DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/11/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 14-15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Regarding claim 14, the limitation “at least one evaluation rating metric” is recited in multiple lines. Claim 1 previously introduces “at least one evaluation rating metric” in lines 15-16; as a result, the limitation lacks proper antecedent basis.
Claim 15 is rejected because the terms “a system criteria of the system aspect”, “a system mode of the system aspect”, “an evaluation viewpoint of the at least one evaluation viewpoint” and “an evaluation perspective of the least one evaluation perspective” are each recited twice, which makes it unclear whether the repeated terms refer to the same thing.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application.  See 37 CFR 1.130(b).
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer.  A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp

Claims 1-20 are provisionally rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims 1-21 of copending Application No. 14/042325 [hereinafter ‘325 application] (see mapping below).
Claim mapping: each claim of 17/305,005 (instant application) below is followed by the corresponding claim of 17/247,705 (copending).


1. A method comprises:
determining, by an analysis system that includes one or more computing entities, a system aspect of an enterprise system for system information protection processes and procedures evaluation;

determining, by the analysis system, at least one evaluation perspective for use in performing the system information protection processes and procedures evaluation;
determining, by the analysis system, at least one evaluation viewpoint for use in performing the system information protection processes and procedures evaluation;

obtaining, by the analysis system, system information protection processes and procedures data regarding the system aspect in accordance with the system aspect, the at least one evaluation perspective and the at least one evaluation viewpoint; and
calculating, by the analysis system, an information protection processes and procedures rating regarding the information protection processes and procedures for the system aspect based on the system information protection processes and procedures data, the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric.

1. A method comprises:
determining, by an analysis system that includes one or more computing entities, a system aspect of an enterprise system for a protection evaluation;


determining, by the analysis system, at least one evaluation perspective for use in performing the protection evaluation on the system aspect;

determining, by the analysis system, at least one evaluation viewpoint for use in performing the protection evaluation on the system aspect;


obtaining, by the analysis system, protection data regarding the system aspect in accordance with the at least one evaluation perspective and the at least one evaluation viewpoint; and


calculating, by the analysis system, a protection rating as a measure of protection maturity for the system aspect based on the protection data, the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric.

4. The method of claim 1, wherein determining the system aspect comprises:
determining at least one system element of the enterprise system;
determining at least one system criteria of the enterprise system;
determining at least one system mode of the enterprise system; and
determining the system aspect based on the at least one system element, the at least one system criteria, and the at least one system mode.

2. The method of claim 1, wherein the determining the system aspect comprises:
determining at least one system element of the enterprise system;
determining at least one system criteria of the enterprise system;
determining at least one system mode of the enterprise system; and
determining the system aspect based on the at least one system element, the at least one system criteria, and the at least one system mode.

5. The method of claim 4 further comprises:
a system element of the at least one system element includes an enterprise identifier, an organization identifier, a division identifier, a department identifier, a group identifier, a sub-group identifier, a device identifier, a software identifier, or an internet protocol address identifier;
a system criteria of the at least one system criteria being system guidelines, system requirements, system design, system build, or resulting system; and
a system mode of the at least one system mode being assets, system functions, or security functions.

3. The method of claim 2 further comprises:
a system element of the at least one system element includes an enterprise identifier, an organization identifier, a division identifier, a department identifier, a group identifier, a sub-group identifier, a device identifier, a software identifier, or an internet protocol address identifier;
a system criteria of the at least one system criteria being system guidelines, system requirements, system design, system build, or resulting system; and
a system mode of the at least one system mode being assets, system functions, or security functions.

6. The method of claim 1 further wherein
an evaluation perspective of the at least one evaluation perspective being an understanding perspective, an implementation perspective, an operation perspective, or a self-analysis perspective.

4. The method of claim 1 further comprises:
an evaluation perspective of the at least one evaluation perspective being an understanding perspective, an implementation perspective, an operation perspective, or a self-analysis perspective.

7. The method of claim 1 wherein the at least one evaluation viewpoint comprises at least one a disclosed viewpoint, a discovered viewpoint, or a desired viewpoint.

5. The method of claim 1 further comprises:
an evaluation viewpoint of the at least one evaluation viewpoint being a disclosed viewpoint, a discovered viewpoint, or a desired viewpoint.

