DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Notice to Applicant

The following is a Final Office action.  In response to Examiner’s Non-Final Action of 07/01/2021, Applicant, on 12/01/2021, presented arguments with Claims as originally presented. 
Claims 1-21 are pending in this application and have been rejected below.



Response to Amendment

Applicant’s arguments are acknowledged.

The prior 35 USC §101 rejection of Claims is maintained despite Applicant’s arguments. 

The prior 35 USC §103 rejection of Claims is maintained despite Applicant’s arguments. 



Response to Arguments

Applicant's arguments filed 12/01/2021 have been fully considered but they are found not persuasive. 

With regard to the 35 U.S.C. 101 rejection

Applicant argues (at pp. 8, 11) that the claims have been characterized at a high level of abstraction and that "the new rules state that the alleged abstract ideas must be recited as such in the claims" at step 2A, Prong 1 of the 2019 PEG. 
Examiner respectfully disagrees with the characterization that the claims have been characterized at a high level of abstraction with regard to the 35 U.S.C. 101 rejection. Examiner has identified the specific limitations in the claims under examination that the examiner believes recite an abstract idea (under Broadest Reasonable Interpretation of the claim language), and determined that the identified limitations fall within at least one of the groupings of abstract ideas enumerated in the 2019 PEG (see MPEP 2106.04(a) and http://ptoweb.uspto.gov/patents/exTrain/documents/101-2019-peg-advanced-module.pptx, slide 17). The subject matter of the claimed invention is directed to the abstract idea of Mental Processes (as explained in detail below in this Office Action under the 35 U.S.C. 101 rejection), and is therefore ineligible for patent at step 2A, Prong 1 of the analysis. 

Applicant also argues (at pp. 9-12) that "When the claims are characterized at the appropriate level of abstraction, and the combination of additional elements in the present claims are considered, the current claims are not abstract", that "Applicant contends that the claimed invention is integrated into a practical application", that 
Examiner respectfully disagrees. Examiner notes that the additional elements in the claims (computer, database, software) are merely used as a tool to implement the abstract idea (judicial exception), and the claims are therefore ineligible for patent at step 2A, Prong 2 of the analysis. Examiner notes that adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea (see MPEP 2106.05(f)), or generally linking the use of the judicial exception to a particular technological environment or field of use (see MPEP 2106.05(h)) is not indicative of integration of the abstract idea into a practical application.

Applicant further argues (at pp. 8, 12-13) that the claim language provides "significantly more than the exception itself" at step 2B of the 2019 PEG, and that "Applicant's claimed invention is, as a whole, more than a drafting effort designed to monopolize the exception."
Examiner respectfully disagrees. The claim limitations, taken as a whole and in any ordered combination, do not provide an inventive concept, since the additional elements in the claims are merely used as a tool to implement the abstract idea (judicial exception) as explained above, and the claims are therefore ineligible for patent at step 2B of the analysis (see MPEP 2106.05(f)). 
Examiner respectfully notes furthermore that the Court was concerned not only with the monopolistic preemption of broad areas, but also with the preemption of judicial exceptions in more narrowly constrained abstract ideas. Firstly, a claim cannot avoid the preemption concern by limiting itself to a particular technological environment. See Alice, 134 S. Ct. at 2357-58 (limiting an abstract idea to computer environment does not 

With regard to the 35 U.S.C. 103 rejection

Applicant argues (at pp. 14-21) that "the Office's rejections fail to state a prima facie case of obviousness as the determination of the level of ordinary skill in the art is a required part of an obviousness analysis", that the Office did not apply any of the Graham factors or provide "an explicit analysis (as required by KSR) of how the prior art cited by the Office in the rejections allegedly reflects an appropriate level of skill in the art", and that "Under KSR, for the reasons outlined above, the Office's failure to make an explicit determination of the level of ordinary skill in the art constitutes a failure to make out a prima facie case of obviousness with respect to the claims of the instant application".
Examiner respectfully disagrees. As noted by Applicant, specifying a particular level of skill is not necessary where the prior art itself reflects an appropriate level of skill (see MPEP 2141.03 (II)). Furthermore, as explained below in this Office Action in the rejection of Claim 1 under 35 U.S.C. 103, the Office provided the necessary rationale under KSR as one of teaching, suggestion, or motivation in the prior art that would have led one of ordinary skill to modify the prior art reference or to combine prior art reference teachings to arrive at the claimed invention (see MPEP 2141(II)(C)(III)(G)).

