[특허]Enhanced system, method and medium for certifying and accrediting requirements compliance

Enhanced system, method and medium for certifying and accrediting requirements compliance 원문보기

IPC분류정보
국가/구분	United States(US) Patent 등록
국제특허분류(IPC7판)	G06F-017/30
출원번호	US-0946164 (2001-09-05)
등록번호	US-7380270 (2008-05-27)
발명자 / 주소	Tracy,Richard P. Barrett,Hugh Berman,Lon J. Catlin,Gary M. Dimtsios,Thomas G.
출원인 / 주소	Telos Corporation
대리인 / 주소	Sonnenschein Nath & Rosenthal LLP
인용정보	피인용 횟수 : 32 인용 특허 : 34

초록 ▼

A computer-assisted system, method and medium for enabling a user to select at least one of a plurality of predefined process steps to create a tailored sequence of process steps that can be used to assess the risk of and/or determine the suitability of a target system to comply with at least one pr

대표청구항 ▼

Having thus described our invention, what we claim as new and desire to secure by Letters Patent is as follows: 1. A method of assessing risk over a computer network having at least one target system and a server that communicates with the at least one target system via the computer network, the server performing the method comprising the steps of: a) enabling a user to choose at least one of a plurality of predefined process steps pertaining to collecting information descriptive of at least one aspect of a target system hardware and/or software, and/or a physical environment in which the target system operates; b) testing the target system against at least one test procedure selected to satisfy at least one predefined standard, regulation and/or requirement with which the target system is to comply; c) generating a score for at least one threat element, the score indicating a likelihood of that threat element affecting the target system; d) receiving at least a portion of the result of tests performed for the at least one test procedure in said step b); and e) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more given threats to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each score generated in said step c) with a corresponding threat correlation indication of said step e) (1). 2. The method of claim 1, further comprising enabling the user to choose at least one predefined process step pertaining to selecting at least one predefined standard, regulation and/or requirement. 3. The method of claim 2, further comprising enabling the user to edit at least one standard, regulation and/or requirement. 4. The method of claim 1, further comprising enabling the user to define an order of at least one of the plurality of process steps. 5. The method of claim 1, further comprising enabling the user to define at least one role for at least one user performing at least a portion of a process step. 6. The method of claim 5, wherein the at least one role comprise at least one of certification and accreditation analyst, computer security incident response capabilities representative, privacy advocates office representative, disclosure office representative, vulnerabilities office representative, technical contingency planning document representative, request for information system originator, owner of business system, certification and accreditation request for information system coordinator, critical infrastructure protection representative, system point of contact, principal accrediting authority, certification and accreditation administrator, and certification and accreditation chief. 7. The method of claim 5, further comprising sending an electronic notification to one or more users performing at least a portion of a specified process step upon the occurrence of a predefined event. 8. The method of claim 7, wherein the predefined events comprise at least one of opening a process step, submitting a process step for approval, re-opening a process step, and approving a process step. 9. The method of claim 1 wherein said testing the target system further comprises enabling the user to test the target system. 10. The method of claim 1, further comprising: enabling at least one of a system administrator and the user to define at least one role for each user performing at least a portion of a process step; and performing the steps associated with said at least one test procedure to determine whether the target system passes or fails said at least one test procedures. 11. The method of claim 1, further comprising: enabling at least one of a system administrator and the user to define at least one role for each user performing at least a portion of a process step with which the target system is to comply; and enabling at least one of a system administrator and the user to define an order of at least one of the process steps. 12. The method of claim 1, wherein the information collected in said step a) comprises at least one of central processing unit (CPU) manufacturer, CPU clock speed, operating system (OS) manufacturer, OS version, and OS patches. 13. The method of claim 1, wherein said scores for said step c) comprise at least one of: a) negligible, wherein negligible indicates that the threat element is not applicable or has negligible likelihood of occurrence; b) low, wherein low indicates that the threat element has a relatively low likelihood of occurrence; c) medium, wherein medium indicates that the threat element has a medium likelihood of occurrence; and d) high, wherein high indicates that the threat element has a relatively high likelihood of occurrence. 14. The method of claim 1, wherein the scores of said step c) are generated in response to one or more user provided inputs. 15. The method of claim 14, wherein the user can modify and/or edit said scores. 16. The method of claim 1, wherein said step c) threat elements comprise at least one of natural disaster elements, system failure elements, environmental failure elements, unintentional human caused elements, and intentional human caused elements. 17. The method of claim 16, wherein the natural disaster threat elements comprise at least one of fire, flood, earthquake, volcano, tornado, weather, and lighting elements. 18. The method of claim 16, wherein the system failure threat elements comprise at least one of a hardware failure, a power failure, and a communication link failure. 19. The method of claim 16, wherein the environmental failure threat elements comprise at least one of temperature, power, humidity, sand, dust, shock, and vibration. 20. The method of claim 16, wherein the human caused unintentional threat element comprises at least one of a software design error, a system design error, and an operator error. 21. The method of claim 16, wherein the human caused intentional threat elements comprise actions by at least one of an authorized system administrator, an authorized maintenance personnel, an authorized user, a terrorist, a hacker, a saboteur, a thief, and a vandal. 22. The method of claim 1 wherein said step e) threat correlation indication comprises at least one of the following scores: a) negligible, wherein negligible indicates that the threat is not applicable to the vulnerability; b) low, wherein low indicates that the threat has a low potential to exploit the vulnerability; c) medium, wherein medium indicates that the threat has a potential to exploit the vulnerability; and d) high, wherein high indicates that the threat has a relatively high potential to exploit the vulnerability. 