8. The method of claim 1 wherein the at least one evaluation rating metric comprises at least one of a process rating metric, a policy rating metric, a procedure rating metric, a certification rating metric, a documentation rating metric, or an automation rating metric.

6. The method of claim 1 further comprises:
an evaluation rating metric of the at least one evaluation rating metric being a process rating metric, a policy rating metric, a procedure rating metric, a certification rating, a documentation rating metric, or an automation rating metric.

9. The method of claim 1, wherein obtaining the system information protection processes and procedures data comprises:
determining data gathering parameters regarding the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric;
identifying system elements of the system aspect based on the data gathering parameters;
obtaining system information protection processes and procedures information from the system elements in accordance with the data gathering parameters; and
recording the system information protection processes and procedures information from the system elements to produce the system information protection processes and procedures data.

7. The method of claim 1, wherein the obtaining the protection data comprises:

determining data gathering parameters regarding the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and the least one evaluation rating metric;
identifying system elements of the system aspect based on the data gathering parameters;
obtaining protection information from the system elements in accordance with the data gathering parameters; and

recording the protection information from the system elements to produce the protection data.

10. The method of claim 9, wherein determining the data gathering parameters comprises:
for the system aspect, ascertaining identity of at least one system element of the enterprise system; and
for the at least one system element:
determining a first data gathering parameter of the data gathering parameters based on at least one system criteria of the system aspect;
determining a second data gathering parameter of the data gathering parameters based on at least one system mode of the system aspect;
determining a third data gathering parameter of the data gathering parameters based on the at least one evaluation perspective;
determining a fourth data gathering parameter of the data gathering parameters based on the at least one evaluation viewpoint; and
determining a fifth data gathering parameter of the data gathering parameters based on the at least one evaluation rating metric.

8. The method of claim 7, wherein the determining the data gathering parameters comprises:
for the system aspect, ascertaining identity of at least one system element of the enterprise system; and
for the at least one system element:
determining a first data gathering parameter of the data gather parameters based on at least one system criteria of the system aspect;
determining a second data gathering parameter of the data gather parameters based on at least one system mode of the system aspect;
determining a third data gathering parameter of the data gather parameters based on the at least one evaluation perspective;
determining a fourth data gathering parameter of the data gather parameters based on the at least one evaluation viewpoint; and
determining a fifth data gathering parameter of the data gather parameters based on the at least one evaluation rating metric.

11. The method of claim 9, wherein identifying the system elements comprises:
activating at least one detection tool based on the system aspect;
when the at least one detection tool identifies a potential system element, determining whether the potential system element is already identified as being a part of the system aspect;
when the potential system element is not identified as being a part of the system aspect, determining whether the potential system element is cataloged as being a part of the enterprise system; and
when the potential system element is cataloged as being a part of the enterprise system, adding the potential system element as a part of the system aspect.

9. The method of claim 7, wherein the identifying the system elements comprises:
activating at least one detection tool based on the system aspect;
when the at least one detection tool identifies a potential system element, determining whether the potential system element is already identified as being a part of the system aspect;
when the potential system element is not identified as being a part of the system aspect, determining whether the potential system element is cataloged as being a part of the enterprise system; and
when the potential system element is cataloged as being a part of the enterprise system, adding the potential system element as a part of the system aspect.

12. The method of claim 11 further comprises:
when the potential system element is not cataloged as being a part of the enterprise system:
obtaining data regarding the potential system element;
verifying the potential system element based on the data; and
when the potential system element is verified, adding the potential system element as a part of the system aspect.

10. The method of claim 9 further comprises:
when the potential system element is not cataloged as being a part of the enterprise system:
obtaining data regarding the potential system element;
verifying the potential system element based on the data; and
when the potential system element is verified, adding the potential system element as a part of the system aspect.

13. The method of claim 9, wherein the obtaining the system information protection processes and procedures information from a system element of the system elements comprises:
probing the system element in accordance with the data gathering parameters to obtain a system element data response;
identifying vendor information from the system element data response; and
tagging the system element data response with the vendor information.

11. The method of claim 7, wherein the obtaining the protection information from a system element of the system elements comprises:

probing the system element in accordance with the data gathering parameters to obtain a system element data response;
identifying vendor information from the system element data response; and
tagging the system element data response with the vendor information.

