DETAILED ACTION 
Response to Arguments
The amendments filed 11/5/2020 have been entered and made of record. 

Applicant's arguments filed 11/5/2020 have been fully considered but they are not persuasive.
	First, Applicant’s Remarks do not discuss Carrier’s disclosures, although claim 1 is rejected under 103 rejections. Merely discussing one of the references, Zimmermann, without mentioning or analyzing the combination of Carrier’s disclosure with Zimmermann’s disclosure is improper to overcome 103 rejections;
	As discussed in the Non-Office Action of 8/26/2020, the claim limitations in claim 1 recite receiving two data classifications: 1) receiving data classification from end user software {such as by software run within banks, or credit units, and other end user enterprises, etc.}; and 2) receiving developer data classification from SDLC software. Herein, SDLC stands for software development lifecycle (SDLC) {see the definition of SDLC in Zimmermann’s [0516]}, so that the second element 2) “receiving developer data classification from SDLC software” is interpreted as receiving developer data classification from developer software {such as SaaS applications, developer API, or cyber developer API, etc.}. The Non-Office Action of 8/26/2020 also pointed out:
Carrier’s data classification is also applicable for developer data classification (see Carrier: e.g., -- a need exists to develop systems, apparatus, methods or the like for classifying personal data at or before a point of entry/exit within an enterprise.  In this regard, the desired system, apparatus, methods or the like should be capable of determining which individuals/customers and/or data associated with the individual/customers requires classification (e.g., which individuals/customers and/or data falls within the context of internal or external regulations) and, subsequently classify and identify the individuals/customers and data within the data file so that subsequent downstream applications or storage locations, in possession of the data, can acknowledge the individuals/customers and data to insure compliance to the regulations and the like.  By providing for classification at or before entry exit--, in [0006]),
	What is missing from Carrier is an explicit disclosure that the software development, or the developer, is particularly software development lifecycle (SDLC) software, so Zimmermann is relied on in the 103 rejections of this claim limitation,
	Applicant states that Zimmermann does not teach 2) “receiving developer data classification from SDLC software”, 
	However, the Examiner disagrees, because Zimmermann teaches receiving developer data classification from SDLC software (see Zimmermann: e.g., --  The CSF 100 can provide a base level of functionality for each of these solutions, such that a developer may access benefits of all of them, while focusing on an enhanced or extended version of a particular solution. --, in [0116]-[0118], and, --content analysis services (referred to herein in some cases as Content Analysis as a Service (CaaS), content classification services (CCS) or the like) may be undertaken on a file level or may be applied on a block level…. classification services may provide a number of benefits and capabilities, including scalability, extensibility, robustness, avoidance of single points of failure, processing traceability, flexibility, quality of service (QoS), system behavior monitoring, processing efficiency, and componentization.  As to scalability, the system is able to scale to tackle very demanding requests at high volume. …--, in [0327]-[0328], and, -- A policy endpoint 1704 creates or edits a policy (using any policy creation facility, such as of a platform or of the host of the CSF 100 or through the developer API) and delivers it to a policy storage facility 1706, such as a Postgres database….--, in [0374]-[0377], and, -- The searchable application index 2912 may leverage various inputs, such as a community trust rating 2914 and other inputs 2918, such as web scanning, third party rating sources like indexes provided by Checkpoint.TM.  and others, and human research, as well as any other available types of classification.  Classification may be automatic and/or dynamic (such as by tracking access scopes of the application) and may augment, or be augmented by, human classification and classification information from other sources, such as from the cyber security community.  
Classification may include observation of the behavior of an application, such that an application that performs actions that increase risk may be classified as malicious.  Applications may also be classified using honeypotting techniques, where applications are allowed access to a secure area (such as one that does not have access to real enterprise data) where their behavior can be observed and their riskiness assessed as part of classification.--, in [0431], and, --  A secure SaaS SDLC service may include developer services, features and resources enabled by development environment providers such as GitHub.TM., Slack.TM.  Hipchat.TM., Bitbucket.TM., Confluence.TM., JIRA.TM., as well as out of the box ("OOTB") Dev Policies and response actions….security is extended beyond usage of an application in production to other phases of the lifecycle of the application, such as during design and development and at runtime.--, in [0516]-[0520]), 
	As such, Zimmermann’s disclosures in the paragraphs cited above clearly teach that SDLC provides/generates classification data or classification information.
	Applicant’s arguments referring to Zimmermann’s content in [0516] regarding CSF 100 are irrelevant to the subject matter of the claimed element. Thus, Applicant’s arguments are improper.