23. The method of claim 22, wherein the risk assessment in said step e) is determined by: a) for each element in the project threat profile and corresponding element in the threat correlation pattern, determining an overall risk of an element in a threat correlation indication in accordance with at least one of the following: (1) if a threat element score as determined in said step c) is negligible and a corresponding element in the threat correlation indication as determined in said step e) is anything, then the overall risk of the element is negligible; (2) if a threat element score as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step e) is negligible, then the overall risk of the element is low; (3) if a threat element score as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step e) is low, then the overall risk of the element is low; (4) if a threat element score as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step e) is medium, then the overall risk of the element is low; (5) if a threat element score as determined in said step c) is low and the corresponding element in the threat correlation indication as determined in said step e) is high, then the overall risk of the element is medium; (6) if a threat element score as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step e) is negligible, then the overall risk of the element is negligible; (7) if a threat element score as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step e) is low, then the overall risk of the element is low; (8) if a threat element score as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step e) is medium, then the overall risk of the element is medium; (9) if a threat element score as determined in said step c) is medium and the corresponding element in the threat correlation indication as determined in said step e) is high, then the overall risk of the element is medium; (10) if a threat element score as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step e) is negligible, then the overall risk of the element is negligible; (11) if a threat element score as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step e) is low, then the overall risk of the element is medium; (12) if a threat element score as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step e) is medium, then the overall risk of the element is high; and (13) if a threat element score as determined in said step c) is high and the corresponding element in the threat correlation indication as determined in said step e) is high, then the overall risk of the element is high; and b) selecting the risk profile for the test procedure, if that test procedure is failed, as being the highest overall risk as determined in at least one of steps a)1)-a)13). 24. The method of claim 23, further comprising determining an overall system risk. 25. The method of claim 24, wherein the overall system risk is the highest overall risk element of each of one or more failed test procedures. 26. The method of claim 24, further comprising printing a documentation package that will enable a determination to be made whether the target system complies with the at least one predefined standard, regulation and/or requirement of said step b). 27. The method of claim 26, wherein the documentation package includes a risk assessment for at least one test procedure. 28. The method of claim 26, wherein the documentation package includes an overall system risk. 29. A system for assessing risk over a computer network having at least one target system and a server that communicates with the at least one target system via the computer network, the server comprising: a) a process step module for enabling a user to choose at least one of a plurality of predefined process steps pertaining to collecting information descriptive of at least one aspect of the target system hardware and/or software, and/or a physical environment in which the target system operates; b) a test procedure module for testing the target system against at least one test procedure selected to satisfy the at least one predefined standard, regulation and/or requirement which the target system is to comply, and enabling the user to enter test data; c) a threat element score generation module for generating a score for at least one threat element, the score indicating a likelihood of that threat element affecting the target system; d) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more given threats to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each score generated in said step c) with a corresponding threat correlation indication of said step d) (1). 30. The system of claim 29, wherein the process step module enables the user to define an order of at least one of the plurality of process steps. 31. The system of claim 29, wherein the process step module enables the user to define at least one role for at least one user performing at least a portion of a process step. 32. The system of claim 31, wherein the at least one role comprise at least one of certification and accreditation analyst, computer security incident response capabilities representative, privacy advocates office representative, disclosure office representative, vulnerabilities office representative, technical contingency planning document representative, request for information system originator, owner of business system, certification and accreditation request for information system coordinator, critical infrastructure protection representative, system point of contact, principal accrediting authority, certification and accreditation administrator, and certification and accreditation chief. 33. The system of claim 31, wherein the process step module enables a user to send an electronic notification to one or more users performing at least a portion of a specified process step upon the occurrence of a predefined event. 34. The system of claim 32, wherein the predefined events comprise at least one of opening a process step, submitting a process step for approval, re-opening a process step, and approving a process step. 35. The system of claim 29, wherein the information collected by said process step module comprises at least one of central processing unit (CPU) manufacturer, CPU clock speed, operating system (OS) manufacturer, OS version, and OS patches. 36. The system of claim 29, wherein the test procedure module further enables the user to edit at least one standard, regulation and/or requirement. 37. The system of claim 29, wherein said threat element score generation module generates scores comprising at least one of: a) negligible, wherein negligible indicates that the threat element is not applicable or has negligible likelihood of occurrence; b) low, wherein low indicates that the threat element has a relatively low likelihood of occurrence; c) medium, wherein medium indicates that the threat element has a medium likelihood of occurrence; and d) high, wherein high indicates that the threat element has a relatively high likelihood of occurrence. 38. The system of claim 29, wherein the scores generated by said threat element score generation module are generated in response to one or more user provided inputs. 39. The system of claim 38, wherein the user can modify and/or edit any of said scores. 40. The system of claim 29, wherein said threat element score generation module threat elements comprise at least one of natural disaster elements, system failure elements, environmental failure elements, unintentional human caused elements, and intentional human caused elements. 41. The system of claim 40, wherein the natural disaster threat elements comprise at least one of fire, flood, earthquake, volcano, tornado, weather, and lighting elements. 42. The system of claim 40, wherein the system failure threat elements comprise at least one of a hardware failure, a power failure, and a communication link failure. 43. The system of claim 40, wherein the environmental failure threat elements comprise at least one of temperature, power, humidity, sand, dust, shock, and vibration. 