Applicant also argues (at pp. 22-25) that "the claimed invention is directed to the broader compliance goal of managing privacy risk, which in part includes managing 
Examiner respectfully disagrees. First of all, the claims in the instant application do not pertain to privacy, but to "assessing risk management and compliance of an entity" (as evidenced in independent Claims 1, 8 and 15). Applicant is reminded that the Broadest Reasonable Interpretation of the claim language is undertaken in light of the specification, but it is improper to import claim limitations from the specification (see MPEP 2111.01(II), MPEP 2145(VI)). Furthermore, the NIST reference teaches risk management and control, as evidenced for example by the second sentence of the Introduction section of the report (at page 1), "IT security assurance is the degree of confidence one has that the managerial, technical and operational security measures work as intended to protect the system and the information it processes"; and the Callahan reference similarly teaches risk assessment and compliance, as evidenced by the Abstract, "Various application modules work together to accomplish risk assessment and compliance monitoring". Thus both of the prior art references are clearly in analogous art with respect to the claimed invention, and their combination demonstrably teaches the claim language in the instant application as detailed below in this Office Action (in the section on the 35 U.S.C. 103 rejection), and they satisfy the requirements of KSR as noted above.

Applicant further argues (at pp. 17-19) that the Office indulged in hindsight analysis because it did not define the level of ordinary skill in the art.
KSR as noted above. See MPEP 2145(X)(A).

The remainder of Applicant's arguments are based on the incorrect assumption that each reference must teach all the limitations in a claim; Applicant is reminded that one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references under 35 U.S.C. 103 (see MPEP 2145(IV)).




Claim Rejections - 35 USC § 101

	35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 
Claims 1-21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to the abstract idea of assessing risk. The claim(s) recite(s):
Obtaining a framework which maps activities to standard activities (e.g. structuring a comparison between actual activities and standard activities-i.e. those activities which should be performed)
Obtaining a second framework which maps controls to standard controls (e.g. structuring a comparison between actual controls and standard controls-i.e. those controls which should be performed)
Accessing (i.e. using) the frameworks to generate risk analyses  (using the comparisons above to identify gaps which suggest greater/lesser degrees of risk)
Identifying previous controls and activities using the analysis  
  
 These are directed to an abstract idea which is a mental process (i.e. mentally processing data in order to make comparisons that identify risks). This judicial exception is not integrated into a practical application because the use of a computer/ database/ software for receiving and processing the data as claimed, and displaying a result is merely implementing the abstract idea steps in the manner of “apply it”.   
Taken individually or in any ordered combination these limitations merely implement the abstract idea using generic computer elements in the manner of “apply it”:

i. Receiving or transmitting data over a network, e.g., using the Internet to gather data,
ii. Performing repetitive calculations,
iii. Electronic recordkeeping (this element implies that records are stored/accessed only in association with those whose data is in the record),
iv. Storing and retrieving information in memory (from Versata which stored information in a database)
 Additionally, several court cases have deemed that providing access to database records does not convey eligibility (see MyMedicalRecords, Inc. v. Walgreen Co.; Jericho Sys. Corp. v. Axiomatics, Inc.; OpenTV, Inc. v. Apple Inc.; Preservation Wellness Techs., LLC v. Allscripts Healthcare Solutions, Inc.).  The examiner notes that the specification does not provide any particular database technology for how this is performed.
The claim(s) thus does/do not include additional elements that are sufficient to integrate the abstract idea into a practical application or amount to significantly more than the judicial exception because they, whether taken separately or as a whole, merely use generic computer components to receive, process and display data and thus do not provide an inventive concept in the claims.  The examiner notes that performing risk analyses in the context of auditing compliance and controls is not directed to a technical field but rather answers the long held question by management of “How much risk do our operations incur?”.  
The dependent claims further limit the abstract idea by reciting: 
Using the data analysis to provide tasks (claim 2)  
Cross-referencing (linking) activities with standards (claim 3)  
Comparing controls with activities (claim 4)  
Comparing activities with controls (claim 5)
Characteristics of the generated tasks (claim 6)
Generating a report detailing the analyses (claim 7)
 