	Therefore, claims 1-20 are still not patentably distinguishable over the prior art reference(s). Further discussions are addressed in the prior art rejection section below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Carrier (US 20200210613 A1, DATE FILED: January 2, 2019) in view of Zimmermann (US 20180027006 A1).
Re Claim 1, Carrier discloses a method for providing data protection (see Carrier: e.g., -- data security and, more specifically, a system that provides for pre-firewall data classification of data being received at or transmitted from an enterprise.--, in [0001], --the second data security classification for the each of the determined data elements define one or more rules associated with the protection of the determined data elements, wherein the one or more rules include at least one of (i) rules defining where a data element can be stored, (ii) rules defining where a data element can be used, (iii) rules defining how a data element can be used, (iv) rules defining entities authorized to access or use a data element, (v) rules defining third-party requests to access or use a data element, (vi) rules defining statistical use of a data element, and (vii) rules defining encryption requirements for a data element.--, in [0015]-[0016], and [0020]-[0021]; and, --determines which data owners and/or data associated with the data owners requires classification (e.g., which individuals/customers and/or data is applicable to internal or external regulations) and, subsequently determines the classifications and identifies the classifications in the data file the data owners and data within the data file so that the data can be routed according to the identified classifications.  In specific embodiments machine-learning processing is used to learn, determine and/or predict which data owners and/or data associated with the individual/customers requires classification and the classifications to assign to those data owners and/or data elements--, in abstract),
comprising: 
in an information processing apparatus comprising at least one computer processor:
receiving a plurality of data classification rules (see Carrier: e.g., --  a trusted internal computing network and a firewall that monitors and controls network traffic (i) inbound to the trusted internal computing network from an untrusted external computing network, and (ii) outbound from the trusted internal computing network to the untrusted external computing network based on predetermined security rules.  The network traffic includes data files comprising a plurality data elements, each data element associated with one of one or more data owners.  The system additionally includes a computing platform including a memory and at least one processor in communication with the memory.  The memory stores instructions that are executable by the at least processor prior to or in-line with the firewall monitoring and controlling the network traffic.  The instructions are configured to receive (i) inbound ones of the data files, and (ii) outbound ones of the data files.  Once the data files have been received, the instructions are configured to determine a first data security classification for at least one of the one or more data owners associated with the data elements in the received data files.  In response to determining a first data security classification for at least one of the data owners, the instructions are configured to determine which of the data elements associated with determined data owners require classification and determine a second data security classification for each of the determined data elements.  
The instructions are further configured to identify, within the data file, at least one of (i) the first data security classification for the at least one of the one or more data owners, and (ii) the second data security classification for the each of the determined data elements.--, in [0010], and, --the second data security classification for the each of the determined data elements define one or more rules associated with the protection of the determined data elements, wherein the one or more rules include at least one of (i) rules defining where a data element can be stored, (ii) rules defining where a data element can be used, (iii) rules defining how a data element can be used, (iv) rules defining entities authorized to access or use a data element, (v) rules defining third-party requests to access or use a data element, (vi) rules defining statistical use of a data element, and (vii) rules defining encryption requirements for a data element.--, in [0016]; and, --[0057] In response to determining one or more of the request classification parameters, the instructions 712 determine which request data security classification 902 to assign to the request based on at least one of (i) an entity making the request,… such determinations may be made by accessing a database that lists data owners requiring the data security classification and the data security classification(s) associated with those data owners.  In other embodiments of the system 110, a rules-based engine is implemented to determine which classification rules (and, thus which data security classification) apply to (i) an entity making the request, (ii) an origin (location from which the request originates) associated with the request, (iii) the data owner(s) whose data is being accessed, (iv) one or more actions associated with the request, and/or (v) the data elements (i.e., specific data) that is required to be accessed based on the request.--, in [0057]-[0059]); 
receiving end user data classification from end user software (see Carrier: e.g., -- Once the data files have been received, the instructions are configured to determine a first data security classification for at least one of the one or more data owners associated with the data elements in the received data files.--, in [0010], [0016] and [0057]-[0059]);
although Carrier’s data classification is also applicable for developer data classification (see Carrier: e.g., -- a need exists to develop systems, apparatus, methods or the like for classifying personal data at or before a point of entry/exit within an enterprise.  In this regard, the desired system, apparatus, methods or the like should be capable of determining which individuals/customers and/or data associated with the individual/customers requires classification (e.g., which individuals/customers and/or data falls within the context of internal or external regulations) and, subsequently classify and identify the individuals/customers and data within the data file so that subsequent downstream applications or storage locations, in possession of the data, can acknowledge the individuals/customers and data to insure compliance to the regulations and the like.  By providing for classification at or before entry exit--, in [0006]),
Carrier however does not explicitly disclose receiving developer data classification from SDLC software;
Zimmermann teaches receiving developer data classification from SDLC software  (see Zimmermann: e.g., --  The CSF 100 can provide a base level of functionality for each of these solutions, such that a developer may access benefits of all of them, while focusing on an enhanced or extended version of a particular solution. --, in [0116]-[0118], and, --content analysis services (referred to herein in some cases as Content Analysis as a Service (CaaS), content classification services (CCS) or the like) may be undertaken on a file level or may be applied on a block level…. classification services may provide a number of benefits and capabilities, including scalability, extensibility, robustness, avoidance of single points of failure, processing traceability, flexibility, quality of service (QoS), system behavior monitoring, processing efficiency, and componentization.  As to scalability, the system is able to scale to tackle very demanding requests at high volume. …--, in [0327]-[0328], and, -- A policy endpoint 1704 creates or edits a policy (using any policy creation facility, such as of a platform or of the host of the CSF 100 or through the developer API) and delivers it to a policy storage facility 1706, such as a Postgres database….--, in [0374]-[0377], and, -- The searchable application index 2912 may leverage various inputs, such as a community trust rating 2914 and other inputs 2918, such as web scanning, third party rating sources like indexes provided by Checkpoint.TM.  and others, and human research, as well as any other available types of classification.  Classification may be automatic and/or dynamic (such as by tracking access scopes of the application) and may augment, or be augmented by, human classification and classification information from other sources, such as from the cyber security community.  
Classification may include observation of the behavior of an application, such that an application that performs actions that increase risk may be classified as malicious.  Applications may also be classified using honeypotting techniques, where applications are allowed access to a secure area (such as one that does not have access to real enterprise data) where their behavior can be observed and their riskiness assessed as part of classification.--, in [0431], and, --  A secure SaaS SDLC service may include developer services, features and resources enabled by development environment providers such as GitHub.TM., Slack.TM.  Hipchat.TM., Bitbucket.TM., Confluence.TM., JIRA.TM., as well as out of the box ("OOTB") Dev Policies and response actions….security is extended beyond usage of an application in production to other phases of the lifecycle of the application, such as during design and development and at runtime.--, in [0516]-[0520]);
Carrier and Zimmermann are combinable as they are in the same field of endeavor: providing data protection through data classifications. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify Carrier’s method using Zimmermann’s teachings by including receiving developer data classification from SDLC software in Carrier’s data classification in order to protect data and security as set up or provided by developer software (see Zimmermann: e.g. in [017]-[018], [0327]-[0328], [0374]-[0377], and [0431]);
Carrier as modified by Zimmermann further disclose generating a data inventory (see Carrier: e.g., -- In response to identifying the data owners, the instructions 510 determine which of the identified data owners 602 require the first data security classification 606 and determine which first data security classification 606 to assign those data owners 602.  In specific embodiments of the system, such determinations may be made by accessing a database that lists data owners requiring the first data security classification 606 and the first data security classification(s) 606 to be assigned to those data owners 602. --, in [0047] {herein “a database that lists data owners” is a data inventory}); and
applying at least one data protection to the data inventory based on the data classification rules, the end user data classification, and the developer data classification (see Carrier: e.g., -- only data owners that fall within a specific government regulatory standard and/or meet internal classification/categorization guidelines will require classification/categorization.  Data owners 602 may be identified by verifying one or more identifying data elements 604 in the data file 600, such as name, address, telephone number, account number or the like.  Verification may provide for comparing the data elements 604 in the data file 600 to a source of truth, such as database that federates data owners based on previously verified data owner identifying data, such as verified, name, address, telephone number or the like account number. …. such determinations may be made by accessing a database that lists data owners requiring the first data security classification 606 and the first data security classification(s) 606 to be assigned to those data owners 602. --, in [0046]-[0048]; similarly also see Zimmermann: .e.g., -- a service provider may have a content management system implemented on a cloud platform like Google Drive.TM..  The provider may possess enriched data that could be used in connection with applying policies managed by the CSF 100.  In such a case, the policy automation engine 116 of the CSF 100 can use the criteria defined in the CSF 100, but it can also be configured to use a third party source for additional policy criteria.  Thus, a feed of additional sources of policy criteria can be defined and accessed by a policy API, and one can define that API to pull down those criteria.  
Then, the various modules of the CSF 100 can evaluate a given object or event and consider not only the metadata that is discovered by the CSF 100 but also data relevant to the other policies, such as, for example, information relating to the particular classification of information in a given enterprise, as it relates to the policies of that enterprise.  For this example the enterprise policy API may be used to specify an additional external evaluator for the policy, which will then be used to enrich policy evaluators.--, in [0107]-[0108] {herein “a service provider” is developer, and “enterprise” is user}).