44. The system of claim 40, wherein the human caused unintentional threat element comprises at least one of a software design error, a system design error, and an operator error. 45. The system of claim 40, wherein the human caused intentional threat elements comprise actions by at least one of an authorized system administrator, an authorized maintenance personnel, an authorized user, a terrorist, a hacker, a saboteur, a thief, and a vandal. 46. The system of claim 29, wherein the threat correlation indication comprises at least one of the following scores: a) negligible, wherein negligible indicates that the threat is not applicable to the vulnerability; b) low, wherein low indicates that the threat has a low potential to exploit the vulnerability; c) medium, wherein medium indicates that the threat has a potential to exploit the vulnerability; and d) high, wherein high indicates that the threat has a relatively high potential to exploit the vulnerability. 47. The system of claim 46, wherein the risk assessment module assesses risk by: a) for each element in the project threat profile and corresponding element in the threat correlation pattern, determining an overall risk of an element in a threat correlation indication in accordance with at least one of the following: (1) if a threat element score as determined in said threat element score generation module is negligible and a corresponding element in the threat correlation indication is anything, then the overall risk of the element is negligible; (2) if a threat element score as determined in said threat element score generation module is low and the corresponding element in the threat correlation indication is negligible, then the overall risk of the element is low; (3) if a threat element score as determined in said threat element score generation module is low and the corresponding element in the threat correlation indication is low, then the overall risk of the element is low; (4) if a threat element score as determined in said threat element score generation module is low and the corresponding element in the threat correlation indication is medium, then the overall risk of the element is low; (5) if a threat element score as determined in said threat element score generation module is low and the corresponding element in the threat correlation indication is high, then the overall risk of the element is medium; (6) if a threat element score as determined in said threat element score generation module is medium and the corresponding element in the threat correlation indication is negligible, then the overall risk of the element is negligible; (7) if a threat element score as determined in said threat element score generation module is medium and the corresponding element in the threat correlation indication is low, then the overall risk of the element is low; (8) if a threat element score as determined in said threat element score generation module is medium and the corresponding element in the threat correlation indication is medium, then the overall risk of the element is medium; (9) if a threat element score as determined in said threat element score generation module is medium and the corresponding element in the threat correlation indication is high, then the overall risk of the element is medium; (10) if a threat element score as determined in said threat element score generation module is high and the corresponding element in the threat correlation indication is negligible, then the overall risk of the element is negligible; (11) if a threat element score as determined in said threat element score generation module is high and the corresponding element in the threat correlation indication is low, then the overall risk of the element is medium; (12) if a threat element score as determined in said threat element score generation module is high and the corresponding element in the threat correlation indication is medium, then the overall risk of the element is high; and (13) if a threat element score as determined in said threat element score generation module is high and the corresponding element in the threat correlation indication is high, then the overall risk of the element is high; and b) selecting the risk profile for the test procedure, if that test procedure is failed, as being the highest overall risk element as determined by at least one of steps a) 1)-a) 13). 48. The system of claim 47, wherein said risk assessment module further determines an overall system risk. 49. The system of claim 48, wherein the overall system risk is the highest overall risk element of each of one or more failed test procedures. 50. The system of claim 48, further comprising a printing module for printing a documentation package that will enable a determination to be made whether the target system complies with the at least one predefined standard, regulation and/or requirement. 51. The system of claim 50, wherein the documentation package includes a risk assessment for at least one test procedure. 52. The system of claim 50, wherein the documentation package includes an overall system risk. 53. A computer-readable medium for storing computer instructions therein, the computer-readable medium comprising instructions for assessing risk over a computer network having at least one target system and a server that communicates with the at least one target system via the computer network, the server executing the computer instructions for performing the method comprising the steps of: a) enabling the user to choose at least one predefined process step pertaining to collecting information descriptive of at least one aspect of a target system hardware and/or software, and/or a physical environment in which the target system operates; b) testing the target system against at least one test procedure selected to satisfy at least one predefined standard, regulation and/or requirement with which the target system is to comply for purposes of certification and accreditation; c) generating a score for at least one threat element, the score indicating a likelihood of that threat element affecting the target system; d) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more given threats to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each score generated in said step c) with a corresponding threat correlation indication of said element d) (1) instructions. 54. The method of claim 53, further comprising receiving at least a portion of the result of tests performed for the at least one test procedure. 55. The computer-readable medium of claim 53, comprising instructions that enable the user to enter at least a subscription key to gain access to the process steps. 56. The computer-readable medium of claim 53, further comprising instructions that enable a user to define an order of at least one of the plurality of process steps. 57. The computer-readable medium of claim 53, further comprising instructions that enable a user to define at least one role for at least one user performing at least a portion of a process step. 58. The computer-readable medium of claim 57, wherein the roles comprise at least one of certification and accreditation analyst, computer security incident response capabilities representative, privacy advocates office representative, disclosure office representative, vulnerabilities office representative, technical contingency planning document representative, request for information system originator, owner of business system, certification and accreditation request for information system coordinator, critical infrastructure protection representative, system point of contact, principal accrediting authority, certification and accreditation administrator, and certification and accreditation chief. 