DETAILED ACTION

1.	Notice of Pre-AIA or AIA Status: The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	This corrected allowance of application 16/240470 is in response to a printer rush filed on September 3, 2021 regarding canceled claim 13.

3.	Claims 1-12 and 14-41 are presented for allowance. 

4.	Claim 13 has been canceled, claims 1, 4, 6-12, 14-16, 21, 24, 26-28, 30-36 and 41 have been amended via an Examiner’s Amendment filed initially on August 19, 2021.

Claim Interpretation

5.	Claim 1 recites “control maturity.”  

Instant specification [0017] states “calculating control maturity comprises calculating a control maturity score for a security control”, “calculating the control maturity score comprises: calculating a Control Effectiveness Score (CES) that measures an effectiveness of the security control over a time period; and calculating a Compliance Conformance Score (CCS) that measures how well compliance is being met for the security control in place,” [0018] states “calculating the Control Effectiveness Score (CES) comprises:  calculating a Converge Effectiveness Ratio (CER) that measures a ratio of time that the security control was active in a predefined time period;  calculating an Asset Coverage Ratio (ACR) that measures assets covered by the security control versus a total number of assets in a network domain; and calculating a Business Impact Ratio (BIR) that computes a ratio of a total business impact relative to a maximum possible impact based on the assets covered by the security control and a business impact assigned to each asset,” and [0135] states “the control maturity assessor can calculate a control maturity for the security control based on the control effective scores (CES) and a compliance conformance score (CCS) (e.g., control maturity = CES * CCS).”  

Based on these specification explanations, “control maturity” is a score calculated from measures of the effectiveness of a security control over a time period.  

In addition to the instant specification explanations, a brief search reveals the Merriam-Webster dictionary and Aycock.

According to the Merriam-Webster dictionary, “temporal” is defined as “of or relating to time as opposed to eternity” and “of or relating to [] a distinction of time”.  Since Pollutro et al. (WO 2013166126 A1) specifies throughout that the events are “temporal events”, the “temporal” portion of the definition satisfies the calculated “control maturity” being over a period of time.  

Aycock et al. (US 5765138) (col 3 lines 23-35) states “a selected group of requirements defining quality control standards, also referred to as maturity requirements, are applied on the basis of project objects.  The selected requirements are supplied in a RFP/RFQ as objective criteria to be met by a desired vendor in a project. Upon receiving the supplier responses, each response is provided with a scaled score.  By correlating the scaled score with the relative weight of each of the requirements with respect to the project objectives, the present invention enables an objective evaluation of the supplier response in order to determine a supplier maturity level.”

These explanations provide the interpretation of “control maturity” applied to all the claims.

6.	Claim 1 recites “enriched events.”  Specification [0032] states “to generate the enriched events, the one or more processors are caused to:  match a plurality of portions of the security event to a plurality of event patterns stored in an event pattern database to determine a matching event pattern; and in response to matching the plurality of portions to the event pattern, generate metadata for each matching portion based on data types specified in the event pattern.”  This explanation provides an interpretation for “enriched events.”

Examiner’s Amendment

7.	An examiner’s amendment to the record appears below.  Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR § 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the Issue Fee.

8.	Authorization for this Examiner’s Amendment was given by Douglas Hamilton via email to USPTO on August 14, 2021.

9.	The claims have been amended as follows:

1.	(Currently Amended) A method for assessing a control maturity of a plurality of security controls implemented in an Information Technology (IT) environment, comprising: 
receiving a plurality of security events from a plurality of sensors in the IT environment; 
generating a plurality of enriched events corresponding to the plurality of security events, 
wherein each of the plurality of enriched events comprises metadata identifying data types associated with a security event corresponding to a respective one of the plurality of enriched events; 
classifying each of the plurality of security events to a respective one of  a plurality of predetermined security controls based on the corresponding enriched event to yield a plurality of classified security events; 
calculating a plurality of activity metrics for each of the plurality of predetermined security controls  based on each of the plurality of classified security events; 
calculating the control maturity for the plurality of predetermined security controls based on the plurality of activity metrics; and 
providing the calculated control maturity to a user.

2.	(Original)  The method of claim 1, wherein the IT environment comprises a plurality of assets associated with a plurality of network domains, and wherein each sensor is configured to detect a type of security information associated with an asset within a network domain.

3.	(Original)  The method of claim 1, wherein the metadata comprises a network ID, a network domain, a timestamp, sensor event type data, a sensor vendor type, event severity data, or security metadata associated with event assessment and security control activity calculations.

4.	(Currently Amended) The method of claim 1, wherein generating the plurality of enriched events comprises: 
matching a plurality of portions of the security event to a plurality of event patterns stored in an event pattern database to determine a matching event pattern; and 
in response to matching the plurality of portions to the event pattern, generating the metadata for each matching portion based on the data types specified in the event pattern.

5.	(Original) The method of claim 4, wherein the plurality of event patterns comprises a plurality of corresponding regular expressions.

6.	(Currently Amended) The method of claim 1, wherein classifying each of the plurality of security events comprises: 
classifying each of the plurality of security events to a sensor vendor based on the metadata corresponding to the security event; and 
classifying each of the plurality of security events to a respective one of the plurality of predetermined security controls based on the sensor vendor classified for the security event.

7.	(Currently Amended)  The method of claim 1, wherein classifying each of the plurality of security events to a respective one of the plurality of predetermined security controls based on the corresponding enriched event comprises:
classifying of the plurality of security events to an operational function based on  a security control associated with the security event; and 
classifying the security event as having an impact on one or more assets that are associated with the respective one of the plurality of predetermined security controls .

8.	(Currently Amended) The method of claim 1, wherein calculating the plurality of activity metrics for each of the plurality of predetermined security controls: 
generating a plurality of control activity records corresponding to the plurality of predetermined security controls based on each of the plurality of classified security events, 
wherein each control activity record includes an activity count associated with a security control type; and 
storing the plurality of control activity records in a control activity database.

9.	(Currently Amended) The method of claim 1, 
wherein calculating the control maturity comprises calculating a control maturity score for at least one of the plurality of predetermined security controls , and 
wherein calculating the control maturity score comprises: 
calculating a control effectiveness score (CES) that measures an effectiveness of the at least one of the plurality of predetermined security controls  over a predefined time period; and 
calculating a compliance conformance score (CCS) that measures how well compliance is being met for the at least one of the plurality of predetermined security controls  in place.

10.	(Currently Amended) The method of claim 9, wherein calculating the control effectiveness score (CES) comprises: 
calculating a coverage effectiveness ratio (CER) that measures a ratio of time that the security control was active in a predefined time period; 
calculating an asset coverage ratio (ACR) that measures assets covered by  a security control versus a total number of the assets in a network domain; and 
calculating a business impact ratio (BIR) that computes a ratio of a total business impact relative to a maximum possible impact based on the assets covered by the security control and a business impact assigned to each asset.

11.	(Currently Amended) The method of claim 10, 
wherein the CES is calculated by weighting the CER by the ACR and subtracting a value  calculated based on weighting an uncovered ratio by the BIR, 
wherein the uncovered ratio is calculated based on the ACR and represents a portion of the network domain not covered by the security control.

12.	(Currently Amended) The method of claim 9, wherein calculating the compliance conformance score (CCS) comprises: 
calculating an unweighted compliance conformance score (UCCS) that measures a ratio of compliance requirements fulfilled by the security control compared to other compliance requirements that must be fulfilled over the predefined time period.

13.	(Canceled)  

14.	(Currently Amended) The method of claim 1, wherein providing the calculated control maturity to the user comprises: 
displaying a matrix of operational assets crossed with asset  classes, 
wherein each cell in the matrix comprises one or more of the plurality of predetermined security controls mapped to  an operational asset and  an asset class corresponding to the cell; and 
displaying a graphical indication within the  cell of the matrix to indicate the calculated  control maturity of the one or more of the plurality of predetermined security controls corresponding to the  cell.

15.	(Currently Amended) The method of claim 1, wherein providing the calculated control maturity to the user comprises: 
providing to the user a report that indicates control maturity gaps with respect to a matrix of operational assets crossed with asset  classes, 
wherein each cell in the matrix comprises one or more of the plurality of predetermined security controls mapped to  an operational asset and  an asset class corresponding to the  cell.

16.	(Currently Amended) The method of claim 1, comprising: generating a security alert based on the calculated control maturity to notify the user of control maturity gaps or to notify the user of an abnormal change in the control maturity or a compliance conformance.

17.	(Original) The method of claim 16, comprising: detecting an indication of the abnormal change based on a plurality of rules, a heuristic, or a classifier.

18.	(Original) The method of claim 1, comprising: initiating an automated action based on the calculated control maturity to decrease risk and improve security resilience of the IT environment.

19.	(Original) The method of claim 18, wherein the automated action comprises reconfiguring one or more security policies.

20.	(Original) The method of claim 1, comprising: generating a model of a security environment corresponding to the IT environment.
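The receive, enrich, classify and activity-metric steps of claims 1, 4-6 and 8, worked through as an added example; this is not code from the application or its applicant. The sample log lines, the regular-expression event patterns, the vendor-to-control mapping and every name below are constructed assumptions.

```python
"""Event enrichment -> classification -> control activity records (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Event pattern database (claims 4 and 5): each pattern is a regular expression whose
# named groups name the data types carried into the enriched event's metadata.
# The sensor formats below are constructed for this example.
EVENT_PATTERNS = [
    {"name": "fw_deny", "vendor": "acmefw",
     "regex": re.compile(r"^(?P<timestamp>\S+) (?P<sensor>acmefw)\[(?P<network_id>[^\]]+)\] "
                         r"DENY src=(?P<src_ip>\S+) dst=(?P<dst_ip>\S+) sev=(?P<severity>\d)$")},
    {"name": "edr_alert", "vendor": "zetaedr",
     "regex": re.compile(r"^(?P<timestamp>\S+) (?P<sensor>zetaedr) host=(?P<asset>\S+) "
                         r"alert=(?P<alert>\S+) sev=(?P<severity>\d)$")},
]

# Sensor vendor -> predetermined security control (claim 6). Constructed mapping.
VENDOR_TO_CONTROL = {"acmefw": "network_firewall", "zetaedr": "endpoint_detection"}


@dataclass
class EnrichedEvent:
    raw: str
    pattern: str
    vendor: str
    metadata: dict = field(default_factory=dict)  # data type -> value (claim 1)


def enrich(raw: str):
    """Match portions of the raw event against the pattern database and build the
    metadata from the matched groups. Returns None when no pattern matches, so an
    unknown sensor format is surfaced instead of silently misclassified."""
    for p in EVENT_PATTERNS:
        m = p["regex"].match(raw)
        if m:
            return EnrichedEvent(raw, p["name"], p["vendor"], m.groupdict())
    return None


def classify(ev: EnrichedEvent) -> str:
    """Classify the event to a sensor vendor, then to a security control (claim 6)."""
    return VENDOR_TO_CONTROL[ev.vendor]


def activity_metrics(raw_events):
    """Return (control activity records, unmatched count). Each record is the activity
    count for one security control type (claim 8); unmatched events are counted so a
    dropped sensor feed shows up as a gap rather than as a quiet control."""
    counts = Counter()
    unmatched = 0
    for raw in raw_events:
        ev = enrich(raw)
        if ev is None:
            unmatched += 1
            continue
        counts[classify(ev)] += 1
    return dict(counts), unmatched


# Constructed sample feed: two firewall denies, one EDR alert, one unknown sensor line.
SAMPLE_EVENTS = [
    "2021-09-01T10:00:00Z acmefw[dmz] DENY src=10.0.0.5 dst=10.0.1.7 sev=3",
    "2021-09-01T10:00:05Z acmefw[dmz] DENY src=10.0.0.9 dst=10.0.1.7 sev=4",
    "2021-09-01T10:01:00Z zetaedr host=ws-17 alert=suspicious_process sev=5",
    "2021-09-01T10:02:00Z unknownsensor something happened",
]

if __name__ == "__main__":
    records, unmatched = activity_metrics(SAMPLE_EVENTS)
    print(records, "unmatched:", unmatched)
```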

21.	(Currently Amended)  A system for assessing a control maturity of security controls in an Information Technology (IT) environment, comprising one or more processors, memory, and one or more programs stored in the memory that when executed by the one or more processors cause the one or more processors to: 
receive a plurality of security events from a plurality of sensors in the IT environment; 
generate a plurality of enriched events corresponding to the plurality of security events, 
wherein each enriched event comprises metadata identifying data types associated with a security event corresponding to the enriched event; 
classify each of the plurality of security events to a respective one of  a plurality of predetermined security controls based on the corresponding enriched event to yield a plurality of classified security events; 
calculate a plurality of activity metrics for each of the plurality of predetermined security controls based on each of the plurality of classified security events; and 
calculate the control maturity for each of the plurality of predetermined security controls based on the plurality of activity metrics; and 
provide the calculated control maturity to a user.


22.	(Original) The system of claim 21, 
wherein the IT environment comprises a plurality of assets associated with a plurality of network domains, and 
wherein each sensor is configured to detect a type of security information associated with an asset within a network domain.

23.	(Original) The system of claim 21, wherein the metadata comprises a network ID, a network domain, a timestamp, sensor event type data, a sensor vendor type, event severity data, or security metadata associated with event assessment and security control activity calculations.

24.	(Currently Amended) The system of claim 21, wherein to generate the plurality of enriched events, the one or more processors are caused to: 
match a plurality of portions of the security event to a plurality of event patterns stored in an event pattern database to determine a matching event pattern; and 
in response to matching the plurality of portions to the event pattern, generate the metadata for each matching portion based on the data types specified in the event pattern.

25.	(Original) The system of claim 24, wherein the plurality of event patterns comprises a plurality of corresponding regular expressions.

26.	(Currently Amended) The system of claim 21, wherein to classify each of the plurality of security events, the one or more processors are caused to: 
classify each of the plurality of security events to a sensor vendor based on the metadata corresponding to each of the plurality of security events; and 
classify each of the plurality of security events to the respective one of the plurality of predetermined security controls based on the sensor vendor classified for the security event.

27.	(Currently Amended) The system of claim 21, wherein to classify each of the plurality of security events to a respective one of the  plurality of predetermined security controls based on the corresponding one of the plurality of enriched events, the one or more processors are caused to: 
classify each of the plurality of security events to an operational function based on the security control associated with the security event; and 
classify each of the plurality of security events as having an impact on one or more assets that are associated with the respective one of the plurality of predetermined security controls .

28.	(Currently Amended) The system of claim 21, wherein to calculate the plurality of activity metrics for each of the plurality of predetermined security controls, the one or more processors are caused to: 
generate a plurality of control activity records corresponding to the plurality of predetermined security controls based on each of the plurality of classified security events, 
wherein each of the plurality of control activity records  includes an activity count associated with a security control type; and 
store the plurality of control activity records in a control activity database.

29.	(Currently Amended) The system of claim 21, 
wherein calculating the control maturity comprises calculating a control maturity score for a security control, and 
wherein to calculate the control maturity score, the one or more processors are caused to: 
calculate a control effectiveness score (CES) that measures an effectiveness of the security control over a predefined time period; and 
calculate a compliance conformance score (CCS) that measures how well compliance is being met for the security control in place.

30.	(Currently Amended) The system of claim 29, wherein to calculate the control effectiveness score (CES), the one or more processors are caused to: 
calculate a coverage effectiveness ratio (CER) that measures a ratio of time that the security control was active in a predefined time period; 
calculate an asset coverage ratio (ACR) that measures assets covered by the security control versus a total number of the assets in a network domain; and 
calculate a business impact ratio (BIR) that computes a ratio of a total business impact relative to a maximum possible impact based on the assets covered by the security control and a business impact assigned to each asset.

31.	(Currently Amended) The system of claim 30, 
wherein the CES is calculated by weighting the CER by the ACR and subtracting a value  calculated based on weighting an uncovered ratio by the BIR, 
wherein the uncovered ratio is calculated based on the ACR and represents a portion of the network domain not covered by the security control.

32.	(Currently Amended) The system of claim 29, wherein to calculate the compliance conformance score (CCS), the one or more processors are caused to: 
calculate an unweighted compliance conformance score (UCCS) that measures a ratio of compliance requirements fulfilled by the security control compared to other compliance requirements that must be fulfilled over the predefined time period.

33.	(Currently Amended) The system of claim 29, wherein to calculate the compliance conformance score (CCS), the one or more processors are caused to: 
calculate a weighted compliance conformance that measures a ratio of compliance requirements fulfilled by the security control compared to other compliance requirements that must be fulfilled over the predefined time period, 
wherein each compliance requirement fulfillment is weighted based on the security control.

34.	(Currently Amended) The system of claim 21, wherein to provide the calculated control maturity to the user, the one or more processors are caused to: 
display a matrix of operational assets crossed with  asset classes, 
wherein each cell in the matrix comprises one or more of the plurality of predetermined security controls mapped to  an operational asset and the asset class corresponding to  the cell; and 
display a graphical indication within  the cell of the matrix to indicate  the calculated control maturity of the one or more of the plurality of predetermined security controls corresponding to  the cell.

35.	(Currently Amended) The system of claim 21, wherein to provide the calculated control maturity to the user, the one or more processors are caused to: 
provide to the user a report that indicates control maturity gaps with respect to a matrix of operational assets crossed with  asset classes, 
wherein each cell in the matrix comprises one or more of the plurality of predetermined security controls mapped to  an operational asset and  an asset class corresponding to  the cell.

36.	(Currently Amended) The system of claim 21, wherein the one or more processors are caused to: generate a security alert based on the calculated control maturity to notify the user of control maturity gaps or to notify the user of an abnormal change in the control maturity or a compliance conformance.

37.	(Original) The system of claim 36, wherein the one or more processors are caused to: detect an indication of the abnormal change based on a plurality of rules, a heuristic, or a classifier.

38.	(Original) The system of claim 21, wherein the one or more processors are caused to: initiate an automated action based on the calculated control maturity to decrease risk and improve security resilience of the IT environment.

39.	(Original) The system of claim 38, wherein the automated action comprises reconfiguring one or more security policies.

40.	(Original)  The system of claim 21, wherein the one or more processors are caused to generate a model of a security environment corresponding to the IT environment.

41.	(Currently Amended) A non-transitory computer-readable storage medium comprising instructions for assessing a control maturity of security controls in an Information Technology (IT) environment, wherein the instructions, when executed by a computer having one or more processors, cause the one or more processors to perform the instructions comprising: 
receiving a plurality of security events from a plurality of sensors in the IT environment; 
generating a plurality of enriched events corresponding to the plurality of security events, 
wherein each enriched event comprises metadata identifying data types associated with a security event corresponding to the enriched event; 
classifying each of the plurality of security events  to a security control from a plurality of predetermined security controls based on the corresponding enriched event to yield a plurality of classified security events; 
calculating a plurality of activity metrics for each of the plurality of predetermined security controls  based on each of the plurality of classified security events; and 
calculating the control maturity for the plurality of predetermined security controls based on the plurality of activity metrics; and 
providing the calculated control maturity to a user.
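The scoring recited in claims 9-12 and 29-33 and in specification paragraph [0135] (CER, ACR, BIR, CES, unweighted and weighted CCS, and control maturity = CES * CCS), carried through as an added example that is not code from the application or its applicant. The claims do not fix the following, so they are assumptions here: the uncovered ratio is 1 - ACR, the BIR is the business impact of covered assets divided by the total business impact, and scores are clamped to [0, 1]; the sample assets and compliance requirements are constructed.

```python
"""Control maturity scoring per claims 9-12 / 29-33 and [0135] (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: float  # business impact assigned to each asset (claim 10)
    covered: bool           # covered by the security control under assessment


@dataclass(frozen=True)
class Requirement:
    name: str
    fulfilled: bool
    weight: float = 1.0     # per-requirement weight for the weighted CCS (claim 33)


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def coverage_effectiveness_ratio(active_seconds: float, period_seconds: float) -> float:
    """CER: ratio of time the control was active within the predefined period."""
    if period_seconds <= 0:
        raise ValueError("period must be positive")
    return clamp01(active_seconds / period_seconds)


def asset_coverage_ratio(assets) -> float:
    """ACR: assets covered by the control versus total assets in the domain."""
    if not assets:
        return 0.0
    return sum(1 for a in assets if a.covered) / len(assets)


def business_impact_ratio(assets) -> float:
    """BIR: impact of covered assets relative to the maximum possible impact (all
    assets). Assumed reading of claim 10; an empty or zero-impact domain scores 0."""
    total = sum(a.business_impact for a in assets)
    if total <= 0:
        return 0.0
    return sum(a.business_impact for a in assets if a.covered) / total


def control_effectiveness_score(cer: float, acr: float, bir: float) -> float:
    """CES per claim 11: CER weighted by ACR minus the uncovered ratio (assumed 1 - ACR)
    weighted by BIR; clamped so a mostly uncovered domain bottoms out at 0."""
    uncovered = 1.0 - acr
    return clamp01(cer * acr - uncovered * bir)


def unweighted_ccs(requirements) -> float:
    """UCCS per claim 12: requirements fulfilled over all that must be fulfilled."""
    if not requirements:
        return 0.0
    return sum(1 for r in requirements if r.fulfilled) / len(requirements)


def weighted_ccs(requirements) -> float:
    """Weighted CCS per claim 33: weight of fulfilled requirements over total weight."""
    total = sum(r.weight for r in requirements)
    if total <= 0:
        return 0.0
    return sum(r.weight for r in requirements if r.fulfilled) / total


def control_maturity(cer: float, acr: float, bir: float, ccs: float) -> float:
    """Control maturity = CES * CCS (specification [0135])."""
    return control_effectiveness_score(cer, acr, bir) * ccs


# Constructed sample: a firewall control active 27 of 30 days, covering 3 of 4 assets.
DAY = 86400
SAMPLE_ASSETS = [Asset("web-01", 5.0, True), Asset("db-01", 10.0, True),
                 Asset("app-01", 5.0, True), Asset("legacy-01", 5.0, False)]
SAMPLE_REQUIREMENTS = [Requirement("logging-enabled", True, 1.0),
                       Requirement("default-deny", True, 2.0),
                       Requirement("rule-review-quarterly", False, 1.0),
                       Requirement("change-approval", True, 1.0)]


def sample_scores() -> dict:
    cer = coverage_effectiveness_ratio(27 * DAY, 30 * DAY)
    acr = asset_coverage_ratio(SAMPLE_ASSETS)
    bir = business_impact_ratio(SAMPLE_ASSETS)
    uccs = unweighted_ccs(SAMPLE_REQUIREMENTS)
    return {"CER": cer, "ACR": acr, "BIR": bir,
            "CES": control_effectiveness_score(cer, acr, bir),
            "UCCS": uccs, "WCCS": weighted_ccs(SAMPLE_REQUIREMENTS),
            "maturity": control_maturity(cer, acr, bir, uccs)}


if __name__ == "__main__":
    for k, v in sample_scores().items():
        print(f"{k:>8}: {v:.3f}")
```

With the sample data the control is active 90% of the period but its uncovered quarter of the domain carries impact, so CES lands at 0.475 and maturity at about 0.356; the clamp in the CES keeps a control covering almost nothing from going negative.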

Reason for Allowance

10.	Claims 1, 21 and 41 of the present invention are directed towards assessing a control maturity of a plurality of security controls implemented in an Information Technology (IT) environment.  Independent claims 1, 21 and 41 each identify the uniquely distinct combination of features:
assessing a control maturity of a plurality of security controls implemented in an Information Technology (IT) environment 
receiving a plurality of security events from a plurality of sensors in the IT environment
generating a plurality of enriched events corresponding to the plurality of security events
wherein each of the plurality of enriched events comprises metadata identifying data types associated with a security event corresponding to a respective one of the plurality of enriched events
classifying each of the plurality of security events to a respective one of a plurality of predetermined security controls based on the corresponding enriched event to yield a plurality of classified security events
calculating a plurality of activity metrics for each of the plurality of predetermined security controls based on each of the plurality of classified security events
calculating the control maturity for the plurality of predetermined security controls based on the plurality of activity metrics 
providing the calculated control maturity to a user.

11.	Regarding allowed claims 1, 21 and 41 presented above, the following is an examiner’s statement of reasons for allowance.  The following are the closest prior art:

Lim et al. (US Pub 20180053064) teach sensor and metadata.

Yi et al. (US Pub 2012013761) teach classifying an event.

Kim et al. (KR 20170102785A) teach classifying pieces of state information (metadata) received from a plurality of IoT devices to detect the occurrence of an event.

Purcell et al. (US Pub 20110161848) teach to classify an event as a security event if it occurs at a different time of day.

Choudhary et al. (US 10057285) (col 4 lines 49-58) teach “metadata used to enrich a particular event may include one or more tags that originate from an external source,” and (col 7 lines 7-10) teach “pluggable event correlation system may enforce internal policies, manage security risks, and ensure regulatory compliance across an organizational information technology infrastructure.”

Natarajan et al. (US 10601872) teach that events are broadly classified as security violations.
 
Ladnai et al. (US Pub 20170300690) teach filtering of data dependent upon the type of security event detected.  Details include event graph based on memory limits, user parameters, security event type, or any other object metrics or inputs.

Johnson (US Pub 20160048782) teaches automatically selecting and applying access management controls based on maturity score targets and other maturity information associated with an IT environment.

Beresnevichiene et al. (US Pub 20110252479) teach that a control maturity model can be applied by performing interviews and examining supporting documentation for each property of a control.  Controls can be deployed based on the level of control maturity required to accommodate an organization’s budget and appetite for risk.

Lang et al. (US Pub 20090260086) teach a Control Maturity Model (CMM) that may define the control environment in measure and overall strategy.  

Pollutro et al., WO 2013166126 A1 (PCT/US2013/039033).

According to WhatIs.com, “a security event is a change in the everyday operations of a network or information technology service indicating that a security policy may have been violated or a security safeguard may have failed.”

According to Merriam-Webster, “metrics” is defined as “a standard of measurement.”

12.	In summary, nowhere does the prior art disclose the unique combination of elements listed above.  The unique combination of steps/elements listed above is a novel combination.  The definitions presented above provide an explanation/clarification of some critical features (e.g., security event, metrics).  The prior art, either singularly or in combination, fails to anticipate or render obvious the present invention.  

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

13.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to O. Charlie Vostal, whose telephone number is 571-270-3992.  The examiner can normally be reached from 8:30am to 5:00pm EST, Monday through Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen, can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the Public PAIR system, see http://portal.uspto.gov/pair/PublicPair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



	/ONDREJ C VOSTAL/           Primary Examiner, Art Unit 2452
	September 10, 2021