Re Claim 2, Carrier as modified by Zimmermann further disclose wherein the data classification rules are based on at least one of a data use environment, a security context for the data, a subject for the data, and an organizational jurisdiction for the data (see Carrier: e.g., -- only data owners that fall within a specific government regulatory standard and/or meet internal classification/categorization guidelines will require classification/categorization.  Data owners 602 may be identified by verifying one or more identifying data elements 604 in the data file 600, such as name, address, telephone number, account number or the like.  Verification may provide for comparing the data elements 604 in the data file 600 to a source of truth, such as database that federates data owners based on previously verified data owner identifying data, such as verified, name, address, telephone number or the like account number. …. such determinations may be made by accessing a database that lists data owners requiring the first data security classification 606 and the first data security classification(s) 606 to be assigned to those data owners 602. --, in [0046]-[0048]; similarly also see Zimmermann: .e.g., -- a service provider may have a content management system implemented on a cloud platform like Google Drive.TM..  The provider may possess enriched data that could be used in connection with applying policies managed by the CSF 100.  In such a case, the policy automation engine 116 of the CSF 100 can use the criteria defined in the CSF 100, but it can also be configured to use a third party source for additional policy criteria.  Thus, a feed of additional sources of policy criteria can be defined and accessed by a policy API, and one can define that API to pull down those criteria.  
Then, the various modules of the CSF 100 can evaluate a given object or event and consider not only the metadata that is discovered by the CSF 100 but also data relevant to the other policies, such as, for example, information relating to the particular classification of information in a given enterprise, as it relates to the policies of that enterprise.  For this example the enterprise policy API may be used to specify an additional external evaluator for the policy, which will then be used to enrich policy evaluators.--, in [0107]-[0108]).

Re Claim 3, Carrier as modified by Zimmermann further disclose the data classification rules are standardized into a single set of classifications (see Carrier: e.g., -- the instructions 710 include formatting/standardization instructions 720 configured to properly format the requests 900 for subsequent analysis.  Formatting and standardization is needed to accommodate the various different data request channels that provide for the requests to be received in different formats, such as text/word format, audio format and the like.--, in [0074]; similarly, also see Zimmermann: e.g., -- A parse function 632 may include parsing various input formats into a common format.  A common format may be a JSON format.  A parse function 632 may include a standardized format for common fields.  Common fields may be timestamps.  A parse function 632 may connect to a raw message bus sub-component 612. [0190] A unify function 634 may unify common fields from different sources into standardized fields.  Standardized fields may include, for example, ip_address and user_login.  A unify function 634 may also unify event types into a common ontology.  A common ontology may include elements like asset_modify (for information on modification of assets as characterized in various platforms), login (for login information as characterized in various platforms) and login_fail (for tracking failed login attempts as they are tracked in various platforms).—in [0189]-[0190], and, -- This may include the ability to express policy in a standardized language (including based on dictionaries or libraries or other knowledge bases relating to or containing policies that are curated by the enterprise or that are ingested from third party sources).  An enterprise can have the policy translated and deployed consistently, via the cloud security fabric 100, with respect to heterogeneous native platforms and applications.--, in [0362]).


Re Claim 4, Carrier as modified by Zimmermann further disclose wherein the data classification rules are stored in a rules store (see Carrier: e.g., --  a trusted internal computing network and a firewall that monitors and controls network traffic (i) inbound to the trusted internal computing network from an untrusted external computing network, and (ii) outbound from the trusted internal computing network to the untrusted external computing network based on predetermined security rules.  The network traffic includes data files comprising a plurality data elements, each data element associated with one of one or more data owners.  The system additionally includes a computing platform including a memory and at least one processor in communication with the memory.  The memory stores instructions that are executable by the at least processor prior to or in-line with the firewall monitoring and controlling the network traffic.  The instructions are configured to receive (i) inbound ones of the data files, and (ii) outbound ones of the data files.  Once the data files have been received, the instructions are configured to determine a first data security classification for at least one of the one or more data owners associated with the data elements in the received data files.  In response to determining a first data security classification for at least one of the data owners, the instructions are configured to determine which of the data elements associated with determined data owners require classification and determine a second data security classification for each of the determined data elements.  
The instructions are further configured to identify, within the data file, at least one of (i) the first data security classification for the at least one of the one or more data owners, and (ii) the second data security classification for the each of the determined data elements.--, in [0010], and, --the second data security classification for the each of the determined data elements define one or more rules associated with the protection of the determined data elements, wherein the one or more rules include at least one of (i) rules defining where a data element can be stored, (ii) rules defining where a data element can be used, (iii) rules defining how a data element can be used, (iv) rules defining entities authorized to access or use a data element, (v) rules defining third-party requests to access or use a data element, (vi) rules defining statistical use of a data element, and (vii) rules defining encryption requirements for a data element.--, in [0016]; and, --[0057] In response to determining one or more of the request classification parameters, the instructions 712 determine which request data security classification 902 to assign to the request based on at least one of (i) an entity making the request,… such determinations may be made by accessing a database that lists data owners requiring the data security classification and the data security classification(s) associated with those data owners.  
In other embodiments of the system 110, a rules-based engine is implemented to determine which classification rules (and, thus which data security classification) apply to (i) an entity making the request, (ii) an origin (location from which the request originates) associated with the request, (iii) the data owner(s) whose data is being accessed, (iv) one or more actions associated with the request, and/or (v) the data elements (i.e., specific data) that is required to be accessed based on the request.--, in [0057]-[0059]; and, -- only data owners that fall within a specific government regulatory standard and/or meet internal classification/categorization guidelines will require classification/categorization.  Data owners 602 may be identified by verifying one or more identifying data elements 604 in the data file 600, such as name, address, telephone number, account number or the like.  Verification may provide for comparing the data elements 604 in the data file 600 to a source of truth, such as database that federates data owners based on previously verified data owner identifying data, such as verified, name, address, telephone number or the like account number. …. such determinations may be made by accessing a database that lists data owners requiring the first data security classification 606 and the first data security classification(s) 606 to be assigned to those data owners 602. --, in [0046]-[0048]; similarly also see Zimmermann: .e.g., -- a service provider may have a content management system implemented on a cloud platform like Google Drive.TM..  The provider may possess enriched data that could be used in connection with applying policies managed by the CSF 100.  In such a case, the policy automation engine 116 of the CSF 100 can use the criteria defined in the CSF 100, but it can also be configured to use a third party source for additional policy criteria.  
Thus, a feed of additional sources of policy criteria can be defined and accessed by a policy API, and one can define that API to pull down those criteria.  Then, the various modules of the CSF 100 can evaluate a given object or event and consider not only the metadata that is discovered by the CSF 100 but also data relevant to the other policies, such as, for example, information relating to the particular classification of information in a given enterprise, as it relates to the policies of that enterprise.  For this example the enterprise policy API may be used to specify an additional external evaluator for the policy, which will then be used to enrich policy evaluators.--, in [0107]-[0108]).