59. The computer-readable medium of claim 57, further comprising instructions that enable an electronic notification to be sent to one or more users performing at least a portion of a specified process step upon the occurrence of a predefined event. 60. The computer-readable medium of claim 59 wherein the predefined events comprise at least one of opening a process step, submitting a process step for approval, re-opening a process step, and approving a process step. 61. The computer-readable medium of claim 53 wherein the information collected in said element a) instructions comprises at least one of central processing unit (CPU) manufacturer, CPU clock speed, operating system (OS) manufacturer, OS version, and OS patches. 62. The computer-readable medium of claim 53, further comprising instructions that enable a user to optionally edit at least one standard, regulation and/or requirement. 63. The computer-readable medium of claim 53, wherein said scores for said element c) instructions comprise at least one of: a) negligible, wherein negligible indicates that the threat element is not applicable or has negligible likelihood of occurrence; b) low, wherein low indicates that the threat element has a relatively low likelihood of occurrence; c) medium, wherein medium indicates that the threat element has a medium likelihood of occurrence; and d) high, wherein high indicates that the threat element has a relatively high likelihood of occurrence. 64. The computer-readable medium of claim 53 wherein the scores of said element c) instructions are generated in response to one or more user provided inputs. 65. The computer-readable medium of claim 64, further comprising instructions that enable a user to modify and/or edit said scores. 66. The computer-readable medium of claim 53, wherein said element c) threat element instructions comprise at least one of natural disaster elements, system failure elements, environmental failure elements, unintentional human caused elements, and intentional human caused elements. 67. The computer-readable medium of claim 66, wherein the natural disaster threat elements comprise at least one of fire, flood, earthquake, volcano, tornado, weather, and lighting elements. 68. The computer-readable medium of claim 66, wherein the system failure threat elements comprise at least one of a hardware failure, a power failure, and a communication link failure. 69. The computer-readable medium of claim 66, wherein the environmental failure threat elements comprise at least one of temperature, power, humidity, sand, dust, shock, and vibration. 70. The computer-readable medium of claim 66, wherein the human caused unintentional threat element comprises at least one of a software design error, a system design error, and an operator error. 71. The computer-readable medium of claim 66, wherein the human caused intentional threat elements comprise actions by at least one of an authorized system administrator, an authorized maintenance personnel, an authorized user, a terrorist, a hacker, a saboteur, a thief, and a vandal. 72. The computer-readable medium of claim 53, wherein said element e) threat correlation indication instructions comprise at least one of the following scores: a) negligible, wherein negligible indicates that the threat is not applicable to the vulnerability; b) low, wherein low indicates that the threat has a low potential to exploit the vulnerability; c) medium, wherein medium indicates that the threat has a potential to exploit the vulnerability; and d) high, wherein high indicates that the threat has a relatively high potential to exploit the vulnerability. 73. The computer-readable medium of claim 72 wherein the risk assessment in said element e) instructions is determined by: a) for each element in the project threat profile and corresponding element in the threat correlation pattern, determining an overall risk of an element in a threat correlation indication in accordance with at least one of the following: (1) if a threat element score as determined in said element e) instructions is negligible and a corresponding element in the threat correlation indication as determined in said element e) instructions is anything, then the overall risk of the element is negligible; (2) if a threat element score as determined in said element c) instructions is low and the corresponding element in the threat correlation indication as determined in said element e) instructions is negligible, then the overall risk of the element is low; (3) if a threat element score as determined in said element c) instructions is low and the corresponding element in the threat correlation indication as determined in said element e) instructions is low, then the overall risk of the element is low; (4) if a threat element score as determined in said element c) instructions is low and the corresponding element in the threat correlation indication as determined in said element e) instructions is medium, then the overall risk of the element is low; (5) if a threat element score as determined in said element c) instructions is low and the corresponding element in the threat correlation indication as determined in said element e) instructions is high, then the overall risk of the element is medium; (6) if a threat element score as determined in said element c) instructions is medium and the corresponding element in the threat correlation indication as determined in said element e) instructions is negligible, then the overall risk of the element is negligible; (7) if a threat element score as determined in said element c) instructions is medium and the corresponding element in the threat correlation indication as determined in said element e) instructions is low, then the overall risk of the element is low; (8) if a threat element score as determined in said element c) instructions is medium and the corresponding element in the threat correlation indication as determined in said element e) instructions is medium, then the overall risk of the element is medium; (9) if a threat element score as determined in said element c) instructions is medium and the corresponding element in the threat correlation indication as determined in said element e) instructions is high, then the overall risk of the element is medium; (10) if a threat element score as determined in said element c) instructions is high and the corresponding element in the threat correlation indication as determined in said element e) instructions is negligible, then the overall risk of the element is negligible; (11) if a threat element score as determined in said element c) instructions is high and the corresponding element in the threat correlation indication as determined in said element e) instructions is low, then the overall risk of the element is medium; (12) if a threat element score as determined in said element c) instructions is high and the corresponding element in the threat correlation indication as determined in said element e) instructions is medium, then the overall risk of the element is high; and (13) if a threat element score as determined in said element c) instructions is high and the corresponding element in the threat correlation indication as determined in said element e) instructions is high, then the overall risk of the element is high; and b) selecting the risk profile for the test procedure, if that test procedure is failed, as being the highest overall risk element of at least one of instructions a)1)-a)13). 