DETAILED ACTION
Response to Amendment
This action is in response to amendment filed May 12, 2021 for the application # 16/291,327. Claims 1, 3-9 are pending and are directed toward METHOD OF INTEGRATING AN ORGANIZATIONAL SECURITY SYSTEM.
Any claim objection/rejection not repeated below is withdrawn due to Applicant's amendment.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Response to Arguments
Applicant’s arguments with regard to claims 1, 3-9 have been fully considered, but they are moot because of new grounds of rejection, and not persuasive with regard to the Tokutani reference.
“before” argument – Applicant argues that claim 1 has been revised to emphasize the timing of the method steps of the present invention. In general terms, the steps of the present invention are preemptive. They take place before a user is granted any access to organizational databases. They take place before a user's profile is created and finalized. They take place before there is 
Response: As a preliminary matter, there is no explicit support for “take place before” and “preemptive” in Applicant’s Specification. Second, it should be appreciated that a user cannot violate rules that were not established. Third, as follows at least from FIG. 5B of the Drawings, step 514 COMPARE and step 516 REMOVE happen not before but after SECURITY COMPLIANCE VIOLATIONS 512.
Conclusion - Therefore, in view of the above reasons, Examiner maintains rejections.
Specification
The amendment filed on August 28, 2012 is objected to under 35 U.S.C. 132(a) because it introduces new matter into the disclosure.  35 U.S.C. 132(a) states that no amendment shall introduce new matter into the disclosure of the invention.  The added material which is not supported by the original disclosure is as follows: “before there is any unauthorized access”.
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required:
Claim 1 includes the recitation “before there is any unauthorized access”, but there is no antecedent basis for the claimed term “before there is any unauthorized access” within the original specification.
Applicant is required to cancel the new matter in the reply to this Office Action.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), first paragraph:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 1 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 1 includes the limitation “before there is any unauthorized access”, and the Applicant’s amendment does not point to the original specification as providing support for the limitation. Nowhere in the specification does Applicant use the term “before there is any unauthorized access”. Consequently, Examiner considers Applicant was not in possession of the claimed invention at the time of the filing date.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the 