Re Claim 5, Carrier as modified by Zimmermann further disclose wherein the rules to detect an in-scope document are based on one of a data pattern in the document, an attribute of an author of the document, a source of the data, and a creation environment for the document (see Carrier: e.g., --  a trusted internal computing network and a firewall that monitors and controls network traffic (i) inbound to the trusted internal computing network from an untrusted external computing network, and (ii) outbound from the trusted internal computing network to the untrusted external computing network based on predetermined security rules.  The network traffic includes data files comprising a plurality data elements, each data element associated with one of one or more data owners.  The system additionally includes a computing platform including a memory and at least one processor in communication with the memory.  The memory stores instructions that are executable by the at least processor prior to or in-line with the firewall monitoring and controlling the network traffic.  The instructions are configured to receive (i) inbound ones of the data files, and (ii) outbound ones of the data files.  Once the data files have been received, the instructions are configured to determine a first data security classification for at least one of the one or more data owners associated with the data elements in the received data files.  In response to determining a first data security classification for at least one of the data owners, the instructions are configured to determine which of the data elements associated with determined data owners require classification and determine a second data security classification for each of the determined data elements.  
The instructions are further configured to identify, within the data file, at least one of (i) the first data security classification for the at least one of the one or more data owners, and (ii) the second data security classification for the each of the determined data elements.--, in [0010], and, --the second data security classification for the each of the determined data elements define one or more rules associated with the protection of the determined data elements, wherein the one or more rules include at least one of (i) rules defining where a data element can be stored, (ii) rules defining where a data element can be used, (iii) rules defining how a data element can be used, (iv) rules defining entities authorized to access or use a data element, (v) rules defining third-party requests to access or use a data element, (vi) rules defining statistical use of a data element, and (vii) rules defining encryption requirements for a data element.--, in [0016]; and, --[0057] In response to determining one or more of the request classification parameters, the instructions 712 determine which request data security classification 902 to assign to the request based on at least one of (i) an entity making the request,… such determinations may be made by accessing a database that lists data owners requiring the data security classification and the data security classification(s) associated with those data owners.  
In other embodiments of the system 110, a rules-based engine is implemented to determine which classification rules (and, thus which data security classification) apply to (i) an entity making the request, (ii) an origin (location from which the request originates) associated with the request, (iii) the data owner(s) whose data is being accessed, (iv) one or more actions associated with the request, and/or (v) the data elements (i.e., specific data) that is required to be accessed based on the request.--, in [0057]-[0059] and, -- only data owners that fall within a specific government regulatory standard and/or meet internal classification/categorization guidelines will require classification/categorization.  Data owners 602 may be identified by verifying one or more identifying data elements 604 in the data file 600, such as name, address, telephone number, account number or the like.  Verification may provide for comparing the data elements 604 in the data file 600 to a source of truth, such as database that federates data owners based on previously verified data owner identifying data, such as verified, name, address, telephone number or the like account number. …. such determinations may be made by accessing a database that lists data owners requiring the first data security classification 606 and the first data security classification(s) 606 to be assigned to those data owners 602. --, in [0046]-[0048]; similarly also see Zimmermann: e.g., -- a service provider may have a content management system implemented on a cloud platform like Google Drive.TM..  The provider may possess enriched data that could be used in connection with applying policies managed by the CSF 100.  In such a case, the policy automation engine 116 of the CSF 100 can use the criteria defined in the CSF 100, but it can also be configured to use a third party source for additional policy criteria.
Thus, a feed of additional sources of policy criteria can be defined and accessed by a policy API, and one can define that API to pull down those criteria.  Then, the various modules of the CSF 100 can evaluate a given object or event and consider not only the metadata that is discovered by the CSF 100 but also data relevant to the other policies, such as, for example, information relating to the particular classification of information in a given enterprise, as it relates to the policies of that enterprise.  For this example the enterprise policy API may be used to specify an additional external evaluator for the policy, which will then be used to enrich policy evaluators.--, in [0107]-[0108]).

Re Claim 6, Carrier as modified by Zimmermann further disclose comprising specifying a data lookup criteria, wherein the data lookup criteria specifies a data match to a logical attribute or data subject based on at least one of a data pattern and a data value (see Zimmermann: e.g., -- a policy API, associated with the policy automation engine 116, comprises one of the members of the family of enterprise APIs 104.  This allows an enterprise to update policy criteria through APIs 104.  As the enterprise continuously updates its policies, the APIs 104 can access the updates and implement a workflow to automatically update policies, including policies implemented by the policy automation engine 116 of the CSF 100.--, in [0104], -- enrich the data stream with various additional data and metadata elements, such as by creating additional layers of data on top of the raw data collected.  The additional layers of data may include data such as geo-location resolution, IP/URL parsing, user-agent parsing, and any user/group data lookups that may be required to augment the event data, such as allowing the downstream subsystems to process the event data with minimal effort.--, in [0169], and, -- The tools for detection of implementation considerations for behavior by an authorized application may be based on quantity, for example an application that does too much may be suspect.  Too much of a quantity may be indicated by too many downloads, too many sharing events and/or too many failed resource access attempts.  The tools for detection or implementation considerations for an authorized application may use rule-based criteria.  In addition application activity can be tracked through the target data or users it is trying to access.--, in [0294]; and, -- For example, such files might be processed based on various criteria, such as file names, metadata, or the like.  The extractors 912 may comprise a parser, such as an Apache Tikka.TM. parser, Java components, and an interface, which may be a REST interface.  A request may parse text, such as from a file or block from a given cache buffer location.  The extractor may obtain files from the content buffer 910, extract text from files or blocks, and return extracted text, such as to analyzers.--, in [0332]; and, -- [0377] The policy automation engine 116 may apply the policy in connection with input from or information exchanged with a criteria evaluator 1714 and may also interact with the content classification component of the CSF 100 or other content classifier, which is described elsewhere in this disclosure.  In embodiments, the policy automation engine 116 may primarily consist of a class called PolicyEngine.  In embodiments, the class may be instantiated with a list of policies, a URL generator function and a callback to generate content parts.  An evaluate_policies( ) function may then perform the work of evaluating a given entity based on those policies.  The policy automation engine 116 itself may perform two major tasks.  First, it passes the object content or URL to the content classification service of the CSF 100 or other classifier for content scanning (if any content criteria are present in the policies).  Matches from the CaaS, entity data, and ACL data are then passed to a set of CriteriaEvaluators 1714, which evaluate the data in the context of one or more criteria associated with each policy. [0378] If an entity passes criteria for a given policy, it may be passed to a store_incident function, which determines if a new incident should be raised or an existing incident updated.  Based on application of policies, the engine may generate incidents 1720, which may be ingested by the enterprise, such as through APIs, for handling in various incident response systems.--, in [0377]-[0378]).