74. The computer-readable medium of claim 73, further comprising instructions that determine an overall system risk. 75. The computer-readable medium of claim 74, wherein the overall system risk is the highest overall risk element of each of one or more test procedures. 76. The computer-readable medium of claim 74, further comprising instructions that enable a user to print a documentation package that will enable a determination to be made whether the target system complies with the at least one predefined standard, regulation and/or requirement. 77. The computer-readable medium of claim 76, wherein the documentation package includes a risk assessment for at least one test procedure. 78. The computer-readable medium of claim 76, wherein the documentation package includes an overall system risk. 79. A general purpose computing system for assessing risk over a computer network having at least one target system and a server that communicates with the at least one target system via the computer network, the computing system comprising: a first means for: a) enabling a user to utilize a predefined sequence of process steps to collect and/or receive information descriptive of at least one aspect of a target system hardware and/or software, and/or a physical environment in which the system operates; b) generating a score for each of a plurality of threat elements, each score indicating a likelihood of that threat element affecting the target system; c) enabling at least one of the user and the system to test the system against at least one test procedure selected to satisfy the at least one predefined standard, regulation and/or requirement; d) enabling a user to enter results associated with said at least one test procedure selected in said element d) to determine whether the target system passes or fails said at least one test procedure; and e) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more given threats to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each score generated in said element c) with a corresponding threat correlation indication of said element e) (1); and a second means for: f) enabling the user to choose one or more predefined process steps associated with said element a) information and/or said element a) process steps. 80. The general purpose computing system of claim 79, further comprising enabling the user to utilize a predefined sequence of process steps for selecting at least one predefined standard, regulation and/or requirement with which the target system is to comply for purposes of certification and accreditation. 81. The general purpose computing system of claim 79, wherein said first means comprises a host computer having a first module and said second means comprises a host computer having a second module. 82. The general purpose computing system of claim 81, wherein said first module contains instructions for enabling at least one of two or more users working collaboratively via a network to select, via a local or remote terminal, at least one test procedure against which the target system is tested to satisfy the at least one predefined standard, regulation and/or requirement. 83. The system of claim 79, wherein the second means further enables the user to define an order of at least one of the prerequisite process steps. 84. The system of claim 79, wherein the second means further enables the user to define at least one role for at least one user performing at least a portion of a process step. 85. The system of claim 84, wherein the at least one role comprises at least one of certification and accreditation analyst, computer security incident response capabilities representative, privacy advocates office representative, disclosure office representative, vulnerabilities office representative, technical contingency planning document representative, request for information system originator, owner of business system, certification and accreditation request for information system coordinator, critical infrastructure protection representative, system point of contact, principal accrediting authority, certification and accreditation administrator, and certification and accreditation chief. 86. The system of claim 79, wherein the second means further enables the user to direct the system to send an electronic notification to one or more users performing at least a portion of a specified process step upon the occurrence of a predefined event. 87. The system of claim 86, wherein the predefined events comprise at least one of opening a process step, submitting a process step for approval, re-opening a process step, and approving a process step. 88. The system of claim 79, wherein a predefined mapping between said element a) information and/or said element b) process steps and the said element d) test procedures enables the system to select at least one said element d) test procedure. 89. A computer-readable medium for storing computer instructions therein, the computer-readable medium comprising instructions for assessing risk over a computer network having at least one target system and a server that communicates with the at least one target system via the computer network, the medium comprising: first instructions for: a) enabling the user to utilize a predefined sequence of process steps to collect and/or receive information descriptive of at least one aspect of a target system hardware and/or software, and/or a physical environment in which the system operates; b) generating a score for each of a plurality of threat elements, each score indicating a likelihood of that threat element affecting the target system with which the target system is to comply; c) enabling at least one of the user and the system to test the system against at least one test procedure selected to satisfy the at least one predefined standard, regulation and/or requirement; d) enabling a user to enter results associated with said at least one test procedure selected in said instruction element d) to determine whether the target system passes or fails said at least one test procedure; and e) (1) obtaining a threat correlation indication associated with said at least one test procedure, wherein said threat correlation indication indicates a relative potential of one or more given threats to exploit a vulnerability caused by a failure of said at least one test procedure, and (2) determining a risk assessment by comparing each score generated in said instruction element b) with a corresponding threat correlation indication of said instruction element e) (1); and second instructions for: f) enabling the user to choose one or more predefined process steps associated with said instructions element a) information. 90. The medium of claim 89, wherein said second instructions further comprise instructions that enable the user to define an order of at least one of the prerequisite process steps. 91. The medium of claim 89, wherein said second instructions further comprise instructions that enable the user to define at least one role for at least one user performing at least a portion of a process step. 92. The medium of claim 91, wherein the at least one role comprises at least one of certification and accreditation analyst, computer security incident response capabilities representative, privacy advocates office representative, disclosure office representative, vulnerabilities office representative, technical contingency planning document representative, request for information system originator, owner of business system, certification and accreditation request for information system coordinator, critical infrastructure protection representative, system point of contact, principal accrediting authority, certification and accreditation administrator, and certification and accreditation chief. 