Claims 1 and 3-7 are rejected under 35 U.S.C. 103 as being unpatentable over Tokutani et al. (US 2009/0300711, Pub. Date: Dec. 3, 2009), in view of Gheorghe (Security Policy Enforcement in Service-Oriented Middleware, PhD Dissertation, December 2011, 239 pages), hereinafter referred to as Tokutani and Gheorghe.
As per claim 1, Tokutani teaches a method of integrating an organizational security system (FIG. 1 is a block diagram depicting a configuration example of an integrated security managing system having an access control policy compliance checking mechanism, Tokutani, [0012]) comprising the steps of:
a. providing an access management process for an organization comprising a plurality of servers (an integrated access control information managing unit 110 for distributing/collecting an access control policy (hereinafter referred to as a policy as needed) for performing an access control for servers A, B and C, Tokutani, [0071]) and databases (The resources are management targets of the integrated security managing system 100 according to this embodiment, and are constituent elements that configure each server or run on each server. The resources are, for example, a memory and data files provided in each server, an application running on each server, and the like. Tokutani, [0080]), wherein the access management process creates a matrix of groups from the servers and roles from the databases that can be requested by a user (Each circle within the table indicates that a user can simultaneously use (belong to) two roles indicated by a row and a column in terms of security policy. Each cross indicates that a user is prohibited from simultaneously using two roles indicated by a row and a column in terms of security policy. Tokutani, [0006]) and after approval by the user's manager (Additionally, not only system experts such as system administrators or security management personnel who are well acquainted with the system but also system in experts such as auditors, members responsible for compliance, or the management within an enterprise are involved in the enforcement of internal control. Tokutani, [0067]), and the access management process grants the requested groups and roles to a user to provide access for the user to one or more of the organization servers and databases (The policy checking/modifying unit 116 obtains permission-role information, for example depicted in Table 20, the role-user correspondence table, for example, depicted in Table 21, and access logs, for example, depicted in Table 22 respectively from the RBAC policy storing unit 113, the integrated ID managing unit 120, and the audit log storing unit 130, Tokutani, [0379]);
b. providing a security compliance process comprising sets of security compliance rules that define security configurations for the organization servers and databases and that define groups on the servers and roles in the databases that need to be protected (S303- CALCULATING POLICY COMPLIANCE LEVEL, Tokutani, FIG. 3), and wherein the security compliance process identifies and reports on any violations of the rules in the sets of the security compliance rules by the security configurations and the assigned groups on the servers and the roles in the databases (S304- DISPLAYING RESULTS, Tokutani, FIG. 3);
c. providing an integration tool that operatively marks the matrix of groups from the servers and the roles from the databases as restricted if they have been granted rights that violate the rules in the sets of the security compliance rules (Tokutani, [0009]);
d. wherein the integration tool allows the access management process to highlight restricted groups and roles during an initial user access request or profile creation, during the approval step performed by the user's manager (FIG. 12 is a flowchart depicting a specific example of a process ( step S1002) for detecting a role assignment that violates a role assignment prohibition rules in the embodiment; Tokutani, [0023]), as well as allowing requests for restricted groups and roles to be optionally routed through a second approval step, thereby preventing restricted groups and roles from being accidentally granted to users and eliminating the need to go back later and remove those restricted groups and roles (Tokutani, FIG. 13).
Tokutani teaches a method of integrating an organizational security system, that identifies files on servers and tables in databases in an organization that require protection so that these files and tables can be added to security compliance rules that are used by an access management process and a security compliance process whereby the organizational servers and tables can be protected before there is any unauthorized access to those files and servers in the sensitive data report; then after producing the sensitive data report (The integrated access control information managing unit 110 includes a setting adapter 111 for distributing/collecting a policy to/from the servers A, B and C, a policy generating unit 112 for generating a policy, an RBAC policy storing unit 113 for storing a generated policy, an RBAC policy, etc., a resource configuration information managing unit 114 for respectively obtaining/managing the configuration information of resources in the servers A, B and C from the servers, a policy check rule storing unit 115 for storing policy check rules, etc., and a policy checking/modifying unit 116 for checking/modifying a policy in accordance with the policy check rules stored in the policy check rule storing unit 115. With this configuration, the integrated access control information managing unit 110 manages (generates, edits, deletes, etc.) an access right to perform an access control consistent in the entire system, and distributes the access right in a format readable by access control mechanisms of the server systems. Tokutani, [0073]) but does not teach a sensitive data search process. Gheorghe, however, teaches first undertaking a sensitive data search process that produces a sensitive data report (The security developers plan to develop their own privacy enforcing process such that all data that is expected to exit the hospital system, from different reporting services, will go through the same point where the sensitive parts are inspected and filtered out. Gheorghe, pages 93-94).
Tokutani in view of Gheorghe are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Tokutani in view of Gheorghe. This would have been desirable because data protection regulations in the economic sector are based on fundamental legal rights; therefore, a system that complies with such regulations can guarantee protection for its IT assets (e.g., data, infrastructure) and clients as well (Gheorghe, page 17).

As per claim 3, Tokutani in view of Gheorghe teaches a method of integrating an organizational security system as described in claim 1, wherein the integration tool comprises a security compliance process that compares the access management requests and profiles with the security compliance violations to determine if any violations of the security compliance rules can be ignored because of a corresponding access management request or profile that has all necessary approvals based on the level of access requested (TABLE 3, Tokutani, [0140]).
As per claim 4, Tokutani in view of Gheorghe teaches a method of integrating an organizational security system as described in claim 1, wherein the integration tool comprises an auditing process that compares access attempts to restricted files/tables with a baseline to detect a suspicious access attempt to identify possible intrusion of a protected file/ table, wherein the baseline is the list of previous user access from the same user or users with similar access, thereby concentrating the process on files/ tables that contain sensitive information and not on all files / tables (If the indicator is being calculated for a policy where parameters can be changed, and that have not been respected for correct enforcement, then the corrective actions will be used to adjust these parameters. For instance, it is possible that the parameter “3" when enforcing the policy “After 3 failed login attempts, block the account and alert the administrator" was not complied with and instead of 3, there were 5 login failed attempts before the account was blocked. Gheorghe, page 111).
Tokutani in view of Gheorghe are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Tokutani in view of Gheorghe. This would have been desirable because corrective actions aim to patch the misbehaviour in a way that is most appropriate to the type of misbehaviour. Thus, in essence the main idea when using corrective actions is that of type flags to correlate the corrective actions with the indicators and changes in their values. This flag is associated with the property that an indicator is measuring: correctness of enforcement (i.e. wanted effects happen when certain triggers occur), or robustness (i.e. how the enforcement process deals with faults or errors). (Gheorghe, page 111)