Re Claim 7, Carrier as modified by Zimmermann further disclose receiving a data description from a developer for the data, wherein the data description describes the data using at least one stable term (see Zimmermann: e.g., --The provider may possess enriched data that could be used in connection with applying policies managed by the CSF 100.  In such a case, the policy automation engine 116 of the CSF 100 can use the criteria defined in the CSF 100, but it can also be configured to use a third party source for additional policy criteria.  Thus, a feed of additional sources of policy criteria can be defined and accessed by a policy API, and one can define that API to pull down those criteria.  Then, the various modules of the CSF 100 can evaluate a given object or event and consider not only the metadata that is discovered by the CSF 100 but also data relevant to the other policies, such as, for example, information relating to the particular classification of information in a given enterprise, as it relates to the policies of that enterprise.  For this example the enterprise policy API may be used to specify an additional external evaluator for the policy, which will then be used to enrich policy evaluators. [0108] Another family of APIs provides connections between the CSF 100 and various cloud platforms (including cloud applications, infrastructure as a service platforms, IDaaS platforms, and others).  These connector APIs 108 allow the CSF 100 to interact with and discover user accounts, data, event logs, applications and configuration in cloud platforms and in the applications that run on them or are developed on them.--, in [0107]-[0108]; --  The CSF 100 can provide a base level of functionality for each of these solutions, such that a developer may access benefits of all of them, while focusing on an enhanced or extended version of a particular solution. --, in [0116]-[0118], and, --content analysis services (referred to herein in some cases as Content Analysis as a Service (CaaS), content classification services (CCS) or the like) may be undertaken on a file level or may be applied on a block level…. classification services may provide a number of benefits and capabilities, including scalability, extensibility, robustness, avoidance of single points of failure, processing traceability, flexibility, quality of service (QoS), system behavior monitoring, processing efficiency, and componentization.  As to scalability, the system is able to scale to tackle very demanding requests at high volume. …--, in [0327]-[0328], and, -- A policy endpoint 1704 creates or edits a policy (using any policy creation facility, such as of a platform or of the host of the CSF 100 or through the developer API) and delivers it to a policy storage facility 1706, such as a Postgres database….--, in [0374]-[0377], and, -- The searchable application index 2912 may leverage various inputs, such as a community trust rating 2914 and other inputs 2918, such as web scanning, third party rating sources like indexes provided by Checkpoint.TM.  and others, and human research, as well as any other available types of classification.  Classification may be automatic and/or dynamic (such as by tracking access scopes of the application) and may augment, or be augmented by, human classification and classification information from other sources, such as from the cyber security community.  Classification may include observation of the behavior of an application, such that an application that performs actions that increase risk may be classified as malicious.
Applications may also be classified using honeypotting techniques, where applications are allowed access to a secure area (such as one that does not have access to real enterprise data) where their behavior can be observed and their riskiness assessed as part of classification.--, in [0431], and, --  A secure SaaS SDLC service may include developer services, features and resources enabled by development environment providers such as GitHub.TM., Slack.TM.  Hipchat.TM., Bitbucket.TM., Confluence.TM., JIRA.TM., as well as out of the box ("OOTB") Dev Policies and response actions….security is extended beyond usage of an application in production to other phases of the lifecycle of the application, such as during design and development and at runtime.--, in [0516]-[0520]).

Re Claim 8, Carrier as modified by Zimmermann further disclose wherein the end user software automatically classifies unstructured data (see Carrier: e.g., -- a need exists to develop systems, apparatus, methods or the like for classifying personal data at or before a point of entry/exit within an enterprise.  In this regard, the desired system, apparatus, methods or the like should be capable of determining which individuals/customers and/or data associated with the individual/customers requires classification (e.g., which individuals/customers and/or data falls within the context of internal or external regulations) and, subsequently classify and identify the individuals/customers and data within the data file so that subsequent downstream applications or storage locations, in possession of the data, can acknowledge the individuals/customers and data to insure compliance to the regulations and the like.  By providing for classification at or before entry exit--, in [0006]; also see Zimmermann: e.g., --The machine learning engine will also be able to classify and identify the sensitive data of a user, a group and/or an organization. ….entity behavioral use cases (e.g. binary classification of usage as human or machine, correlation of entity behaviors, and excessive usage or data extraction by machines); entity access patterns (such as behavior of particular endpoints), including classifying user and entity access, correlation of specific applications where applicable, and providing alerts on anomalies in entity usage; and classification and protection of sensitive information (such as using NLP to surface sensitive topics, tracking access and actions around sensitive documents, and surfacing "out of normal" access to sensitive content.--, in [0568]-[0574]).

Re Claim 9, Carrier as modified by Zimmermann further disclose wherein the end user software automatically classifies unstructured data based a prior classification (see Carrier: e.g., -- a need exists to develop systems, apparatus, methods or the like for classifying personal data at or before a point of entry/exit within an enterprise.  In this regard, the desired system, apparatus, methods or the like should be capable of determining which individuals/customers and/or data associated with the individual/customers requires classification (e.g., which individuals/customers and/or data falls within the context of internal or external regulations) and, subsequently classify and identify the individuals/customers and data within the data file so that subsequent downstream applications or storage locations, in possession of the data, can acknowledge the individuals/customers and data to insure compliance to the regulations and the like.  By providing for classification at or before entry exit--, in [0006]; also see Zimmermann: e.g., -- One such way is using service APIs (with some knowledge of structure behind them), and another way is scanning simpler things like event logs (which are semi-structured).  There is a value one can obtain without understanding the structure.  For example, one can give generic reporting and searching on activities occurring using APIs of various platforms by identified users, including trends, frequency analysis and the like to indicate anomalies.  With a relatively simple layer of field mapping (e.g., mapping a particular user to a particular account and mapping a set of events to event types) one can provide considerable insight into security risks, threats and behavior.  For example, one can provide basic frequency analysis, rules and anomaly detection around login events, which is an easier starting point than trying to understand an entire structure of a file system.  
Thus, processing events, such as user behavior modeling, allows one to obtain value from the CSF 100 without fully scanning a file structure.--, in [0110], and, -- An advantage of this approach is that it does not necessitate any external data-structure.  The evaluation tree becomes implicit in the policy criteria themselves. [0398] There are many examples for consolidating criteria evaluation, some of which are provided below.  Perhaps the simplest of existing criteria is the Metadata criteria type.  This criteria evaluates "true" if any key and value in the entity matches any key and value in the criteria extras. [0399] In one example, CriteriaResult is a simple container class for storing the results of a criteria evaluation.  The primary usage of this container is to capture additional metadata about the match that may be produced by content examination, such as context, number of literal matches, or other descriptive information.--, in [0397]-[0399];  --The machine learning engine will also be able to classify and identify the sensitive data of a user, a group and/or an organization. ….entity behavioral use cases (e.g. binary classification of usage as human or machine, correlation of entity behaviors, and excessive usage or data extraction by machines); entity access patterns (such as behavior of particular endpoints), including classifying user and entity access, correlation of specific applications where applicable, and providing alerts on anomalies in entity usage; and classification and protection of sensitive information (such as using NLP to surface sensitive topics, tracking access and actions around sensitive documents, and surfacing "out of normal" access to sensitive content.--, in [0568]-[0574]).