93. The medium of claim 89, wherein said second instructions further comprise instructions that enable the user to direct the system to send an electronic notification one or more users performing at least a portion of a specified process step upon the occurrence of a predefined event. 94. The medium of claim 93, wherein the predefined events comprise at least one of opening a process step, submitting a process step for approval, re-opening a process step, and approving a process step. 95. The medium of claim 89, wherein a predefined mapping between first instruction element a) information and the first instruction element c) test procedures enables the system to select at least one first instruction element c) test procedure. 96. The computer program medium storing computer instructions therein of claim 89, said first instructions further comprising instructions for: enabling at least one user via a local or remote terminal to utilize a predefined sequence of process steps for selecting at least one predefined standard, regulation and/or requirement with which the target system is to comply; and enabling at least one of two or more users working collaboratively via a network to select, via a local or remote terminal, at least one test procedure against which the target system is tested to satisfy the at least one predefined standard, regulation and/or requirement. 97. A system for assessing risk over a computer network having at least one target system and a server that communicates with the at least one target system via the computer network, the server comprising: means for enabling at least one user via a local or remote terminal to utilize a predefined sequence of process steps to collect and/or receive information descriptive of at least one aspect of a target system hardware and/or software, and/or a physical environment in which the target system operates; means for enabling at least one user via a local or remote terminal to utilize a predefined sequence of process steps for selecting at least one predefined standard, regulation and/or requirement with which the target system is to comply; at least one storage medium for storing thereon: (i) at least one predefined standard, regulation and/or requirement with which the segment is to comply; and (ii) data pertaining to at least one platform category, each platform category having associated therewith one or more devices having at least a hardware specification and an operating system; and decision logic for determining which test procedures will be used to test each of the at least one platform category based on a mapping between the test procedures and the at least one predefined standard, regulation and/or requirement. 98. The system of claim 97, further comprising a printer for printing the one or more test procedures. 99. The system of claim 97, wherein the target system information comprises at least one of an IP address, a hostname, a media access control address, operating system name, operating system version. 100. The system of claim 99, wherein the information further comprises at least one of application software, hard disk drive capacity, device manufacturer, and device model. 101. A system for assessing risk over a computer network having at least one target system and a server that communicates with the at least one target system via the computer network, the server comprising: means for enabling at least one user via a local or remote terminal to utilize a predefined sequence of process steps to collect and/or receive information descriptive of at least one aspect of a target system hardware and/or software, and/or a physical environment in which the system operates; means for enabling at least one user via a local or remote terminal to utilize a predefined sequence of process steps for selecting at least one predefined standard, regulation and/or requirement with which the target system is to comply; a storage medium for storing the at least one predefined standard, regulation and/or requirement with which the target system is to comply; a plurality of information entities, each of said plurality of information entities storing data pertaining to at least one platform category, each platform category defining one or more devices having at least a hardware specification and an operating system; and decision logic for determining which of one or more test procedures will be used to test each platform category based on a mapping between the test procedures and the at least one predefined standard, regulation and/or requirement. 102. The system of claim 101, wherein said plurality of information entities comprise relational database tables. 103. The system of claim 102, wherein said relational database tables comprise tables for defining: a) each of the at least one platform category; b) each of the at least one device; c) each application program; d) each defined association between an application program and a platform category, wherein each such association indicates that the application program is typically installed on devices belonging to the platform category; and e) each defined association between an application program and a device, wherein each such association indicates that the application program is actually installed on the device; and f) each standard operating system. 104. A method of assessing risk over a computer network having at least one target system and a server that communicates with the at least one target system via the computer network, the server performing the method comprising the steps of: a) enabling at least one user via a local or remote terminal to utilize a predefined sequence of process steps to collect and/or receive information descriptive of at least one aspect of the target system hardware and/or software, and/or a physical environment in which the system operates; b) enabling at least one user via a local or remote terminal to utilize a predefined sequence of process steps for selecting at least one predefined standard, regulation and/or requirement with which the target system is to comply; c) associating hardware and/or software information pertaining to the at least one device, collected in said step a), with at least one pre-defined platform category; d) for each of said at least one platform category, determining which of one or more test procedures will be used to test hardware and/or software associated with said at least one platform category based on a mapping between the test procedures and the at least one predefined standard, regulation and/or requirement; and e) generating at least one test procedure as determined in said step d) for each platform category. 105. A system for assessing risk over a computer network having at least one target system and a server that communicates with the at least one target system via the computer network, the server comprising: a) a discovery engine that scans a target system for a hardware configuration, operating system and/or application programs of each of at least one device in the target system; b) at least one storage medium for storing thereon: (i) at least one predefined standard, regulation and/or requirement with which the target system is to comply, and (ii) data pertaining to at least one platform category, each platform category having associated therewith one or more devices having at least a hardware specification and an operating system; and c) decision logic for determining which of zero or more test procedures will be used to test each of the at least one platform category based on a mapping between the test procedures and the at least one predefined standard, regulation and/or requirement.

