigating the risks, and transferring the risks.

10. A computer program product for implementing a control transparency framework, the computer program product embodied in a non-transitory computer-readable storage medium having a computer program residing thereon, the computer program comprising:
- instructions for identifying threats to an organization;
  
  instructions for developing a risk score for each of the threats to develop a threat portfolio, wherein the risk score is indicative of an impact each threat may have on the organization and a probability of the threat occurring;
  
  instructions for developing a maturity portfolio comprising a maturity level for controls, the maturity levels being determined utilizing a maturity model, the maturity model comprising a Control Objective for Information and Related Technology (COBIT) maturity model, a Capability Maturity Model (CMM), or a combination of the above;
  
  instructions for mapping information from the threat portfolio to the maturity portfolio to develop a control portfolio;
  
  instructions for determining a gap portfolio comprising identifying any gaps between a target state maturity level of each control and a current maturity level of each control assigned to handle each of the at least one identified threat, such that the gap occurs if the target state maturity level is at a level that is higher than the current maturity level; and
  
  instructions for developing a control transparency portfolio to close each of the gaps to match or exceed the target state maturity level.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer program product of claim 10, further comprising instructions for developing a vulnerability management control strategy that comprises at least one of instructions for describing how each control will be applied throughout the organization, instructions for determining a priority for each identified risk, and instructions for determining what level of control will be assigned to each risk.
  - 12. The computer program product of claim 10, wherein the instructions for developing a maturity portfolio comprises:
    - instructions for determining new controls and processes;
      
      instructions for establishing control metrics; and
      
      instructions for documenting processes with control points.
  - 13. The computer program product of claim 12, wherein the instructions for developing a maturity portfolio further comprises instructions for assessing process and organizational maturity.
  - 14. The computer program product of claim 10, wherein the instructions for determining a gap portfolio further comprises:
    - instructions for identifying the target state maturity level for each control;
      
      instructions for identifying the current maturity level of each control assigned to handle each of the at least one identified threat; and
      
      instructions for documenting the gaps.
  - 15. The computer program product of claim 10, further comprising instructions for evaluating and prioritizing at least one of the gaps.

16. Apparatus for control transparency framework, the apparatus comprisingmeans for identifying threats to an organization;
- means for developing a risk score for each of the threats to develop a threat portfolio, wherein the risk score is indicative of an impact each threat may have on the organization and a probability of the threat occurring;
  
  means for developing a maturity portfolio comprising a maturity level for controls, the maturity levels being determined utilizing a maturity model, the maturity model comprising a Control Objective for Information and Related Technology (COBIT) maturity model, a Capability Maturity Model (CMM), or a combination of the above;
  
  means for mapping information from the threat portfolio to the maturity portfolio to develop a control portfolio;
  
  means for determining a gap portfolio comprising identifying any gaps between a target state maturity level of each of control and a current maturity level of each control assigned to handle each of the at least one identified threat, such that the gap occurs if the target state maturity level is at a level that is higher than the current maturity level; and
  
  means for developing a control transparency portfolio to close each of the gaps to match or exceed the target state maturity level.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The apparatus of claim 16, further comprising means for developing a vulnerability management control strategy that comprises at least one of means for describing how each control will be applied throughout the organization, means for determining a priority for each identified risk, and means for determining what level of control will be assigned to each risk.
  - 18. The apparatus of claim 16, wherein the means for developing a maturity portfolio comprises:
    - means for determining new controls and processes;
      
      means for establishing control metrics; and
      
      means for documenting processes with control points.
  - 19. The apparatus of claim 18, wherein the means for developing a maturity portfolio further comprises means for assessing process and organizational maturity.
  - 20. The apparatus of claim 16, wherein the means for determining a gap portfolio further comprises:
    - means for identifying the target state maturity level for each control;
      
      means for identifying the current maturity level of each control assigned to handle each of the at least one identified threat; and
      
      means for documenting the gaps.
  - 21. The apparatus of claim 16, further comprising means for evaluating and prioritizing at least one of the gaps.

22. A system for control transparency framework, the apparatus comprising:
- a computer processor;
  
  a data structure operable on the computer processor to identify threats to an organization;
  
  a data structure operable on the computer processor to develop a risk score for each of the threats to develop a threat portfolio, wherein the risk score is indicative of an impact each threat may have on the organization and a probability of the threat occurring;
  
  a data structure operable on the computer processor to develop a maturity portfolio comprising a maturity level for controls, the maturity levels being determined utilizing a maturity model, the maturity model comprising a Control Objective for Information and Related Technology (COBIT) maturity model, a Capability Maturity Model (CMM), or a combination of the above;
  
  a data structure operable on the computer processor to map information from the threat portfolio to the maturity portfolio to develop a control portfolio;
  
  a data structure operable on the computer processor to determine a gap portfolio comprising identifying any gaps between a target state maturity level of each control and a current maturity level of each control assigned to handle each of the at least one identified threat, such that the gap occurs if the target state maturity level is at a level that is higher than the current maturity level; and
  
  a data structure operable on the computer processor to develop a control transparency portfolio to close each of the gaps to match or exceed the target state maturity level.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The system of claim 22, further comprising a data structure operable on the computer processor to develop a vulnerability management control strategy that comprises at least one of a data structure operable on the computer processor to describe how each control will be applied throughout the organization, a data structure operable on the computer processor to determine a priority for each identified risk, and a data structure operable on the computer processor to determine what level of control will be assigned to each risk.
  - 24. The system of claim 22, wherein the data structure operable on the computer processor to develop a maturity portfolio comprises:
    - a data structure operable on the computer processor to determine new controls and processes;
      
      a data structure operable on the computer processor to establish control metrics; and
      
      a data structure operable on the computer processor to document processes with control points.
  - 25. The system of claim 24, wherein the data structure operable on the computer processor to develop a maturity portfolio further comprises a data structure operable on the computer processor to assess process and organizational maturity.
  - 26. The system of claim 22, wherein the data structure operable on the computer processor to determine a gap portfolio further comprises:
    - a data structure operable on the computer processor to identify the target state maturity level for each control;
      
      a data structure operable on the computer processor to identify the current maturity level of each control assigned to handle each of the at least one identified threat; and
      
      a data structure operable on the computer processor to document the gaps.
  - 27. The system of claim 22, further comprising a data structure operable on the computer processor to evaluate and prioritize at least one of the gaps.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Hill, Marshell L., Carroll, Tianay, Carter, Johnna, Higgins, Chris, Renfro, Chad, Yomine, Dan
Primary Examiner(s)
Chai, Longbit

Application Number

US12/260,422
Time in Patent Office

1,399 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06Q 10/00 Administration; Management

Control transparency framework

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

157 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Control transparency framework

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others