Re Claim 10, Carrier as modified by Zimmermann further disclose confirming the end user software automatic classification (see Zimmermann: e.g., -- The searchable application index 2912 may leverage various inputs, such as a community trust rating 2914 and other inputs 2918, such as web scanning, third party rating sources like indexes provided by Checkpoint.TM.  and others, and human research, as well as any other available types of classification.  Classification may be automatic and/or dynamic (such as by tracking access scopes of the application) and may augment, or be augmented by, human classification and classification information from other sources, such as from the cyber security community.  Classification may include observation of the behavior of an application, such that an application that performs actions that increase risk may be classified as malicious.  Applications may also be classified using honeypotting techniques, where applications are allowed access to a secure area (such as one that does not have access to real enterprise data) where their behavior can be observed and their riskiness assessed as part of classification.  The index 2912 can include the mapping 2928 of the destinations by which the application can be accessed, such as URLs in cloud environments 2902, network addresses (e.g., IP addresses) on an enterprise network 2904, and addresses used by various services 2908 to access the application.  In many cases an address doesn't clearly say what the application is, or what the address really is.  For example, it might be a string like "dfb/docx/app1." The mapping facility 2928 may be used to map a string used to access an application to what it really is (e.g., a particular application accessed on a Dropbox domain).  The mapping facility 2928 allows mapping various identifiers to an application, so that all of them can be shown as relating to one application.  
In embodiments, mapping of such information may be automated, such as by providing natural language processing, which may be aided by human input, such as by training a machine learning facility to recognize and classify addresses as being associated with an application, using examples that are validated by human classifiers.  Mapping of applications and URLs may include using sets of attributes that work as signatures for an application (such as recognizable features), which in turn can be used to unify entities, such as associating various URLs with an application, or associating various versions of an application (such as on different platforms) as being associated with the same application.  In embodiments, an automated categorization engine may be used to categorize applications, such as based on feature that can be extracted automatically from on-network and cloud environments, such as URLs, attributes, and categories.  In embodiments, users may update the application index 2912 directly, such as by indicating information that has been obtained based on actual experience with an application.  For example, an application that is not widely trusted by the community, because it is new, may be upgraded to an improved risk score if the security personnel or other users of an enterprise have confirmed that the application is safe for the enterprise.--, in [0431]-[0433]; and, -- the platform 6500 can be used to generate an activity map 66300, which can identify that particular applications are accessing enterprise data, and even that some access is by a human using an application, while other access is by a machine-to-machine connection.  
This can be accomplished by training the machine learning engine 6510 to classify different types of access, such as by feeding it data sets for large numbers of access events across various platforms and feeding it confirmed classifications for events that have known classifications (such as ones that have been done manually, such as classifying one access type as by a human and another as by a machine).  To enable machine learning, various attributes may be associated with collected event data for access events, so that the machine learning system can operate on the different attributes to learn what combinations of attributes tend to correspond to a given classification.  Events and pre-determined classifications are used to seed the learning model, which iterates on additional data to attempt to classify additional events.  These classification events are validate or not, such as by human feedback, and the learning model iterates (such as by adjusting weights given to different attributes), until it becomes sufficiently effective to provide an automated classification of the access type.--, in [0563]).

Re Claim 11, Carrier as modified by Zimmermann further disclose wherein the developer data classification comprises a developer classification and a datastore discovery classification (see Zimmermann: e.g., --The provider may possess enriched data that could be used in connection with applying policies managed by the CSF 100.  In such a case, the policy automation engine 116 of the CSF 100 can use the criteria defined in the CSF 100, but it can also be configured to use a third party source for additional policy criteria.  Thus, a feed of additional sources of policy criteria can be defined and accessed by a policy API, and one can define that API to pull down those criteria.  Then, the various modules of the CSF 100 can evaluate a given object or event and consider not only the metadata that is discovered by the CSF 100 but also data relevant to the other policies, such as, for example, information relating to the particular classification of information in a given enterprise, as it relates to the policies of that enterprise.  For this example the enterprise policy API may be used to specify an additional external evaluator for the policy, which will then be used to enrich policy evaluators. [0108] Another family of APIs provides connections between the CSF 100 and various cloud platforms (including cloud applications, infrastructure as a service platforms, IDaaS platforms, and others).  These connector APIs 108 allow the CSF 100 to interact with and discover user accounts, data, event logs, applications and configuration in cloud platforms and in the applications that run on them or are developed on them.--, in [0107]-[0108]; --  The CSF 100 can provide a base level of functionality for each of these solutions, such that a developer may access benefits of all of them, while focusing on an enhanced or extended version of a particular solution. --, in [0116]-[0118], and, --content analysis services (referred to herein in some cases as Content Analysis as a Service (CaaS), content classification services (CCS) or the like) may be undertaken on a file level or may be applied on a block level…. classification services may provide a number of benefits and capabilities, including scalability, extensibility, robustness, avoidance of single points of failure, processing traceability, flexibility, quality of service (QoS), system behavior monitoring, processing efficiency, and componentization.  As to scalability, the system is able to scale to tackle very demanding requests at high volume. …--, in [0327]-[0328], and, -- A policy endpoint 1704 creates or edits a policy (using any policy creation facility, such as of a platform or of the host of the CSF 100 or through the developer API) and delivers it to a policy storage facility 1706, such as a Postgres database….--, in [0374]-[0377], and, -- The searchable application index 2912 may leverage various inputs, such as a community trust rating 2914 and other inputs 2918, such as web scanning, third party rating sources like indexes provided by Checkpoint.TM.  and others, and human research, as well as any other available types of classification.  Classification may be automatic and/or dynamic (such as by tracking access scopes of the application) and may augment, or be augmented by, human classification and classification information from other sources, such as from the cyber security community.  Classification may include observation of the behavior of an application, such that an application that performs actions that increase risk may be classified as malicious.
Applications may also be classified using honeypotting techniques, where applications are allowed access to a secure area (such as one that does not have access to real enterprise data) where their behavior can be observed and their riskiness assessed as part of classification.--, in [0431], and, --  A secure SaaS SDLC service may include developer services, features and resources enabled by development environment providers such as GitHub.TM., Slack.TM.  Hipchat.TM., Bitbucket.TM., Confluence.TM., JIRA.TM., as well as out of the box ("OOTB") Dev Policies and response actions….security is extended beyond usage of an application in production to other phases of the lifecycle of the application, such as during design and development and at runtime.--, in [0516]-[0520]).