이 특허에 인용된 특허 (34)

Goodman,Marina; Mesoy,Tor; Taylor,Stanton J.; Reiter,Scott R.; Bowen,Michael T.; Auriemma,Ralph; Alairys,Tamara D.; Degiorgio,Christopher M.; Coleman,Lizbeth Johnson, Architectures for netcentric computing systems.
상세보기
Steinmetz Michael J. ; Kirst Michael E., Automated diagnostic system.
상세보기
Michel K. Bowman-Amuah, Building techniques in a development architecture framework.
상세보기
Dew Larry A. ; Davison William B. ; Miller Timothy E. ; Slazinski Robert M., Common database system for a communication system.
상세보기
Shostack Adam ; Allouch David,ILX, Computer security.
상세보기
Drake Christopher Nathan,AUX, Computer software authentication, protection, and security system.
상세보기
Hecht Matthew S. (Potomac MD) Johri Abhai (Gaithersburg MD) Wei Tsung T. (Gaithersburg MD) Steves Douglas H. (Austin TX), Distributed security auditing subsystem for an operating system.
상세보기
Julie Lynn Huff ; Tracy Glenn Shelanskey ; Sheila Ann Jackson, Dynamic system defense for information warfare.
상세보기
Lermuzeaux Jean-Marc (St Michel sur Orge FRX) Emery Thierry (St Germain les Arpajon FRX) Gonthier Patrice (Antony FRX), Facility for detecting intruders and suspect callers in a computer installation and a security system including such a f.
상세보기
Schneier Bruce, Method and apparatus for analyzing information systems using stored tree database structures.
상세보기
Esbensen Daniel, Method and apparatus for automated network-wide surveillance and security breach intervention.
상세보기
Klaus Christopher W., Method and apparatus for detecting and identifying security vulnerabilities in an open network computer communication sy.
상세보기
Jones Wendell Davis ; Aud Stephen J. ; Hudepohl John P. ; Flournory Martin L. ; Snipes William B. ; Schutz Eric C., Method and system for dynamic risk assessment of software systems.
상세보기
Walker Jeffrey H., Method and system for reducing the volume of audit data and normalizing the audit data received from heterogeneous sources.
상세보기
Bhat Sunil (Colorado Springs CO) McKee Neil (Bristol GBX), Method for determining topology of a network.
상세보기
Todd ; Sr. Robert E. ; Glahe Aaron C. ; Pendleton Adam H., Method for network self security assessment.
상세보기
Terada Masato,JPX ; Yoshida Kenichi,JPX ; Kayashima Makoto,JPX, Network system having external/internal audit system for computer security.
상세보기
Ronnen U. George (Ocean NJ), Network vulnerability management apparatus and method.
상세보기
Brandwajn Vladimir (San Jose CA) Ipakchi Ali (San Carlos CA) Kumar A. B. Ranjit (Cupertino CA) Cauley Gerald W. (San Jose CA), Neural network for contingency ranking dynamic security indices for use under fault conditions in a power distribution s.
상세보기
Grimm Robert ; Bershad Brian N., Process for transparently enforcing protection domains and access control as well as auditing operations in software components.
상세보기
Fieres Helmut ; Merckling Roger ; Klemba Keith, Software level touchpoints for an international cryptography frameworks.
상세보기
Kodosky Jeffrey L. ; Andrade Hugo ; Odom Brian K. ; Butler Cary P., System and method for configuring an instrument to perform measurement functions utilizing conversion of graphical programs into hardware implementations.
상세보기
Testa Louis C. ; Geiger Susan P., System and method for generating test program code simultaneously with data produced by ATPG or simulation pattern capture program.
상세보기
Devanbu Premkumar Thomas ; Stubblebine Stuart Gerald, System and method for providing assurance to a host that a piece of software possesses a particular property.
상세보기
Gleichauf Robert ; Shanklin Steven, System and method for real-time insertion of data into a multi-dimensional database for network intrusion detection and vulnerability assessment.
상세보기
Michael F. Guheen ; James D. Mitchell ; James J. Barrese, System for establishing plan to test components of web based framework by displaying pictorial representation and conveying indicia coded components of existing network framework.
상세보기
Bowman-Amuah Michel K., System, method and article of manufacture for configuration management in a development architecture framework.
상세보기
Michel K. Bowman-Amuah, System, method and article of manufacture for managing an environment of a development architecture framework.
상세보기
Bowman-Amuah Michel K., System, method and article of manufacture for security management in a development architecture framework.
상세보기
Magdych, James S.; Rahmanovic, Tarik; McDonald, John R.; Tellier, Brock E., System, method and computer program product for risk assessment scanning based on detected anomalous events.
상세보기
Ginter Karl L. ; Shear Victor H. ; Sibert W. Olin ; Spahn Francis J. ; Van Wie David M., Systems and methods for secure transaction management and electronic rights protection.
상세보기
Karl L. Ginter ; Victor H. Shear ; Francis J. Spahn ; David M. Van Wie, Systems and methods for secure transaction management and electronic rights protection.
상세보기
Harris Cliff A. ; Love Jerry T., Transfer impedance measurement instrument system.
상세보기
Shrader Theodore Jack London ; Ault Michael Bradford ; Child Garry L. ; Plassmann Ernst Robert ; Rich Bruce Arland ; Soper Davis Kent, Web client scripting test architecture for web server-based authentication.
상세보기