As per claim 5, Tokutani in view of Gheorghe teaches a method of integrating an organizational security system as described in claim 4, wherein the integration tool provides a workflow to allow a security group to be able to accept suspicious access attempts so that the approved access attempts can be added to the approved baseline (If the indicator is being calculated for a policy where parameters can be changed, and that have not been respected for correct enforcement, then the corrective actions will be used to adjust these parameters. For instance, it is possible that the parameter “3" when enforcing the policy “After 3 failed login attempts, block the account and alert the administrator" was not complied with and instead of 3, there were 5 login failed attempts before the account was blocked. Gheorghe, page 111).
Tokutani in view of Gheorghe are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Tokutani in view of Gheorghe. This would have been desirable because corrective actions aim to patch the misbehaviour in a way that is most appropriate to the type of misbehaviour. Thus, in essence the main idea when using corrective actions is that of type flags to correlate the corrective actions with the indicators and changes in their values. This flag is associated with the property that an indicator is measuring: correctness of enforcement (i.e. wanted effects happen when certain triggers occur), or robustness (i.e. how the enforcement process deals with faults or errors). (Gheorghe, page 111)

As per claim 6, Tokutani in view of Gheorghe teaches a method of integrating an organizational security system as described in claim 1, wherein the integration tool comprises a security compliance process that marks all roles as restricted that have been granted restricted roles (execute an access right management information obtainment process for obtaining access right management information from an access right management information storing unit for storing the access right management information that collectively or partially restricts an access to an arbitrary resource, Tokutani, [0009]), and further wherein the searching process would be performed recursively until all role grants have been searched, thereby ensuring that all roles are marked as restricted that have access to restricted rights through an iterative process of granting roles to other roles creating a chain of access (Tokutani, FIG. 33).
As per claim 7, Tokutani in view of Gheorghe teaches a method of integrating an organizational security system as described in claim 1, wherein the integration tool comprises an access management process that can limit the list of requestable roles or groups to those that do not have a group name and those that have the same group name as the user who is requesting the roles or groups in the access management process (TABLE 31, Tokutani, [0433]).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Tokutani et al. (US 2009/0300711, Pub. Date: Dec. 3, 2009), in view of Gheorghe (Security Policy Enforcement in Service-Oriented Middleware, PhD Dissertation, December 2011, 239 pages), in view of Yancey et al. (US 2011/0246419, Pub. Date: Oct. 6, 2011), hereinafter referred to as Tokutani, Gheorghe and Yancey.
As per claim 8, Tokutani in view of Gheorghe teaches a method of integrating an organizational security system as described in claim 1, but does not teach a list of modified database objects; Yancey, however, teaches wherein the integration tool provides a reviewable list (Yancey, FIG. 3).
Tokutani in view of Gheorghe in view of Yancey are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Tokutani in view of Gheorghe in view of Yancey. This would have been desirable because of reducing down-time during an upgrade of an on-demand database and/or application service (Yancey, [0003]).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Tokutani et al. (US 2009/0300711, Pub. Date: Dec. 3, 2009), in view of Gheorghe (Security Policy Enforcement in Service-Oriented Middleware, PhD Dissertation, December 2011, 239 pages), in view of Kennis et al. (US 2008/0082376, Pub. Date: Apr. 3, 2008), hereinafter referred to as Tokutani, Gheorghe and Kennis.
As per claim 9, Tokutani in view of Gheorghe teaches a method of integrating an organizational security system as described in claim 1, but does not teach an audit log of failed access attempts; Kennis, however, teaches wherein the integration tool provides a reviewable audit log of failed access attempts on functions or procedures that access tables with sensitive information (Kennis, [0232]), thereby concentrating the security compliance process on functions or procedures that access sensitive information and not on all functions or procedures within the database (FIG. 21 illustrates a source table in a source ERP database mapped or normalized to a monitoring database target table with fewer fields and metadata, Kennis, [0067]).
Tokutani in view of Gheorghe in view of Kennis are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to y identifying errors, misuse, and abuse in veritable real time, the disclosed system minimizes financial loss by allowing an organization to quickly and decisively respond. In many cases, use of the system allows an enterprise to close a hole before it can be exploited. Finally, with transaction integrity monitoring, the disclosed system empowers enterprises to "trust but verify" its financial transactions. The system allows an enterprise's management team to establish a "tone at the top" regarding expectations of conduct within the organization (Kennis, [0045]).


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on 5:00 AM- 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/OLEG KORSAK/Primary Examiner, Art Unit 2492