 Claims 8-21 recite similar limitations with generic hardware/software elements for performing the method steps.  These generic limitations similarly fail to integrate the abstract idea steps into a practical application or provide significantly more since they merely implement the abstract idea in the manner of “apply it”. Taken as a whole and in any ordered combination, the claim limitations recite an abstract idea without significantly more.
The claimed invention is directed to the abstract idea of mapping/analyzing data - see Figures 7c and 7d.
[Image excerpt: media_image1.png]

[Image excerpt: media_image2.png]

What the claimed invention is directed to is a way of analyzing management activities in order to identify risks (e.g. are the activities / controls compliant with known standards/regulations).  This is a mental process which could be performed by gathering data and thinking about relationships in the data (e.g. by using pencil and paper to analyze the data and create the graphical constructs above manually).  The recitations of the use of computer elements (i.e. generic computer processor with memory and databases) merely implement the abstract idea in the manner of “apply it” and do not integrate the abstract idea into a practical application or provide significantly more.
Since the claimed invention embodies an abstract idea whose embodiment on a computer is not integrated into a practical application and does not provide significantly more, the claimed invention is patent ineligible under 35 USC 101.



Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
35 U.S.C. 103 forms the basis for all obviousness rejections set forth in this Office action.

Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over 
“Security Self-Assessment Guide for Information Technology Systems”, NIST Special Publication 800-26, Marianne Swanson, Aug 2001, (hereinafter NIST) 
  in view of Callahan US 7,853,468 (hereinafter Callahan)

	Regarding Claim 1, NIST teaches
1. A method for utilizing a combinatorial framework system for assessing risk management and compliance of an entity, comprising:
[[obtaining a master framework database for automating the management of a risk management and compliance program, the master framework database including a first framework database]] directed to mapping activities of the entity, the first framework also including comparable selected standard activities, and

[Image excerpt: media_image3.png]
	
	Here the procedures (i.e. activities) of the firm are mapped to the desired activities for that particular objective.
 the master framework database including a second framework database directed to mapping controls of the entity, 
	Page 14:

[Image excerpt: media_image4.png]

	Here the controls of the entity are mapped to an action plan in order to remedy these controls.
the second framework also including comparable selected standard controls, the first and second framework databases including cross referenced data elements;

accessing the first framework database to generate a first risk management and compliance analysis of the activities of the entity compared with selected standard activities applicable to the entity; and
Page 10:

[Image excerpt: media_image5.png]

	The questionnaires provide for generation of a risk management and compliance analysis of the activities of the entity compared with standard activities (i.e. what the entity should be doing with regard to the questions of the questionnaire).
accessing the second framework database to generate a second risk management and compliance analysis of the controls of the entity compared with selected standard controls applicable to the entity;
	The risk management plan discussed above is the generation of a risk management and compliance analysis (i.e. what needs to be done in order to be compliant based on controls applicable to that entity)
wherein during the first and second risk management and compliance analysis of the activities and the controls of the entity, utilizing the cross referenced data elements to identify previously implemented activities and controls of the entity.


	NIST teaches the separate frameworks as discussed above; however, NIST does not teach, but Callahan teaches,
obtaining a master framework database for automating the management of a risk management and compliance program, the master framework database including a first and second database.
	Column 2:
[Image excerpt: media_image6.png]

	Here Callahan teaches a database for automating the management of a risk and compliance program.  Callahan further teaches that the database can be split into separate databases:
	Column 10:
[Image excerpt: media_image7.png]

	(See column 9 line 50-55 where multiple databases can be integrated).

	It would have been obvious to one of ordinary skill in the art to have modified the teachings of NIST to have included using the database system of Callahan because it would have provided the benefit of using a computer system to automate the method steps taught by NIST with the understood result of making the method steps performed faster and more efficiently through the use of a system with distributed databases to manage the storage and retrieval of the gathered data.  This would make subsequent analyses by management to understand their compliance/risk/controls environment easier than performing the analyses manually.  Given the computer system of Callahan is directed to tracking/managing risk/compliance, there is a reasonable expectation of success in modifying it to perform the steps taught by NIST.