이 특허를 인용한 특허 (32)

Oliphant, Brett M.; Blignaut, John P., Anti-vulnerability system, method, and computer program product.
상세보기
Oliphant, Brett M.; Blignaut, John P., Anti-vulnerability system, method, and computer program product.
상세보기
Oliphant, Brett M.; Blignaut, John P., Anti-vulnerability system, method, and computer program product.
상세보기
Oliphant, Brett M.; Blignaut, John P., Anti-vulnerability system, method, and computer program product.
상세보기
Oliphant, Brett M.; Blignaut, John P., Anti-vulnerability system, method, and computer program product.
상세보기
Oliphant, Brett M.; Blignaut, John P., Anti-vulnerability system, method, and computer program product.
상세보기
Oliphant, Brett M.; Blignaut, John P., Computer program product and apparatus for multi-path remediation.
상세보기
Oliphant, Brett M.; Blignaut, John P., Computer program product and apparatus for multi-path remediation.
상세보기
Oliphant, Brett M.; Blignaut, John P., Computer program product and apparatus for multi-path remediation.
상세보기
Lawrence, David, Gaming industry risk management clearinghouse.
상세보기
Roytman, Michael; Bellis, Edward T.; Heuer, Jeffrey, Identifying vulnerabilities of computing assets based on breach data.
상세보기
Roytman, Michael; Bellis, Edward T.; Heuer, Jeffrey, Internet breach correlation.
상세보기
Barai, Bikash; De, Nilanjan, Method and system simulating a hacking attack on a network.
상세보기
Schloegel, Kirk A.; Bhatt, Devesh, Method for software vulnerability flow analysis, generation of vulnerability-covering code, and multi-generation of functionally-equivalent code.
상세보기
Scates, Joseph F., Method of risk management across a mission support network.
상세보기
Scates, Joseph F., Method of risk management across a mission support network.
상세보기
Nori, Sarita Brahmandam; Pae, Christine; Thiagarajan, Bhuvaneswari, Method(s) for updating database object metadata.
상세보기
Lawrence, David; Nitze, Peter; MacDonald, Alasdair, Method, system, apparatus, program code and means for determining a redundancy of information.
상세보기
Lawrence, David; Nitze, Peter; MacDonald, Alasdair, Method, system, apparatus, program code and means for identifying and extracting information.
상세보기
Oliphant, Brett M.; Blignaut, John P., Multi-path remediation.
상세보기
Krisher, Michael; Bellis, Edward T.; Heuer, Jeffrey, Ordered computer vulnerability remediation reporting.
상세보기
Roytman, Michael; Bellis, Edward T.; Heuer, Jeffrey, Ordered computer vulnerability remediation reporting.
상세보기
Oliphant, Brett M.; Blignaut, John P., Real-time vulnerability monitoring.
상세보기
Oliphant, Brett M.; Blignaut, John P., Real-time vulnerability monitoring.
상세보기
Chatlain, David R; Lim, Amy V, System and method for certification.
상세보기
Taneja, Deepak; Bhamidipati, Prasad V.; Byragani, Bushan Yadav; Nadimpalli, Sanjay; Lull, Joaquin, System and method for collecting and normalizing entitlement data within an enterprise.
상세보기
Oliphant, Brett M.; Blignaut, John P., System, method, and computer program product for reporting an occurrence in different manners.
상세보기
Powell, William S.; Chen, Thomas L., System, method, and software for cyber threat analysis.
상세보기
Powell, William Shane; Chen, Thomas L., System, method, and software for cyber threat analysis.
상세보기
Marsh, Jacob J.; Roney, Gregory D., Systems and methods for implementing modular computer system security solutions.
상세보기
Lawrence, David; Nitze, Peter; MacDonald, Alasdair, Systems and methods for managing information associated with legal, compliance and regulatory risk.
상세보기
Stienhans, Frank, Systems and methods of multidimensional software management.
상세보기

IPC	Description
A	생활필수품
A62	인명구조; 소방(사다리 E06C)
A62B	인명구조용의 기구, 장치 또는 방법(특히 의료용에 사용되는 밸브 A61M 39/00; 특히 물에서 쓰이는 인명구조 장치 또는 방법 B63C 9/00; 잠수장비 B63C 11/00; 특히 항공기에 쓰는 것, 예. 낙하산, 투출좌석 B64D; 특히 광산에서 쓰이는 구조장치 E21F 11/00)
A62B-1/08	.. 윈치 또는 풀리에 제동기구가 있는 것

내보내기 구분	파일저장 인쇄 메일전송
구성항목	기본정보 상세정보 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표IPC 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 공고번호, 공고일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표출원인, 출원인국적, 출원인주소, 발명자, 발명자E, 발명자코드, 발명자주소, 발명자 우편번호, 발명자국적, 대표IPC, IPC코드, 요약, 미국특허분류, 대리인주소, 대리인코드, 대리인(한글), 대리인(영문), 국제공개일자, 국제공개번호, 국제출원일자, 국제출원번호, 우선권, 우선권주장일, 우선권국가, 우선권출원번호, 원출원일자, 원출원번호, 지정국, Citing Patents, Cited Patents
저장형식	Text(ASCII format) Excel format PIAS분석(.xls)
메일정보	받는사람 (필수) @ 보내는사람 (선택) @ 제목 내용 KISTI 검색결과 이메일 서비스
안내	총 건의 자료가 검색되었습니다. 다운받으실 자료의 인덱스를 입력하세요. (1-10,000) 검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다. 데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요) 다운로드 파일은 UTF-8 형태로 저장됩니다. 파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오. ~ Text(ASCII format) Excel format

연합인증

Enhanced system, method and medium for certifying and accrediting requirements compliance 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

이 특허에 인용된 특허 (34)

이 특허를 인용한 특허 (32)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트

연합인증

Enhanced system, method and medium for certifying and accrediting requirements compliance 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

전체(0) 논문(0) 특허(0) 보고서(0)

전체(0) 논문(0) 특허(0) 보고서(0)

이 특허에 인용된 특허 (34)

이 특허를 인용한 특허 (32)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트