Re Claim 12, Carrier as modified by Zimmermann further disclose the SDLC classification comprises an enduser classification and a filestore discovery classification (see Zimmermann: e.g., -- A secure SaaS SDLC service may include developer services, features and resources enabled by development environment providers such as GitHub.TM., Slack.TM.  Hipchat.TM., Bitbucket.TM., Confluence.TM., JIRA.TM., as well as out of the box ("OOTB") Dev Policies and response actions.  Other features may include application awareness, EC2 logging (such as for UBA), packaging and onboarding, and key management (such as for each platform).  In embodiments, security is extended beyond usage of an application in production to other phases of the lifecycle of the application, such as during design and development and at runtime.  For example, resources used by developers (like github.TM.) to store code files may be scanned for sensitive content during the software design process, conversations in forums like Slack.TM.  can be scanned for sensitive content, and tickets in ticketing systems like Jira.TM.  can be tracked.--, in [0516]).

Re Claim 13, Carrier as modified by Zimmermann further disclose the data inventory comprises the end user classification and the SDLC classification for the data (see Zimmermann: e.g., --The provider may possess enriched data that could be used in connection with applying policies managed by the CSF 100.  In such a case, the policy automation engine 116 of the CSF 100 can use the criteria defined in the CSF 100, but it can also be configured to use a third party source for additional policy criteria.  Thus, a feed of additional sources of policy criteria can be defined and accessed by a policy API, and one can define that API to pull down those criteria.  Then, the various modules of the CSF 100 can evaluate a given object or event and consider not only the metadata that is discovered by the CSF 100 but also data relevant to the other policies, such as, for example, information relating to the particular classification of information in a given enterprise, as it relates to the policies of that enterprise.  For this example the enterprise policy API may be used to specify an additional external evaluator for the policy, which will then be used to enrich policy evaluators. [0108] Another family of APIs provides connections between the CSF 100 and various cloud platforms (including cloud applications, infrastructure as a service platforms, IDaaS platforms, and others).  These connector APIs 108 allow the CSF 100 to interact with and discover user accounts, data, event logs, applications and configuration in cloud platforms and in the applications that run on them or are developed on them.--, in [0107]-[0108]; --  The CSF 100 can provide a base level of functionality for each of these solutions, such that a developer may access benefits of all of them, while focusing on an enhanced or extended version of a particular solution. --, in [0116]-[0118], and, --content analysis services (referred to herein in some cases as Content Analysis as a Service (CaaS), content classification services (CCS) or the like) may be undertaken on a file level or may be applied on a block level…. classification services may provide a number of benefits and capabilities, including scalability, extensibility, robustness, avoidance of single points of failure, processing traceability, flexibility, quality of service (QoS), system behavior monitoring, processing efficiency, and componentization.  As to scalability, the system is able to scale to tackle very demanding requests at high volume. …--, in [0327]-[0328], and, -- A policy endpoint 1704 creates or edits a policy (using any policy creation facility, such as of a platform or of the host of the CSF 100 or through the developer API) and delivers it to a policy storage facility 1706, such as a Postgres database….--, in [0374]-[0377], and, -- The searchable application index 2912 may leverage various inputs, such as a community trust rating 2914 and other inputs 2918, such as web scanning, third party rating sources like indexes provided by Checkpoint.TM.  and others, and human research, as well as any other available types of classification.  Classification may be automatic and/or dynamic (such as by tracking access scopes of the application) and may augment, or be augmented by, human classification and classification information from other sources, such as from the cyber security community.  Classification may include observation of the behavior of an application, such that an application that performs actions that increase risk may be classified as malicious.
Applications may also be classified using honeypotting techniques, where applications are allowed access to a secure area (such as one that does not have access to real enterprise data) where their behavior can be observed and their riskiness assessed as part of classification.--, in [0431], and, --  A secure SaaS SDLC service may include developer services, features and resources enabled by development environment providers such as GitHub.TM., Slack.TM.  Hipchat.TM., Bitbucket.TM., Confluence.TM., JIRA.TM., as well as out of the box ("OOTB") Dev Policies and response actions….security is extended beyond usage of an application in production to other phases of the lifecycle of the application, such as during design and development and at runtime.--, in [0516]-[0520]).

Re Claim 14, Carrier as modified by Zimmermann further disclose the data inventory comprises a protection state for the data (see Carrier: e.g., -- provides for data protection (i.e., data or data owners that require classification/categorization is performed before the data (i) enters the trusted internal computing network 200 from the untrusted external computing network 400, and/or (ii) exits the internal computing network 200 to the untrusted external computing network 400.  Such classification/categorization of data requiring such classification/categorization at the point of entry (i.e., in-line with or prior to the firewall 310) adds a level of assurance that once the data enters and/or exits the trusted internal computing network, the data is accessed/stored or meets or other criteria associated with the classification/categorization regardless of which internal application/system receives the data and/or which external entity receives the data.--, in [0043]; also see Zimmermann: e.g., -- the platform 500 architecture, data that may be exposed and collected as snapshot information due to API, vendor or commercial limitations may be translated and injected into a unified event stream that may be inspected by all interested parties, for example, it may be used in a Policy Engine for policy violations.  Incidents may be based off of events, which may relate to specific states of files, documents or other pieces of data.--, in [0249]).