14. The method of claim 1, wherein the calculating the information protection processes and procedures rating comprises:
selecting and performing at least two of:
based on the system information protection processes and procedures data and process analysis parameters, generating a process rating in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric;
based on system information protection processes and procedures data and the processes analysis parameters, generating a policy rating for the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric;
based on the system information protection processes and procedures data and process analysis parameters, generating a documentation rating for the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric;
based on the system information protection processes and procedures data and automation analysis parameters, generating an automation rating for the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric;
based on the system information protection processes and procedures data and procedure analysis parameters, generating a procedure rating for the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric; and
based on the system information protection processes and procedures data and certification analysis parameters, generating a certification rating for the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric; and
generating the information protection processes and procedures rating based on the selected and performed at least two of the process rating, the policy rating, the documentation rating, the automation rating, the procedure rating, and the certification rating.

12. The method of claim 1, wherein the calculating the protection rating comprises:

selecting and performing at least two of:
based on the protection data and process analysis parameters, generating a process rating for the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric;
based on the protection data and policy analysis parameters, generating a policy rating for the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric;

based on the protection data and documentation analysis parameters, generating a documentation rating for the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric;

based on the protection data and automation analysis parameters, generating an automation rating for the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric;

based on the protection data and procedure analysis parameters, generating a procedure rating for the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric; and

based on the protection data and certification analysis parameters, generating a certification rating for the system aspect in accordance with the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric; and

generating the protection rating based on the selected and performed at least two of the process rating, the policy rating, the documentation rating, the automation rating, the procedure rating, and the certification rating.

15. The method of claim 14, wherein generating the information protection processes and procedures rating comprises:
generating a first information protection processes and procedures rating based on a first combination of a system criteria of the system aspect, of a system mode of the system aspect, of an evaluation perspective of the least one evaluation perspective, and of an evaluation viewpoint of the at least one evaluation viewpoint;
generating a second information protection processes and procedures rating based on a second combination of a system criteria of the system aspect, of a system mode of the system aspect, of an evaluation perspective of the at least one evaluation perspective, and of an evaluation viewpoint of the at least one evaluation viewpoint; and
generating the information protection processes and procedures rating based on the first and second information protection processes and procedures ratings.

13. The method of claim 12, where the generating the process rating comprises:

generating a first process rating based on a first combination of a system criteria of the system aspect, of a system mode of the system aspect, of an evaluation perspective of the least one evaluation perspective, and of an evaluation viewpoint of the at least one evaluation viewpoint;
generating a second process rating based on a second combination of a system criteria of the system aspect, of a system mode of the system aspect, of an evaluation perspective of the least one evaluation perspective, and of an evaluation viewpoint of the at least one evaluation viewpoint; and


generating the process rating based on the first and second process ratings.

16. The method of claim 1 further comprises at least one of:
determining, by the analysis system, a system criteria deficiency of the system aspect based on the system information protection processes and procedures data;
determining, by the analysis system, a system mode deficiency of the system aspect based on the system information protection processes and procedures data;
determining, by the analysis system, an evaluation perspective deficiency of the system aspect based on the system information protection processes and procedures data; and
determining, by the analysis system, an evaluation viewpoint deficiency of the system aspect based on the system information protection processes and procedures data.

14. The method of claim 1 further comprises at least one of:
determining, by the analysis system, a system criteria deficiency of the system aspect based on the protection rating and the protection data;

determining, by the analysis system, a system mode deficiency of the system aspect based on the protection rating and the protection data;

determining, by the analysis system, an evaluation perspective deficiency of the system aspect based on the protection rating and the protection data; and

determining, by the analysis system, an evaluation viewpoint deficiency of the system aspect based on the protection rating and the protection data.

17. The method of claim 1 further comprises:
determining, by the analysis system, a deficiency of the enterprise system based on the system information protection processes and procedures rating and the system information protection processes and procedures data;
determining, by the analysis system, whether the deficiency is auto-correctable; and
when the deficiency is auto-correctable, auto-correcting, by the analysis system, the deficiency.

15. The method of claim 1 further comprises:
determining, by the analysis system, a deficiency of the system aspect based on the protection rating and the protection data;


determining, by the analysis system, whether the deficiency is auto-correctable; and
when the deficiency is auto-correctable, auto-correcting, by the analysis system, the deficiency.

