DETAILED ACTION
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
The amendment filed on 12/18/2020 has been entered and fully considered.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an electronic communication with Douglas G. Gallagher (Registration Number 57,783) on January 27, 2021.

Please replace the claims as follows:

1. (Currently Amended) A system comprising a processor and a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to enable monitoring actual access to data elements in an enterprise computer network and providing associated data, the system further comprising:
an at least near real time data element audit subsystem providing audit output data including at least one of a time stamp, identification of an accessor, user depository stored data regarding said accessor, accessed data element data, affected data element data, type of access operation, source IP 
an additional data providing subsystem operative to:
receive in at least near real time at least a part of said audit output data relating to said actual access of said accessor;
automatically search said enterprise computer network in order to find at least one useful data source outside of said enterprise computer network;
utilize said at least part of said audit output data for automatically retrieving, in response to said audit output data, additional data relating to said actual access of said accessor from said at least one useful data source outside of said enterprise computer network, which said additional data is not part of said audit output data; and
utilize a combination of at least said part of said audit output data relating to said actual access to said data elements within said enterprise computer network and said additional data relating to said actual access of said accessor from said at least one data source outside of said enterprise computer network for said monitoring said actual access to said data elements in said enterprise computer network and providing a monitoring access output for said actual access; and
a protective measure subsystem operative to provide at least one automatic protective measure in at least near real time to said enterprise computer network when said monitoring access output indicates that said actual access may be problematic.

2. (Cancelled).
4. (Cancelled).
5. (Cancelled).


providing 
receiving at least part of said audit output data relating to said actual access of said accessor; 
automatically searching said enterprise computer network in order to find at least one useful data source outside of said enterprise computer network;
utilizing said at least part of said audit output data for automatically receiving, in response to said audit output data, additional data relating to said actual access of said accessor from said at least one useful data source outside of said enterprise computer network which said additional data is not part of said audit output data; 
utilizing a combination of at least said part of said audit output data relating to said actual access to said data elements within said enterprise computer network and said additional data relating to said actual access of said accessor from said at least one data source outside of said enterprise computer network for said monitoring said actual access to said data elements in said enterprise computer network and providing a monitoring access output for said actual access; and
providing at least one automatic protective measure in at least near real time to said enterprise computer network when said monitoring access output indicates that said actual access of said accessor may be problematic. 

7. (Cancelled).


11. (Currently amended) A system comprising a processor and a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to enable monitoring actual access to data elements in an enterprise computer network and providing associated data, the system further comprising:
a data element audit subsystem providing audit data including at least data relating to time stamps of at least two actual accesses of a particular accessor and IP addresses of computers used for said two actual accesses of said particular accessor; 
an additional data providing subsystem operative to:
receive at least a part of said audit data relating to said actual accesses of said accessor; 
automatically search said enterprise computer network in order to find at least one useful data source outside of said enterprise computer network;
utilize said at least part of said audit data for automatically retrieving, in response to said audit output data, additional data relating to said actual accesses of said accessor from said at least one useful data source outside of said enterprise computer network, said additional data comprising physical location data corresponding to said IP addresses of said computers used for said two actual accesses of said particular accessor, said additional data not being part of said audit output data; and 
utilize a combination of at least said part of said audit output data and said additional data relating to said actual accesses of said accessor from said at least one data source outside of said enterprise computer network for said monitoring said actual access to said data elements in said enterprise computer network; 
a time and distance analysis engine providing a monitoring access output for said actual access indicating whether a time difference between said time stamps and a geographical separation between said physical locations of said at least two actual accesses of said particular accessor may feasibly correspond one to another, in view of a minimum time duration required to physically travel between said physical locations of said at least two actual accesses of said particular accessor; and
a protective measure subsystem operative to provide at least one automatic protective measure to said enterprise computer network in at least near real time when said monitoring access output indicates that said actual access may be problematic. 




providing audit data including at least data relating to time stamps of at least two actual accesses of a particular accessor and IP addresses of computers used for said two actual accesses of said particular accessor; 
receiving at least a part of said audit data relating to said actual accesses of said accessor; 
automatically searching said enterprise computer network in order to find at least one useful data source outside of said enterprise computer network;
utilizing said at least part of said audit data for automatically retrieving, in response to said audit output data, additional data relating to said actual accesses of said accessor from said at least one useful data source outside of said enterprise computer network, said additional data comprising physical location data corresponding to said IP addresses of said computers used for said two actual accesses of said particular accessor, said additional data not being part of said audit output data; 
utilizing a combination of at least said part of said audit output data and said additional data relating to said actual accesses of said accessor from said at least one data source outside of said enterprise computer network for said monitoring said actual access to said data elements in said enterprise computer network; 
providing a monitoring access output for said actual access indicating whether a time difference between said time stamps and a geographical separation between said physical locations of said at least two actual accesses of said particular accessor may feasibly correspond one to another in view of a minimum time duration required to physically travel between said physical locations of said at least two actual accesses of said particular accessor; and
providing at least one automatic protective measure to said enterprise computer network in at least near real time when said monitoring access output indicates that said actual access of said accessor may be problematic. 
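
The time and distance feasibility check recited in claims 11 and 16 above, sketched in Python as an added illustration; it is not part of the office action or of the application. The geolocation table, the 900 km/h speed ceiling, the record fields and the function names are all assumptions.

```python
import math
from datetime import datetime

# Constructed stand-in for the external IP-to-location data source.
# Addresses are documentation ranges; coordinates are approximate city centres.
GEO_SOURCE = {
    "198.51.100.7": (40.7128, -74.0060),   # New York
    "203.0.113.20": (51.5074, -0.1278),    # London
    "192.0.2.44": (40.7357, -74.1724),     # Newark
}
MAX_SPEED_KMH = 900.0  # assumed fastest plausible travel (commercial jet)

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def analyze(first, second, geo=GEO_SOURCE, max_speed=MAX_SPEED_KMH):
    """Compare two audit records (accessor, ISO timestamp, source IP)."""
    if first["accessor"] != second["accessor"]:
        raise ValueError("records belong to different accessors")
    loc1, loc2 = geo.get(first["ip"]), geo.get(second["ip"])
    if loc1 is None or loc2 is None:
        # No location data for an IP: feasibility cannot be judged.
        return {"feasible": None, "measure": None}
    t1 = datetime.fromisoformat(first["ts"])
    t2 = datetime.fromisoformat(second["ts"])
    elapsed_h = abs((t2 - t1).total_seconds()) / 3600.0
    distance = haversine_km(loc1, loc2)
    min_travel_h = distance / max_speed  # minimum time to cover the separation
    feasible = elapsed_h >= min_travel_h
    return {
        "feasible": feasible,
        "distance_km": round(distance),
        "min_travel_h": round(min_travel_h, 2),
        # Protective measure here is an alert, as in claims 62 and 64.
        "measure": None if feasible else f"alert: {first['accessor']}",
    }

# Constructed audit records for one accessor.
AUDIT = [
    {"accessor": "jdoe", "ts": "2024-03-01T09:00:00+00:00", "ip": "198.51.100.7"},
    {"accessor": "jdoe", "ts": "2024-03-01T10:30:00+00:00", "ip": "203.0.113.20"},
    {"accessor": "jdoe", "ts": "2024-03-01T11:15:00+00:00", "ip": "192.0.2.44"},
]
```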

20. (Currently amended) A method according to claim 16 and wherein said providing a monitoring access output comprises providing said monitoring access output




59. (New) A system according to claim 58 and wherein said alert is provided to an IT security manager.

60. (New) A method according to claim 6 and wherein said providing at least one automatic protective measure comprises providing an alert.

61. (New) A method according to claim 60 and wherein said providing an alert comprises providing said alert to an IT security manager. 

62. (New) A system according to claim 11 and wherein said at least one automatic protective measure comprises an alert.

63. (New) A system according to claim 62 and wherein said alert is provided to an IT security manager.

64. (New) A method according to claim 16 and wherein said providing at least one automatic protective measure comprises providing an alert.

65. (New) A method according to claim 64 and wherein said providing an alert comprises providing said alert to an IT security manager.


Allowable Subject Matter
Claims 1, 6, 9, 11-14, 16-17, 19-20 and 58-65 are allowed.
The following is a statement of reasons for the indication of allowable subject matter:  In interpreting the currently amended claims, in light of the specification as well arguments presented in the .
Wittenberg et al. (US Pre-Grant Publication No. 2016/0105801-A1, hereinafter “Wittenberg”) teaches an acceptability model to determine the acceptability of a communication originating from a specified location and to evaluate the acceptability of a received communication. A computer system accesses a communication history for an electronic device, a similar user's communication history and similar locations based on geographic topology data, where the communication history includes at least one previous communication between the electronic device and a computer system.
Faitelson et al. (US Patent Publication No. 8,578,507 B2, hereinafter “Faitelson”) teaches operating an enterprise computer network including multiple network objects, with monitoring and collection functionality for obtaining continuously updated information regarding at least one of access permissions and actual usage of the network objects.
Kumar et al. (US Patent Publication No. 9,853,992, hereinafter “Kumar”) teaches filtering detected anomalies in cloud service usage activities associated with an enterprise, using a trusted location analysis to filter the detected anomalies. The trusted location determination is used to filter the detected anomalies that are associated with trusted locations and non-trusted locations to determine the level of risk associated with the anomalies.
Zimmermann et al. (US Pre-Grant Publication No. 2018/0027006-A1, hereinafter “Zimmermann”) teaches event logs, which may be inspected to classify users, activities, applications and data and the like that relate to data usage and control data usage and include various automated response actions, such as automatically sending an alert to a user, automatically alerting a manager, automatically encrypting sensitive data, or automatically triggering a wide range of response actions that are available in disparate security systems, such as threat management systems. 


Thus the prior art, when taken individually or in combination, does not fairly teach or suggest the limitations as a whole set forth in claims 1, 6, 11 and 16; thus these claims are considered allowable. The dependent claims which further limit claims 1, 6, 11 and 16 are also allowed by virtue of their dependency.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VU V TRAN whose telephone number is (571)270-1708.  The examiner can normally be reached on M-F, 8 AM- 4 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/VU V TRAN/Examiner, Art Unit 2491

/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491