IPC classification information
Country / type: United States (US) Patent, registered
International Patent Classification (IPC 7th edition): none listed
Application number: US-0304826 (2002-11-27)
Inventors / address:
- Tracy, Richard P.
- Barrett, Hugh
- Catlin, Gary M.
Applicant / address: none listed
Citation information: cited by 34 patents; cites 35 patents
Abstract
A computer-assisted system, medium and method of providing a risk assessment of a target system. The method includes electronically scanning, on a predetermined basis, hardware and/or software characteristics of components within a target system to obtain and store target system configuration information, receiving and storing target system operational environment information, using information collected in the scanning and receiving steps to select one or more security requirements in accordance with the at least one predefined standard, regulation and/or requirement, selecting one or more test procedures used to determine target system compliance with the security requirements, and producing a risk assessment of the target system.
Representative claims
1. A method, comprising:electronically scanning at least one of: a hardware characteristic and a software characteristic, of components within a target system to obtain information associated with a target system configuration; receiving information associated with a target system operational environment; selecting at least one security requirement at least partially based on at least one of: a predefined standard, regulation, and requirement associated with the target system operational environment; selecting at least one test procedure to determine target system compliance with the at least one security requirement; and producing a risk assessment of the target system. 2. The method of claim 1, wherein producing a risk assessment of a target system includes producing a baseline risk assessment by:associating at least one first data element with a requirement category from a plurality of requirement categories, the at least one first data element being uniquely associated with at least one threat from a plurality of threats, each threat from the plurality of threats being associated with a vulnerability of the target system; associating at least one second data element with a degree of exposure from a plurality of degrees of exposure of the target system, each degree of exposure from the plurality of degrees of exposure being uniquely associated with each threat from the plurality of threats; determining at least one composite data element for each requirement category from the plurality of requirement categories, the determining being at least partially based on at least one predetermined rule and a comparison of the at least one first data element and the at least one second data element; and selecting, based upon the at least one predetermined rule, a baseline risk level of the at least one composite data element for each requirement category. 3. 
The method of claim 2, wherein the baseline risk assessment has baseline risk levels of at least one of: high, medium-high, medium, medium-low, low, and negligible, the baseline risk level for each requirement category from the plurality of requirement categories being determined by at least one of the following:assigning a baseline risk level of negligible if: a threat level of the requirement category is negligible and a corresponding project threat level is negligible, low, medium-low, or medium; a threat level of the requirement category is low and a corresponding project threat level is negligible; a threat level of the requirement category is medium-low and a corresponding project threat level is negligible; or a threat level of the requirement category is medium and a corresponding project threat level is negligible; assigning a baseline risk level of low if: a threat level of the requirement category is negligible and a corresponding project threat level is medium-high or high; a threat level of the requirement category is low and a corresponding project threat level is medium-low or low; a threat level of the requirement category is medium-low and a corresponding project threat level is low or medium-low; a threat level of the requirement category is medium and a corresponding project threat level is low; a threat level of the requirement category is medium-high and a corresponding project threat level is negligible; or a threat level of the requirement category is high and a corresponding project threat level is negligible; assigning a baseline risk level of medium-low if: a threat level of the requirement category is low and a corresponding project threat level is medium or medium-high; a threat level of the requirement category is medium-low and a corresponding project threat level is medium; a threat level of the requirement category is medium and a corresponding project threat level is medium-low; or a threat level of the requirement category is 
medium-high and a corresponding project threat level is low; assigning a baseline risk level of medium if: a threat level of the requirement category is low and a corresponding project threat level is high; a threat level of the requirement category is medium-low and a corresponding project threat level is medium-high; a threat level of the requirement category is medium and a corresponding project threat level is medium; a threat level of the requirement category is medium-high and a corresponding project threat level is medium-low; or a threat level of the requirement category is high and a corresponding project threat level is low or medium-low; assigning a baseline risk level of medium-high if: a threat level of the requirement category is medium-low and a corresponding project threat level is high; a threat level of the requirement category is medium and a corresponding project threat level is medium-high; a threat level of the requirement category is medium-high and a corresponding project threat level is medium; or a threat level of the requirement category is high and a corresponding project threat level is low or medium; and assigning a baseline risk level of high if: a threat level of the requirement category is medium and a corresponding project threat level is high; a threat level of the requirement category is medium-high and a corresponding project threat level is medium-high or high; or a threat level of the requirement category is high and a corresponding project threat level is medium-high or high. 4. The method of claim 3, further comprising:determining an adjusted risk level for at least one requirement category from the plurality of requirement categories, the adjusted risk being one of high, medium-high, medium, medium-low, low, and negligible, the adjusted risk level being decreased one level when a percentage of failed requirements falls within a first range, and the baseline risk level is one of high, medium-high, medium, medium-low and low. 
5. The method of claim 4, wherein the first range includes zero to twenty percent.6. The method of claim 3, further comprising:determining an adjusted risk level for at least one requirement category from the plurality of requirement categories, the adjusted risk being one of high, medium-high, medium, medium-low, low, and negligible, the adjusted risk level being decreased two levels when a percentage of failed requirements falls vithin a first range, and the baseline risk level is one of high, medium-high, medium, and medium-low. 7. The method of claim 6, wherein the first range includes zero to twenty percent.8. The method of claim 3, further comprising:determining an adjusted risk level for at least one requirement category from the plurality of requirement categories, the adjusted risk being one of high, medium-high, medium, medium-low, low, and negligible, the adjusted risk level being decreased one level when the percentage of failed requirements falls within a second range, and the baseline risk level is one of high, medium-high, medium, medium-low and low. 9. The method of claim 8, wherein the second range includes over twenty percent to forty percent.10. The method of claim 3, further comprising:determining an adjusted risk level for at least one requirement category from the plurality of requirement categories, the adjusted risk being one of high, medium-high, medium, medium-low, low, and negligible, the adjusted risk level being maintained the same when the percentage of failed requirements falls within a third range, and the baseline risk level is one of high, medium-high, medium, medium-low, low and negligible. 11. The method of claim 10, wherein the third range includes over forty percent to sixty percent.12. 
The method of claim 3, further comprising:determining an adjusted risk level for at least one requirement category from the plurality of requirement categories, the adjusted risk being one of high, medium-high, medium, medium-low, low, and negligible, the adjusted risk level being increased one level when the percentage of failed requirements falls within a fourth range, and the baseline risk level is one of medium-high, medium, medium-low, low and negligible. 13. The method of claim 12, wherein the fourth range includes over sixty percent to eighty percent.14. The method of claim 3, further comprising:determining an adjusted risk level for at least one requirement category from the plurality of requirement categories, the adjusted risk being one of high, medium-high, medium, medium-low, low, and negligible, the adjusted risk level being increased two levels when the percentage of failed requirements falls within a fifth range, and the baseline risk level is one of medium, medium-low, low and negligible. 15. The method of claim 14, wherein the fifth range includes over eighty percent to one hundred percent.16. 
The method according to claim 3, further comprising:determining an adjusted risk level for at least one requirement category from the plurality of requirement categories, the adjusted risk level being one of high, medium-high, medium, medium-low, low, and negligible, the adjusted risk level being adjusted according to one of the following: when a percentage of failed requirements falls within a first range, and the baseline risk level is one of high, medium-high, medium, and medium-low, the adjusted risk level of the requirements category is decreased two levels; when a percentage of failed requirements falls within a first range, and the baseline risk level is one of high, medium-high, medium, and medium-low, and low, the adjusted risk level of the requirements category is decreased one level; when a percentage of failed requirements falls within a second range, and the baseline risk level is one of high, medium-high, medium, medium-low and low, the adjusted risk level of the requirements category is decreased one level; when a percentage of failed requirements falls within a third range, and the baseline risk level is one of high, medium-high, medium, medium-low, low and negligible, the adjusted risk level of the requirements category remains the same; when a percentage of failed requirements falls within a fourth range, and the baseline risk level is one of medium-high, medium, medium-low, low and negligible, the adjusted risk level of the requirements category is increased one level; and when a percentage of failed requirements falls within a fifth range, and the baseline risk level is one of medium, medium-low, low and negligible, the adjusted risk level of the requirements category is increased two levels. 17. The method of claim 16, wherein each threat from the plurality of threats associated with the target system is assigned a baseline risk level that is the highest level of risk among any of the plurality of requirement categories.18. 
The method of claim 3, further comprising:determining an adjusted risk level for at least one requirement category from the plurality of requirement categories. 19. The method of step 3, further comprising:determining an adjusted risk level for at least one requirement category from the plurality of requirement categories, the adjusted risk being one of high, medium-high, medium, medium-low, low, and negligible. 20. The method of claim 1, wherein the producing a risk assessment of the target system is at least partially based on input from a user.21. The method according to claim 20, wherein the input from the user includes at least one role associated with at least one user from a plurality of users, the plurality of users including the user.22. The method of claim 21, further comprising:sending an electronic notification to at least one user from the plurality of users upon the occurrence of a predefined event associated with the at least one user's corresponding role. 23. The method of claim 22, wherein the predefined event includes at least one of: opening a process step, submitting a process step for approval, re-opening a process step, and approving a process step.24. The method of claim 21, wherein the at least one role includes at least one of:certification and accreditation analyst, computer security incident response capabilities representative, privacy advocates office representative, disclosure office representative, vulnerabilities office representative, technical contingency planning document representative, request for information system originator, owner of business system, certification and accreditation request for information system coordinator, critical infrastructure protection representative, system point of contact, principal accrediting authority, certification and accreditation administrator, and certification and accreditation chief. 25. 
The method according to claim 20, wherein the input from the user includes at least one process step.26. The method of claim 1, wherein the electronically scanning includes accessing an enterprise management system.27. The method of claim 26, wherein the at least one of: a hardware characteristic and a software characteristic, is associated with at least one of: an internet protocol address, a hostname, a media access control address, an operating system name, and an operating system version.28. The method according to claim 1, further comprising:updating at least one test procedure to include testing for at least one of: a newly discovered system component and an updated target system component; and updating the risk assessment at least partially based on the updating the at least one test procedure. 29. The method of claim 1, wherein the electronically scanning utilizes a secure connection.30. The method of claim 1, wherein the at least one of: a hardware characteristic and a software characteristic, is associated with at least one of: an internet protocol address, a hostname, a media access control address, an operating system name, and an operating system version.31. The method of claim 1, wherein the at least one of: a hardware characteristic and a software characteristic, within the target system includes a characteristic associated with at least one of: a central processing unit (CPU) manufacturer, a CPU clock speed, an operating system (OS) manufacturer, an OS version, and an OS patchs.32. The method according to claim 1, wherein the at least one security requirement and the at least one test procedure are at least partially based on input from a user.33. The method of claim 1, wherein the risk assessment includes a baseline risk assessment having risk levels of high, medium-high, medium, medium-low, low, and negligible.34. The method of claim 1, further comprising:outputting an indication of the risk assessment of the target system. 35. 
A system, comprising:a scanner configured to electronically scan at least one of: a hardware characteristic and a software characteristic, of components within a target system, the scanner being configured to obtain information associated with a target system configuration; a storage device in communication with the scanner, the storage device configured to receive and store information associated with a target system operational environment; and a processor in communication with the storage device, the processor configured to select at least one security requirement associated with the target system operational environment, the processor configured to select at least one test procedure to determine target system compliance with at least one security requirement, the processor configured to produce a risk assessment of the target system. 36. The system of claim 35, wherein the processor is configured to produce a baseline risk assessment by:associating at least one first data element with a requirement category from a plurality of requirement categories, the at least one first data element being uniquely associated with at least one threat from a plurality of threats, each threat from the plurality of threats being associated with a vulnerability of the target system; associating at least one second data element with a degree of exposure from a plurality of degrees of exposure of the target system, each degree of exposure from the plurality of degrees of exposure being uniquely associated with each threat from the plurality of threats; determining at least one composite data element for each requirement category from the plurality of requirement categories, the determining being at least partially based on at least one predetermined rule and a comparison of the at least one first data element and the at least one second data element; and selecting, based upon the at least one predetermined rule, a baseline risk level of the at least one composite data element for 
each requirement category. 37. The system of claim 36, wherein the processor is configured to produce a baseline risk assessment having a baseline risk level of at least one of: high, medium-high, medium, medium-low, low, and negligible, the baseline risk level for each requirement category from the plurality of requirement categories being determined by least one of the following:assigning a baseline risk level of negligible if: a threat level of the requirement category is negligible and a corresponding project threat level is negligible, low, medium-low, or medium; a threat level of the requirement category is low and a corresponding project threat level is negligible; a threat level of the requirement category is medium-low and a corresponding project threat level is negligible; or a threat level of the requirement category is medium and a corresponding project threat level is negligible; assigning a baseline risk level of low if: a threat level of the requirement category is negligible and a corresponding project threat level is medium-high or high; a threat level of the requirement category is low and a corresponding project threat level is medium-low or low; a threat level of the requirement category is medium-low and a corresponding project threat level is low or medium-low; a threat level of the requirement category is medium and a corresponding project threat level is low; a threat level of the requirement category is medium-high and a corresponding project threat level is negligible; or a threat level of the requirement category is high and a corresponding project threat level is negligible; assigning a baseline risk level of medium-low if: a threat level of the requirement category is low and a corresponding project threat level is medium or medium-high; a threat level of the requirement category is medium-low and a corresponding project threat level is medium; a threat level of the requirement category is medium and a corresponding project threat level 
is medium-low; or a threat level of the requirement category is medium-high and a corresponding project threat level is low; assigning a baseline risk level of medium if: a threat level of the requirement category is low and a corresponding project threat level is high; a threat level of the requirement category is medium-low and a corresponding project threat level is medium-high; a threat level of the requirement category is medium and a corresponding project threat level is medium; a threat level of the requirement category is medium-high and a corresponding project threat level is medium-low; or a threat level of the requirement category is high and a corresponding project threat level is low or medium-low; assigning a baseline risk level of medium-high if: a threat level of the requirement category is medium-low and a corresponding project threat level is high; a threat level of the requirement category is medium and a corresponding project threat level is medium-high; a threat level of the requirement category is medium-high and a corresponding project threat level is medium; or a threat level of the requirement category is high and a corresponding project threat level is low or medium; and assigning a baseline risk level of high if: a threat level of the requirement category is medium and a corresponding project threat level is high; a threat level of the requirement category is medium-high and a corresponding project threat level is medium-high or high; or a threat level of the requirement category is high and a corresponding project threat level is medium-high or high. 38. 
The system of claim 37, wherein the processor is further configured to adjust a risk level to determine an adjusted risk level for at least one requirement category from the plurality of requirement categories, the adjusted risk level being one of high, medium-high, medium, medium-low, low, and negligible, the processor being configured to determine the adjusted risk level according to one of the following:when a percentage of failed requirements falls within a first range, and the baseline risk level is one of high, medium-high, medium, medium-low and low, the adjusted risk level of the requirements category is decreased one level; when a percentage of failed requirements falls within a first range, and the baseline risk level is one of high, medium-high, medium, and medium-low, the adjusted risk level of the requirements category is decreased two levels; when a percentage of failed requirements falls within a second range, and the baseline risk level is one of high, medium-high, medium, medium-low and low, the adjusted risk level of the requirements category is decreased one level; when a percentage of failed requirements falls within a third range, and the baseline risk level is one of high, medium-high, medium, medium-low, low and negligible, the adjusted risk level of the requirements category remains the same; when a percentage of failed requirements falls within a fourth range, and the baseline risk level is one of medium-high, medium, medium-low, low and negligible, the adjusted risk level of the requirements category is increased one level; and when a percentage of failed requirements falls within a fifth range, and the baseline risk level is one of medium, medium-low, low and negligible, the adjusted risk level of the requirements category is increased two levels. 39. 
The system of claim 38, wherein the processor is configured to assign a baseline risk level having the highest level of risk among the plurality of the requirement categories to each threat from the plurality of threats associated with the target system.40. The system of claim 37, wherein the processor is further configured to determine an adjusted risk level for at least one requirement category from a plurality of requirements categories.41. The system of claim 35, further comprising:an interface in communication with the processor, the interface configured to receive input from a user, the processor being further configured to produce the risk assessment of the target system at least partially based on the input received from the user. 42. The system of claim 41, wherein the input from the user includes at least one process step.43. The system of claim 41, wherein the input from the user includes at least one role associated with at least one user from a plurality of users, the plurality of users including the user.44. The system of claim 35, further comprising:a communications component in communication with the processor, the communications component configured to send an electronic notification to at least one user from the plurality of users upon the occurrence of a predefined event. 45. The system of claim 44, wherein the predefined event includes at least one of: opening a process step, submitting a process step for approval, re-opening a process step, and approving a process step.46. The system of claim 35, wherein the processor is further configured to update at least one test procedure to include testing for at least one of: a newly discovered system component and an updated target system component, the processor being further configured to update the risk assessment based at least partially on the at least one test procedure.47. The system of claim 35, wherein said scanner is configured to utilize a secure connection.48. 
The system of claim 35, wherein the at least one of: a hardware characteristic and a software characteristic, is associated with at least one of: an internet protocol address, a hostname, a media access control address, an operating system name, and an operating system version.49. The system of claim 35, wherein the scanner is configured to access an enterprise management system.50. The system of claim 35, wherein the risk assessment includes a baseline risk assessment having risk levels of high, medium-high, medium, medium-low, low and negligible.51. A processor-readable medium comprising code representing instructions configured to cause a processor to:electronically scan at least one of: a hardware characteristic and a software characteristic, of components within a target system to obtain information associated with target system configuration information; receive information associated with a target system operational environment; select at least one security requirement configured to cause a processor to select at least one security requirement at least partially based on at least one of: a predefined standard, regulation, and requirement, associated with the target system operational environment; select at least one test procedure to determine target system compliance with the at least one security requirement; and produce a risk assessment of the target system. 52. 
The processor-readable medium of claim 51, wherein the code representing instructions to cause a processor to produce a risk assessment of a target system includes code representing instructions to cause a processor to produce a baseline risk assessment by causing a processor to:associate at least one first data element with a requirement category from a plurality of requirement categories, the at least one first data element being uniquely associated with at least one threat from a plurality of threats, each threat from the plurality of threats being associated with a vulnerability of the target system; associate at least one second data element with a degree of exposure from a plurality of degrees of exposure of the target system, each degree of exposure from the plurality of degrees of exposure being uniquely associated with each threat from the plurality of threats; determine at least one composite data element for each requirement category from the plurality of requirement categories, the code representing instructions to cause a processor to determine being at least partially based on at least one predetermined rule and a comparison of the at least one first data element; and select, based upon the at least one predetermined rule, a baseline risk level of the at least one composite data element for each requirement category. 53. 
The processor-readable medium of claim 52, wherein the baseline risk assessment has baseline risk levels of at least one of: high, medium-high, medium, medium-low, low, and negligible, the baseline risk level for each requirement category from the plurality of requirement categories being determined by code representing instructions to cause a processor to do at least one of the following: assign a baseline risk level of negligible if: a threat level of the requirement category is negligible and a corresponding project threat level is negligible, low, medium-low, or medium; a threat level of the requirement category is low and a corresponding project threat level is negligible; a threat level of the requirement category is medium-low and a corresponding project threat level is negligible; or a threat level of the requirement category is medium and a corresponding project threat level is negligible; assign a baseline risk level of low if: a threat level of the requirement category is negligible and a corresponding project threat level is medium-high or high; a threat level of the requirement category is low and a corresponding project threat level is medium-low or low; a threat level of the requirement category is medium-low and a corresponding project threat level is low or medium-low; a threat level of the requirement category is medium and a corresponding project threat level is low; a threat level of the requirement category is medium-high and a corresponding project threat level is negligible; or a threat level of the requirement category is high and a corresponding project threat level is negligible; assign a baseline risk level of medium-low if: a threat level of the requirement category is low and a corresponding project threat level is medium or medium-high; a threat level of the requirement category is medium-low and a corresponding project threat level is medium; a threat level of the requirement category is medium and a corresponding project threat level is medium-low; or a threat level of the requirement category is medium-high and a corresponding project threat level is low; assign a baseline risk level of medium if: a threat level of the requirement category is low and a corresponding project threat level is high; a threat level of the requirement category is medium-low and a corresponding project threat level is medium-high; a threat level of the requirement category is medium and a corresponding project threat level is medium; a threat level of the requirement category is medium-high and a corresponding project threat level is medium-low; or a threat level of the requirement category is high and a corresponding project threat level is low or medium-low; assign a baseline risk level of medium-high if: a threat level of the requirement category is medium-low and a corresponding project threat level is high; a threat level of the requirement category is medium and a corresponding project threat level is medium-high; a threat level of the requirement category is medium-high and a corresponding project threat level is medium; or a threat level of the requirement category is high and a corresponding project threat level is low or medium; and assign a baseline risk level of high if: a threat level of the requirement category is medium and a corresponding project threat level is high; a threat level of the requirement category is medium-high and a corresponding project threat level is medium-high or high; or a threat level of the requirement category is high and a corresponding project threat level is medium-high or high.
54. The processor-readable medium of claim 53, comprising code representing instructions to cause a processor to: determine an adjusted risk level for at least one requirement category from the plurality of requirement categories.
55. The processor-readable medium of claim 54, further comprising code representing instructions to cause a processor to determine an adjusted risk level for at least one requirement category from the plurality of requirement categories, the adjusted risk level being one of high, medium-high, medium, medium-low, low, and negligible, the adjusted risk level being increased according to one of the following: when a percentage of failed requirements falls within a first range, and the baseline risk level is one of high, medium-high, medium, medium-low and low, the adjusted risk level of the requirements category is decreased one level; when a percentage of failed requirements falls within a first range, and the baseline risk level is one of high, medium-high, medium, and medium-low, the adjusted risk level of the requirements category is decreased two levels; when a percentage of failed requirements falls within a second range, and the baseline risk level is one of high, medium-high, medium, medium-low and low, the adjusted risk level of the requirements category is decreased one level; when a percentage of failed requirements falls within a third range, and the baseline risk level is one of high, medium-high, medium, medium-low, low and negligible, the adjusted risk level of the requirements category remains the same; when a percentage of failed requirements falls within a fourth range, and the baseline risk level is one of medium-high, medium, medium-low, low and negligible, the adjusted risk level of the requirements category is increased one level; and when a percentage of failed requirements falls within a fifth range, and the baseline risk level is one of medium, medium-low, low and negligible, the adjusted risk level of the requirements category is increased two levels. 56.
The processor-readable medium of claim 55, wherein the code comprising instructions configured to cause a processor to determine an adjusted risk level is configured to assign a baseline risk level that is the highest level of risk among any of the plurality of requirement categories for each threat from the plurality of threats associated with the target system.
57. The processor-readable medium of claim 51, wherein the code representing instructions to cause a processor to produce a risk assessment of the target system is at least partially based on input from a user.
58. The processor-readable medium of claim 57, wherein the input from the user includes at least one role associated with at least one user from a plurality of users including the user.
59. The processor-readable medium of claim 58, further comprising code representing instructions to cause a processor to: cause an electronic notification to be transmitted to at least one user from the plurality of users upon the occurrence of a predefined event associated with the at least one user's corresponding role.
60. The processor-readable medium of claim 59, wherein the predefined event includes at least one of: opening a process step, submitting a process step for approval, re-opening a process step, and approving a process step.
61. The processor-readable medium of claim 57, wherein the input from the user includes at least one process step.
62. The processor-readable medium of claim 51, further comprising code representing instructions to cause a processor to: update at least one test procedure to include testing for at least one of: a newly discovered system component and an updated target system component; and update the risk assessment at least partially based on the updating of the at least one test procedure.
63. The processor-readable medium of claim 51, wherein the at least one of: a hardware characteristic and a software characteristic is associated with at least one of: an internet protocol address, a hostname, a media access control address, an operating system name, and an operating system version.
64. The processor-readable medium of claim 51, wherein code representing instructions to cause a processor to electronically scan includes code representing instructions to cause a processor to access an enterprise management system.
65. The processor-readable medium of claim 51, wherein the risk assessment includes a baseline risk assessment having risk levels of high, medium-high, medium, medium-low, low and negligible.
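The baseline matrix of claim 53, the failed-requirement adjustment of claim 55 and the per-threat maximum of claim 56, written out as an added Python example that is not part of the patent. The failed-percentage ranges are passed as an index 1 to 5 because the claims do not state their bounds, and the two overlapping clauses called out in the comments are resolved by assumption.

```python
# Added example, not the patent's code: claim 53 baseline matrix,
# claim 55 adjustment rules and claim 56 per-threat maximum.
LEVELS = ["negligible", "low", "medium-low", "medium", "medium-high", "high"]
N, L, ML, M, MH, H = LEVELS

# Rows: requirement-category threat level; columns: project threat level,
# both in LEVELS order. Each cell is the baseline clause from claim 53.
# The claim lists (high, low) under both "medium" and "medium-high";
# assumption here: take the more conservative medium-high.
BASELINE_MATRIX = {
    N:  [N, N, N, N, L, L],
    L:  [N, L, L, ML, ML, M],
    ML: [N, L, L, ML, M, MH],
    M:  [N, L, ML, M, MH, H],
    MH: [L, ML, M, MH, H, H],
    H:  [L, MH, M, MH, H, H],
}


def baseline_risk(category_threat: str, project_threat: str) -> str:
    """Baseline risk level for one requirement category (claim 53)."""
    return BASELINE_MATRIX[category_threat][LEVELS.index(project_threat)]


# Claim 55: (eligible baseline levels, level shift) per failed-percentage
# range 1..5. The eligibility sets are the claim's; they keep the shifted
# level inside LEVELS. The claim names the first range twice (one- and
# two-level decreases); assumption here: the larger decrease applies
# wherever both clauses match.
ADJUSTMENT_RULES = {
    1: [({H, MH, M, ML}, -2), ({L}, -1)],
    2: [({H, MH, M, ML, L}, -1)],
    3: [(set(LEVELS), 0)],
    4: [({MH, M, ML, L, N}, +1)],
    5: [({M, ML, L, N}, +2)],
}


def adjusted_risk(baseline: str, failed_range: int) -> str:
    """Adjusted level for a category given the range (1-5) into which its
    percentage of failed requirements falls (claim 55)."""
    for eligible, shift in ADJUSTMENT_RULES[failed_range]:
        if baseline in eligible:
            return LEVELS[LEVELS.index(baseline) + shift]
    return baseline  # no clause matches: the level is unchanged


def threat_risk(category_levels) -> str:
    """Highest level among the categories tied to one threat (claim 56)."""
    return max(category_levels, key=LEVELS.index)
```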