	Regarding Claim 2, NIST teaches
2. The method of claim 1 further comprising responsive to the risk management and compliance analysis of the activities and the controls of the entity, utilizing the cross referenced data elements to provide tasks for implementing activities and controls for the entity.
Page 13:

[Image excerpt: media_image8.png]



Regarding Claim 3, NIST teaches
3. The method of claim 1 wherein the comparable selected standard activities included in the first framework database are cross referenced with the comparable selected standards of the second framework database.
The standard activities to be implemented as part of the remediation plan discussed above are cross referenced with the standard activities (i.e. those activities the entity should be doing as part of the questionnaire).

Regarding Claim 4, NIST teaches
4. The method of claim 3 further comprising comparing the mapped controls of the entity with the comparable selected standard activities of the first framework database utilizing the cross references between the second and first framework databases.
	Page 13 section 4.2, the mapped controls of the entity (i.e. the action plan to put controls in place based on the deficiency identified) are compared with the deficiencies identified (i.e. standard activities of the first database) based on the linkages identified (which are identified to correct the deficiencies identified in the questionnaire).
 
Regarding Claim 5, NIST teaches
5. The method of claim 3 further comprising comparing mapped activities of the entity with the selected standard controls of the second framework database utilizing the cross references between the first and second framework databases.
Page 13 section 4.2, the mapped controls of the entity (i.e. the action plan to put controls in place based on the deficiency identified) are compared with the deficiencies identified (i.e. standard activities of the first database) based on the linkages identified (which are identified to correct the deficiencies identified in the questionnaire).

Regarding Claim 6, NIST teaches
6. The method of claim 3 wherein tasks generated to address identified risks of mapped activities of the entity concurrently address identified risks of mapped controls of the entity utilizing the cross references between the first and second framework databases.
	The identified activities in the action plan address both risks of the deficient activities and those of deficient controls which are identified.

Regarding Claim 7, NIST teaches
7. The method of claim 1 further comprising generating [[a drillable on-line]] report illustrating the risk management and compliance analysis of the activities of the entity compared with selected standard activities applicable to the entity, 
Page 13:
[Image excerpt: media_image9.png]

	The action plan provides a report illustrating the risk management/compliance analysis (i.e. as per the deficiencies identified in the activities/controls) compared to the selected standard activities applicable to the entity (i.e. those activities the entity should have in place).
and illustrating the risk management and compliance analysis of the controls of the entity compared with selected standard controls applicable to the entity.
	As per above, the follow-up reviews illustrate the analysis of the entity with the applicable controls of the entity. 

	Callahan teaches a networked computer system which provides a drillable report:
	Column 6:
[Image excerpt: media_image10.png]

	 It would have been obvious to one of ordinary skill in the art to have modified the teachings of NIST to have included the system of Callahan where an executive can drill down to identify risk/compliance information of those employees because it would have provided the benefit of making the information salient to that executive easily available.

Claims 8-21 recite similar limitations to those addressed by the rejection of claims 1-7 above and are therefore rejected under the same rationale.

	Furthermore, regarding claim 8, Callahan teaches a data processing system with a processor and memory; regarding claim 15, Callahan teaches software (see column 8 line 25 through 40).  It would have been obvious to have modified the teachings of NIST to have included performing the method steps using the system and software elements of Callahan because it would have provided the understood benefit of making the method steps performed faster and more efficiently through the use of distributed databases to manage the storage and retrieval of the gathered data.



Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure:
Schlarman (US Patent Number 8,478,628 B1) describes a method and system for risk assessment of compliance, using a database which contains mapped compliance data components related to regulations, requirements, policies and standards, controls, and assets;
Cobb et al. (US Patent Publication 20070288253 A1) describes a method and system for managing internal controls within a heterogeneous enterprise environment, using an open and extensible standards-based architecture that can create, monitor, test, or otherwise manage internal controls by capturing, organizing, translating, and exchanging controls data, tests, and test results across organizational boundaries and between an enterprise and its external auditors.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARJIT S BAINS whose telephone number is 571 270 0317. The examiner can normally be reached on Monday-Friday from 9:00 am to 5:30 pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, RUTAO WU, can be reached on (571) 272-6045. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

/SARJIT S BAINS/Examiner, Art Unit 3623
/WILLIAM S BROCKINGTON III/Primary Examiner, Art Unit 3623