DETAILED ACTION

Notice of Pre-AIA or AIA Status

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

2.	The information disclosure statement (IDS) submitted on 04/07/2022 was filed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting

3.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

4.	Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11055415. Although the claims at issue are not identical, they are not patentably distinct from each other (see the comparison below, which sets the two claims side by side).

U.S. Patent No. 11055415, claim 1:

1. A system comprising: a communications interface configured: to receive security practices information from a first computing system via a network, wherein the security practices information characterizes security measures in place at the first computing system, wherein the security practices information comprises a plurality of free-form text passages that are each associated with a respective standardized security question, to receive computing services interaction information from a second computing system via the network, wherein the computing services interaction information characterizes data transmitted from the second computing system to the first computing system, and to transmit a risk assessment message to the second computing system, the risk assessment message including an estimate of an information security risk associated with transmitting the data from the second computing system to the first computing system, the estimate of the information security risk determined at least in part based on an analysis of third-party audit information documenting the result of an audit of the security measures; memory configured to store security information associated with a plurality of vendors providing computing services and a plurality of clients accessing the computing services via the network, the security information including the security practices information and the computing services interaction information, the first computing system being associated with a designated one of the vendors, the second computing system being associated with a designated one of the clients; and a processor configured to determine a risk profile for the first computing system based on the security practice information and to determine the estimate of the information security risk based on the risk profile and the computing services interaction information, wherein determining the risk profile comprises estimating a dimensional risk factor for each of a plurality of security dimensions based on the security practice information, the dimensional risk factor reflecting a reported security practice associated with the security dimension, the dimensional risk factor reflecting a level of assurance associated with the reported security practice, wherein determining the estimate of the information security risk comprises determining a weighting value for each of the dimensional risk factors based on the computing services interaction information, the weighting reflecting a relative importance of the dimensional risk factor to the estimate of the information security risk, and wherein determining the risk profile comprises calculating a weighted average of the dimensional risk factors.

Application No. 17/337,678, claim 1:

1. A system comprising: a communications interface configured: to receive security practices information from a first computing system via a network, wherein the security practices information characterizes security measures in place at the first computing system, wherein the security practices information comprises a plurality of free-form text passages that are each associated with a respective standardized security question, to receive computing services interaction information from a second computing system via the network, wherein the computing services interaction information characterizes data transmitted from the second computing system to the first computing system, and to transmit a risk assessment message to the second computing system, the risk assessment message including an estimate of an information security risk associated with transmitting the data from the second computing system to the first computing system, the estimate of the information security risk determined at least in part based on an analysis of third-party audit information documenting the result of an audit of the security measures; memory configured to store security information associated with a plurality of vendors providing computing services and a plurality of clients accessing the computing services via the network, the security information including the security practices information and the computing services interaction information, the first computing system being associated with a designated one of the vendors, the second computing system being associated with a designated one of the clients; and a processor configured to determine a risk profile for the first computing system based on the security practice information and to determine the estimate of the information security risk based on the risk profile and the computing services interaction information, wherein determining the risk profile comprises estimating a dimensional risk factor for each of a plurality of security dimensions based on the security practice information, the dimensional risk factor reflecting a reported security practice associated with the security dimension, the dimensional risk factor reflecting a level of assurance associated with the reported security practice, wherein determining the estimate of the information security risk comprises determining a weighting value for each of the dimensional risk factors based on the computing services interaction information, the weighting reflecting a relative importance of the dimensional risk factor to the estimate of the information security risk, and wherein determining the risk profile comprises calculating a weighted average of the dimensional risk factors.
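The claim language above describes a concrete computation: a risk factor per security dimension that is discounted by the level of assurance (self-reported versus third-party audited), a weighting value per dimension derived from what data the client actually sends the vendor, and a weighted average of the factors. The following Python sketch is an added illustration of that structure; it is not code from either patent or the applicant, and the dimensions, the 0-to-1 scales, the assurance multipliers and the data-type weight table are all constructed assumptions.

```python
"""Illustrative vendor risk profile modelled on the claim structure.
All scales, dimensions and tables below are constructed assumptions."""
from dataclasses import dataclass

# Assumed assurance multipliers: how far a reported practice is trusted.
ASSURANCE = {"self_reported": 0.5, "third_party_audited": 1.0}


@dataclass(frozen=True)
class DimensionReport:
    dimension: str          # e.g. "encryption", "access_control", "logging"
    practice_score: float   # 0..1, strength of the reported practice
    assurance: str          # key of ASSURANCE (audit evidence level)


def dimensional_risk(report: DimensionReport) -> float:
    """Risk factor in [0, 1]: 0 = fully mitigated, 1 = no mitigation.
    An unaudited claim is discounted, so it leaves more residual risk."""
    if report.assurance not in ASSURANCE:
        raise ValueError(f"unknown assurance level: {report.assurance}")
    if not 0.0 <= report.practice_score <= 1.0:
        raise ValueError("practice_score must be in [0, 1]")
    return 1.0 - report.practice_score * ASSURANCE[report.assurance]


# Assumed table: which dimensions matter for which kinds of transmitted data.
DATA_TYPE_WEIGHTS = {
    "pii":       {"encryption": 3.0, "access_control": 3.0, "logging": 1.0},
    "financial": {"encryption": 3.0, "access_control": 2.0, "logging": 2.0},
    "public":    {"encryption": 0.5, "access_control": 0.5, "logging": 0.5},
}


def weighting_values(data_types, dimensions):
    """Relative importance of each dimension given what the client sends."""
    weights = {d: 0.0 for d in dimensions}
    for dt in data_types:
        for d, w in DATA_TYPE_WEIGHTS.get(dt, {}).items():
            if d in weights:
                weights[d] += w
    # Small floor so a dimension is never dropped from the average entirely.
    return {d: max(w, 0.1) for d, w in weights.items()}


def risk_estimate(reports, data_types) -> float:
    """Weighted average of the dimensional risk factors (the risk profile)."""
    factors = {r.dimension: dimensional_risk(r) for r in reports}
    weights = weighting_values(data_types, factors.keys())
    total = sum(weights.values())
    return sum(factors[d] * weights[d] for d in factors) / total


# Constructed questionnaire answers for one vendor.
VENDOR = [
    DimensionReport("encryption", 0.9, "third_party_audited"),
    DimensionReport("access_control", 0.8, "self_reported"),
    DimensionReport("logging", 0.6, "self_reported"),
]
```

Running `risk_estimate(VENDOR, ["pii"])` weights the audited encryption control most heavily and yields a lower estimate than the same vendor assessed for a financial data flow, which is the effect the claim's weighting step is meant to capture.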



Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


5.	Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No. US 2008/0148364 A1 to Hopen et al. (hereafter referenced as Hopen), in view of Patent No. US 8,396,890 B2 to Lim.
Regarding claim 1, Hopen discloses “a system comprising: a communications interface configured: to receive security practices information from a first computing system via a network” (security practices are received from the policy server [Fig.4/item 401]), “wherein the security practices information characterizes security measures in place at the first computing system” (policy enforcer compiled on client workstation [Fig.4/item 403, 405]), “wherein the security practices information comprises a plurality of free-form text passages that are each associated with a respective standardized security question, to receive computing services interaction information from a second computing system via the network” (to ensure security, queries in the manifest request may be formulated as questions prompting specific prior known answers rather than open ended questions [par.0109]), “wherein the computing services interaction information characterizes data transmitted from the second computing system to the first computing system” (policy enforcer requests policies from policy server [Fig.22/item 2006, 2008]), “and to transmit a risk assessment message to the second computing system” (the pre-authentication interrogator agent requires no input, and returns various data to the provisioning server 307. The pre-authentication interrogator agent is used by the server system 301 to determine artifact [par.0087]), “the risk assessment message including an estimate of an information security risk associated with transmitting the data from the second computing system to the first computing system” (the pre-authentication interrogator agent is used by the server system 301 to determine artifact [par.0087]), “the estimate of the information security risk determined at least in part based on an analysis of third-party audit information documenting the result of an audit of the security measures” (policy server [Fig.4] comprising an analysis module [Fig.4/item 401]); “memory configured to store security information associated with a plurality of vendors providing computing services and a plurality of clients accessing the computing services via the network” (policy server 311 also may provide literals for client inventory agents, data protection agents, and patch management agents [par.0070]).
 Hopen does not explicitly disclose “the security information including the security practices information and the computing services interaction information, the first computing system being associated with a designated one of the vendors, the second computing system being associated with a designated one of the clients; and a processor configured to determine a risk profile for the first computing system based on the security practice information and to determine the estimate of the information security risk based on the risk profile and the computing services interaction information, wherein determining the risk profile comprises estimating a dimensional risk factor for each of a plurality of security dimensions based on the security practice information, the dimensional risk factor reflecting a reported security practice associated with the security dimension, the dimensional risk factor reflecting a level of assurance associated with the reported security practice, wherein determining the estimate of the information security risk comprises determining a weighting value for each of the dimensional risk factors based on the computing services interaction information, the weighting reflecting a relative importance of the dimensional risk factor to the estimate of the information security risk, and wherein determining the risk profile comprises calculating a weighted average of the dimensional risk factors.”
However, Lim discloses “the security information (policy server rules Lim [Fig.4/item 401]) including the security practices information and the computing services interaction information” (embodiment of the invention centrally manages policies or rules pertaining to the controlling of access to and usage of information including documents Lim [Col.7/lines 35-38]), “the first computing system being associated with a designated one of the vendors” (communication between the various systems shown in FIG. 1. These communication protocols may include TCP/IP, HTTP protocols, wireless application protocol (WAP), vendor-specific protocols, customized protocols, and others Lim [Col.5/lines 41-45]), “the second computing system being associated with a designated one of the clients” (second computing system Lim [Fig.21/2035]); “and a processor (policy server Lim [Fig.4/item 401]) configured to determine a risk profile for the first computing system based on the security practice information (i.e., intelligence server Lim [Fig.5/item 510] receives information from report and analysis module to make a determination) and to determine the estimate of the information security risk based on the risk profile and the computing services interaction information” (reporting and analysis module 502 see also Lim [Col.31-36]), “wherein determining the risk profile comprises estimating a dimensional risk factor for each of a plurality of security dimensions based on the security practice information” (reporting and analysis module 502 see also Lim [Col.31-36]), “the dimensional risk factor reflecting a reported security practice associated with the security dimension” (reporting and analysis module 502 see also Lim [Col.31-36]), “the dimensional risk factor reflecting a level of assurance associated with the reported security practice” (reporting and analysis module 502 see also Lim [Col.31-36]), “wherein determining the estimate of the information security risk comprises determining a weighting value for each of the dimensional risk factors based on the computing services interaction information” (i.e., intelligence server Lim [Fig.5/item 510] receives information from report and analysis module to make a determination), “the weighting reflecting a relative importance of the dimensional risk factor to the estimate of the information security risk” (an analysis tool 504 interacts with the intelligence server 510 to perform data analysis which includes trend analysis, resource utilization analysis [Col.11/lines 36-38]), “and wherein determining the risk profile comprises calculating a weighted average of the dimensional risk factors.” (i.e., intelligence server Lim [Fig.5/item 510] receives information from report and analysis module to make a determination).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Hopen’s system to control security information in a computer network with Lim’s system to detect behavioral patterns and anomalies in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Hopen discloses a policy enforcing system, Lim teaches a system that includes an intelligence server for report and analysis, and both are from the same field of endeavor.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL D ANDERSON/Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433