Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION



Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03/25/2022 has been entered.
Claims 1-4, 6-16 and 18-22 are under examination. Claims 5 and 17 have been canceled.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone conversation with applicant’s representative, and followed by Email confirmation dated 05/16/2022.

Please replace the current listing of claims with the following:

1.	(Currently Amended) A method of providing security for an application, comprising:
	receiving, by a computer system, a request from an operator to use an application to perform an operation using information;
	in response to receiving the request, determining, by the computer system, an operator identity assurance level of the operator;
	in response to receiving the request, determining, by the computer system, characteristics of the operation using the information;
	determining, by the computer system, a sensitivity level of the request by identifying data sensitivities of the request based on contents of message in the request; 
determining, by the computer system, a sensitivity level of response to the request by identifying data sensitivities of the response to the request based on contents of message in the response to the request;
determining, by the computer system, a sensitivity level for the information by selecting more sensitive of the sensitivity level of the request or the sensitivity level of the response to the request;
	determining, by the computer system, an operation assurance level for the operation based on the characteristics of the operation using the sensitivity level of the information and pre-generated mapping of use case profiles to corresponding required operation assurance levels; 
	determining, by the computer system, whether the operator identity assurance level of the operator satisfies the operation assurance level for the operation; and
	in response to a determination that the operator identity assurance level of the operator satisfies the operation assurance level for the operation, allowing, by the computer system, the operator to use the application to perform the operation using the information.

2.	(Original) The method of claim 1, wherein the operator identity assurance level of the operator is based on a role of the operator.

3.	(Original) The method of claim 1 further comprising:
	receiving, by the computer system, credential information for identifying the operator; and
determining, by the computer system, the operator identity assurance level of the operator using the credential information.

4.	(Original) The method of claim 1, wherein determining the operation assurance level for the operation comprises:
using the characteristics of the operation using the information to classify the operation into a use case profile; and
assigning a required operation assurance level for the use case profile as the operation assurance level for the operation.

5.	(Cancelled) 
	
6.	(Original) The method of claim 1, wherein determining the characteristics of the operation comprises determining how the information will be used by the operation.

7.	(Original) The method of claim 1, wherein determining the characteristics of the operation comprises determining an owner of the information.

8.	(Original) The method of claim 7, wherein determining the characteristics of the operation comprises determining a relationship between the operator and the owner of the information.

9.	(Currently Amended) A method of providing security for an application, comprising:
	receiving, by a computer system, a request from an operator to use an application to perform an operation using information;
	in response to receiving the request, determining, by the computer system, an operator identity assurance level of the operator;
	in response to receiving the request, determining, by the computer system, characteristics of the operation using the information, wherein the characteristics of the operation comprise:
a sensitivity level of the request determined by identifying data sensitivities of the request based on contents of message in the request,
a sensitivity level of response to the request determined by identifying data sensitivities of the response to the request based on contents of message in the response to the request,
a sensitivity level for the information determined by selecting more sensitive of the sensitivity level of the request or the sensitivity level of the response to the request;
how the information will be used by the operation,
an owner of the information, and
a relationship between the operator and the owner of the information;
	determining, by the computer system, an operation assurance level for the operation based on the characteristics of the operation using the information and pre-generated mapping of use case profiles to corresponding required operation assurance levels; 
	determining, by the computer system, whether the operator identity assurance level of the operator satisfies the operation assurance level for the operation; and
	in response to a determination that the operator identity assurance level of the operator satisfies the operation assurance level for the operation, allowing, by the computer system, the operator to use the application to perform the operation using the information.

10.	(Original) The method of claim 9 further comprising:
	receiving, by the computer system, credential information for identifying the operator; and
determining, by the computer system, the operator identity assurance level for the operator using the credential information.

11.	(Original) The method of claim 9, wherein:
determining the sensitivity level of the information comprises determining whether the information is public information, internal use only information of an organization, confidential information, or restricted information;
determining how the operation will use the information comprises determining whether the operation will change the information or only view the information;
determining the owner of the information comprises identifying an individual or an organization that owns the information; and
determining the relationship between the operator and the owner of the information comprises determining whether the operator is the individual that owns the information, an individual that does not own the information, a member of the organization, or not a member of the organization.

12.	(Original) The method of claim 9, wherein determining the operation assurance level for the operation comprises:
using the characteristics of the operation using the information to classify the operation into a use case profile; and
assigning a required operation assurance level for the use case profile as the operation assurance level for the operation.

13.	(Currently Amended) A system for providing security for an application, comprising:
	a computer system;
one or more processors running on the computer system, wherein the one or more processors are configured to execute program instructions to cause the computer system to:
		receiving a request from an operator to use an application to perform an operation using information;
		in response to receiving the request, determining an operator identity assurance level of the operator;
		in response to receiving the request, determining characteristics of the operation using the information;
		determining a sensitivity level of the request by identifying data sensitivities of the request based on contents of message in the request; 
		determining a sensitivity level of response to the request by identifying data sensitivities of the response to the request based on contents of message in the response to the request;
		determining a sensitivity level for the information by selecting more sensitive of the sensitivity level of the request or the sensitivity level of the response to the request;
		determining an operation assurance level for the operation based on the characteristics of the operation using the sensitivity level of the information and pre-generated mapping of use case profiles to corresponding required operation assurance levels; 
		determining whether the operator identity assurance level of the operator satisfies the operation assurance level for the operation; and
		in response to a determination that the operator identity assurance level of the operator satisfies the operation assurance level for the operation, allowing the operator to use the application to perform the operation using the information.

14.	(Previously Presented) The computer system of claim 13, wherein the operator identity assurance level of the operator is based on a role of the operator.

15.	(Previously Presented) The computer system of claim 13, wherein the one or more processors are further configured to execute the program instructions to:
receiving credential information for identifying the operator; and
determining the operator identity assurance level of the operator using the credential information.

16.	(Previously Presented) The computer system of claim 13, wherein determining the operation assurance level for the operation comprises:
using the characteristics of the operation using the information to classify the operation into a use case profile; and
assigning a required operation assurance level for the use case profile as the operation assurance level for the operation.
	
17.	(Cancelled) 

18.	(Previously Presented) The computer system of claim 13, wherein determining the characteristics of the operation comprises determining how the information will be used by the operation.

19.	(Previously Presented) The computer system of claim 13, wherein determining the characteristics of the operation comprises determining an owner of the information.

20.	(Previously Presented) The computer system of claim 19, wherein determining the characteristic of the operation comprises determining a relationship between the operator and the owner of the information.

21.	(Cancelled) 

22.	(Cancelled) 
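
The decision flow recited in claims 1, 9 and 11, sketched as an added Python example; it is not part of the Office action or of the applicant's disclosure. The content rules, the numeric assurance levels 1-4, the scoring used to pre-generate the profile map, and all function and variable names are assumptions made for illustration.

```python
import re
from enum import IntEnum

class Sensitivity(IntEnum):          # the four categories named in claim 11
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# Assumed content rules (constructed): pattern found in a message -> sensitivity.
CONTENT_RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), Sensitivity.RESTRICTED),
    (re.compile(r"\b(salary|account_number)\b", re.I), Sensitivity.CONFIDENTIAL),
    (re.compile(r"\b(employee_id|internal)\b", re.I), Sensitivity.INTERNAL),
]
USAGES = ("view", "change")
RELATIONSHIPS = ("owner", "non_owner", "org_member", "non_member")

def message_sensitivity(message):
    """Most sensitive rule that matches the message contents, else PUBLIC."""
    hits = [level for pattern, level in CONTENT_RULES if pattern.search(message)]
    return max(hits, default=Sensitivity.PUBLIC)

def build_profile_map():
    """Pre-generate use case profile -> required operation assurance level (1-4).
    The scoring below is an assumption made for this example."""
    table = {}
    for s in Sensitivity:
        for usage in USAGES:
            for rel in RELATIONSHIPS:
                bump = (usage == "change") + (rel in ("non_owner", "non_member"))
                table[(s, usage, rel)] = min(4, 1 + int(s) + bump)
    return table

PROFILE_MAP = build_profile_map()

def authorize(operator_ial, request_msg, response_msg, usage, relationship):
    """Return (allowed, required_level); the response is classified before release."""
    # Information sensitivity is the more sensitive of request and response.
    info = max(message_sensitivity(request_msg), message_sensitivity(response_msg))
    required = PROFILE_MAP.get((info, usage, relationship))
    if required is None:             # unknown use case profile: fail closed
        return False, None
    return operator_ial >= required, required
```

A request that looks harmless can still be denied when the response it would produce classifies higher, which is the effect of taking the more sensitive of the two levels.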


Allowable Subject Matter
Claims 1-4, 6-16 and 18-20 are allowed.
The following is an examiner's statement of reasons for allowance: This communication warrants no examiner's reasons for allowance; applicant's reply makes evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule 37 CFR 1.104(e). Specifically, applicant’s arguments filed on 03/25/2022 and the Examiner’s amendment make the record clear as to the reasons for allowance for this application; as such, the reasons for allowance are in all probability evident from the record and no statement is deemed necessary (see MPEP 1302.14).
Any comments Applicant considers necessary must be submitted no later than the payment of the Issue Fee and, to avoid processing delays, should preferably accompany the Issue Fee. Such submission should be clearly labeled "Comments on Statement of Reasons for Allowance". In the event of any post-allowance papers (e.g. IDS, 312 amendment, petition, etc.), Applicant is exhorted to mail papers to the Production Control branch in Publications or fax them to the post-allowance papers correspondence branch at (703) 308-5864 to expedite the issuing process, or call PUB's Customer Service with any questions at (703) 305-8497.




Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure: 
US 7039951 B1		System and method for confidence based incremental access authentication
US 20040044655 A1		Row-level security in a relational database management system
US 20130122864 A1		METHODS AND APPARATUS FOR PROVIDING MANAGEMENT CAPABILITIES FOR ACCESS CONTROL CLIENTS
US 20040139349 A1		Method and system for secure pervasive access
US 10032326 B1		Accessing a secure region of an environment using visually identified behaviors relative to an access control device
US 20140143843 A1		SECURITY BYPASS ENVIRONMENT FOR CIRCUMVENTING A SECURITY APPLICATION IN A COMPUTING ENVIRONMENT
US 20100251360 A1		ACCESSING A PROCESSING DEVICE

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JASON CHIANG/Primary Examiner, Art Unit 2431