Re Claim 15, Carrier as modified by Zimmermann further disclose the data inventory comprises a compliance state for the data (see Carrier: e.g., -- provides for data protection (i.e., data or data owners that require classification/categorization is performed before the data (i) enters the trusted internal computing network 200 from the untrusted external computing network 400, and/or (ii) exits the internal computing network 200 to the untrusted external computing network 400.  Such classification/categorization of data requiring such classification/categorization at the point of entry (i.e., in-line with or prior to the firewall 310) adds a level of assurance that once the data enters and/or exits the trusted internal computing network, the data is accessed/stored or meets or other criteria associated with the classification/categorization regardless of which internal application/system receives the data and/or which external entity receives the data.--, in [0043]; --determining which individuals/customers and/or data associated with the individual/customers requires classification (e.g., which individuals/customers and/or data is applicable to internal or external regulations) and, subsequently classify and identify the individuals/customers and data within the data file so that the data can be routed according to the identified classifications (i.e., subsequent downstream applications or storage locations, in possession of the data, can acknowledge the individuals/customers and data to insure compliance to the regulations and the like).  By providing for classification in-line with or pre-firewall the present invention is able to insure that data which requires special handling is not distributed throughout the enterprise absent knowledge of the need to implement the rules associated with the internal/external standards and regulations. 
--, in [0006], [0009], and [0039]; also see Zimmermann: e.g., --Important cyber security use cases and features may also include privilege management, configuration management, dealing with Oauth spearphishing, cyber security management, risk management, education, incident management, API integration, visualization of user behavior, risk assessment, adaptive security management, community features, forensics and compliance.--, in [0134]; -- the platform 500 architecture, data that may be exposed and collected as snapshot information due to API, vendor or commercial limitations may be translated and injected into a unified event stream that may be inspected by all interested parties, for example, it may be used in a Policy Engine for policy violations.  Incidents may be based off of events, which may relate to specific states of files, documents or other pieces of data.--, in [0249]).

Re Claim 16, Carrier as modified by Zimmermann further disclose wherein the data protection that is applied is a data protection level selected from the group consisting of baseline protection, enhanced protection, and full lifecycle data protection (see Carrier: e.g., -- provides for data protection (i.e., data or data owners that require classification/categorization is performed before the data (i) enters the trusted internal computing network 200 from the untrusted external computing network 400, and/or (ii) exits the internal computing network 200 to the untrusted external computing network 400.  Such classification/categorization of data requiring such classification/categorization at the point of entry (i.e., in-line with or prior to the firewall 310) adds a level of assurance that once the data enters and/or exits the trusted internal computing network, the data is accessed/stored or meets or other criteria associated with the classification/categorization regardless of which internal application/system receives the data and/or which external entity receives the data.--, in [0043]; also see Zimmermann: e.g., -- the platform 500 architecture, data that may be exposed and collected as snapshot information due to API, vendor or commercial limitations may be translated and injected into a unified event stream that may be inspected by all interested parties, for example, it may be used in a Policy Engine for policy violations.  Incidents may be based off of events, which may relate to specific states of files, documents or other pieces of data.--, in [0249]).

Re Claim 17, Carrier as modified by Zimmermann further disclose an encryption level is associated with each data protection level (see Carrier: e.g., -- the second data security classification for the each of the determined data elements define one or more rules associated with the protection of the determined data elements, wherein the one or more rules include at least one of (i) rules defining where a data element can be stored, (ii) rules defining where a data element can be used, (iii) rules defining how a data element can be used, (iv) rules defining entities authorized to access or use a data element, (v) rules defining third-party requests to access or use a data element, (vi) rules defining statistical use of a data element, and (vii) rules defining encryption requirements for a data element.--, in [0016], and claim 13).

Re Claim 18, Carrier as modified by Zimmermann further disclose integrating the applied data protection with a third party (see Carrier: e.g., -- data security and, more specifically, a system that provides for pre-firewall data classification of data being received at or transmitted from an enterprise.--, in [0001], --the second data security classification for the each of the determined data elements define one or more rules associated with the protection of the determined data elements, wherein the one or more rules include at least one of (i) rules defining where a data element can be stored, (ii) rules defining where a data element can be used, (iii) rules defining how a data element can be used, (iv) rules defining entities authorized to access or use a data element, (v) rules defining third-party requests to access or use a data element, (vi) rules defining statistical use of a data element, and (vii) rules defining encryption requirements for a data element.--, in [0015]-[0016], and [0020]-[0021]; also (see Zimmermann: e.g., --The provider may possess enriched data that could be used in connection with applying policies managed by the CSF 100.  In such a case, the policy automation engine 116 of the CSF 100 can use the criteria defined in the CSF 100, but it can also be configured to use a third party source for additional policy criteria.  Thus, a feed of additional sources of policy criteria can be defined and accessed by a policy API, and one can define that API to pull down those criteria.  Then, the various modules of the CSF 100 can evaluate a given object or event and consider not only the metadata that is discovered by the CSF 100 but also data relevant to the other policies, such as, for example, information relating to the particular classification of information in a given enterprise, as it relates to the policies of that enterprise.
For this example the enterprise policy API may be used to specify an additional external evaluator for the policy, which will then be used to enrich policy evaluators. [0108] Another family of APIs provides connections between the CSF 100 and various cloud platforms (including cloud applications, infrastructure as a service platforms, IDaaS platforms, and others).  These connector APIs 108 allow the CSF 100 to interact with and discover user accounts, data, event logs, applications and configuration in cloud platforms and in the applications that run on them or are developed on them.--, in [0107]-[0108]).

Re Claim 19, Carrier as modified by Zimmermann further disclose defining a plurality of rules to detect an in-scope document (see Zimmermann: e.g., -- Each ACL may map a scope a user, usually and a role.  A scope may be a user.  A role may be an owner, viewer, editor and the like. [0230] An incident may be a result of a policy that was triggered upon the review of a certain piece of data.  An incident may have various date stamps, type, severity, cardinality, and a plurality of references into a single entity, a policy that triggered it and a product application. [0231] An incident may have multiple incident detail records associated with it.  These multiple incident detail records may be individual matches for a policy, such as social security numbers or credit card numbers. 
[0232] An entity may be recorded in the platform 500 only when an incident is created that may rely upon the entity. --, in [0229]-[0233], and, -- The tools for detection of implementation considerations for behavior by an authorized application may be based on quantity, for example an application that does too much may be suspect.  Too much of a quantity may be indicated by too many downloads, too many sharing events and/or too many failed resource access attempts.  The tools for detection or implementation considerations for an authorized application may use rule-based criteria.  In addition application activity can be tracked through the target data or users it is trying to access.--, in [0294]).

Re Claim 20, Carrier as modified by Zimmermann further disclose the data protection specifies at least one of who can access the data, where the data may be stored, transmitted, or transacted, a maximum and minimum data retention period, and technical controls placed on the data (see Zimmermann: e.g., -- UBA use cases may include a compromised account use case, an unusual activity use case, a malicious applications use case, an inactive accounts use case, a crawler/bot activity use case and a collection and retention use case.--, in [0263], and, -- A collection and retention use case may collect and retain event log data from SaaS vendors.  Enterprises may require access to raw event log data made available by SaaS vendors for long periods dictated by compliance, forensics and vaulting requirements.--, in [0312]-[0319]).

Conclusion
Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WEI WEN YANG whose telephone number is (571)270-5670.  The examiner can normally be reached on 8:00 - 5:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Matthew Bella can be reached on 571-272-7778.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/WEI WEN YANG/
Primary Examiner, Art Unit 2667