18,21-28
16-22 and 29-30



Although the conflicting claims are not identical, they are not patentably distinct from each other because the steps recited in claim 1 of the instant application are encompassed by steps recited in claims 1 and 2 of the copending application. The difference is that claim 1 of the instant application is for “system information protection processes and procedures evaluation” while claim 1 of the copending application is for “a protection evaluation”, with no functional difference. It is clear that the scope of claim 1 of the instant application is encompassed by steps recited in claim 1 of the copending application. Therefore, claim 1 of the instant application and claim 1 of the copending application are not patentably distinct from each other.
As per independent claims 18 and 16, they are also directed to the same subject matter recited in claim 1 above. Accordingly, they are provisionally rejected under the judicially created doctrine of obviousness-type double patenting.
This is a provisional obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-8, 16, 18-25 and 27 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Bennett et al. (Pub. No.: US 2010/0275263, hereinafter Bennett).
Regarding claim 1: Bennett discloses A method comprises:
determining, by an analysis system that includes one or more computing entities, a system aspect of an enterprise system for system information protection processes and procedures evaluation (Bennett - [0087]: In the controls analysis step the user selects any number of security assessments (i.e., assessment projects) from the assessment module to include in the risk analysis);
determining, by the analysis system, at least one evaluation perspective for use in performing the system information protection processes and procedures evaluation (Bennett - [0088]: This control analysis step establishes the scope of the risk analysis); 
determining, by the analysis system, at least one evaluation viewpoint for use in performing the system information protection processes and procedures evaluation (Bennett - [0088]: the relationship between the assets involved, the involved assets' classification, and the assessment control scores related to the involved assets);
obtaining, by the analysis system, system information protection processes and procedures data regarding the system aspect in accordance with the system aspect, the at least one evaluation perspective and the at least one evaluation viewpoint (Bennett - [0089]: In the vulnerability analysis step, the user selects a set of technical scans from a list of technical scans. In a specific implementation, the system displays the technical scans associated with the involved or selected assets); and
calculating, by the analysis system, information protection processes and procedures rating regarding the information protection processes and procedures for the system aspect based on the system information protection processes and procedures data, the at least one evaluation perspective, the at least one evaluation viewpoint, and at least one evaluation rating metric (Bennett - [0092]: in the likelihood determination step, the system maps the assessment results (e.g., assessment of controls based on CoBIT or other standards) against the severity of the technical scans (e.g., Qualys vulnerabilities) to determine a likelihood score or measurement. [0091]: Likelihood is defined as the probability of an event or occurrence (e.g., the probability of an adverse event)). 
Regarding claim 2: Bennett discloses wherein the system information protection processes and procedures data comprises data relating to at least one of: baseline configuration IT/industrial controls establishment and management; system life cycle management; configuration control processes establishment; information backup implementation; policy & regulations for physical operation environment establishment; protection processes improvements; communication regarding effective protection technologies; response and recovery plans; cybersecurity in human resources; or vulnerability management plans (Bennett - [0155]: Within the third portion of the screen, there is a standard score widget 616, a severity widget 618, and a likelihood level widget 620. Each of these widgets includes an edit button for the user to adjust or change the information in the widget, i.e., change the likelihood configuration options. When the information in the widget is changed the risk level matrix is updated to reflect the change).
Regarding claim 3: Bennett discloses wherein the information protection processes and procedures rating regarding the information protection processes and procedures of the enterprise system, or portion thereof, is based on at least one of: system information protection processes and procedures information; system information protection processes and procedures data; system information protection processes and procedures processes; system information protection processes and procedures policies; system information protection processes and procedures documentation; or system information protection processes and procedures automation (Bennett - [0117]: The user evaluates the current security procedures used to protect the server. The evaluation is performed by comparing the procedures outlined in a specific standard with the current procedures).
Regarding claim 4: Bennett discloses wherein the determining the system aspect comprises:
determining at least one system element of the enterprise system (Bennett - [0079]: Input or collection of asset information);
determining at least one system criteria of the enterprise system (Bennett - [0125]: parameters than can be edited include … regulatory requirements, threats, activities, and the like);
determining at least one system mode of the enterprise system (Bennett - [0086]: For example, the user can select any number of specific business units, subnets, assets, or combinations of these to include in a risk analysis); and
determining the system aspect based on the at least one system element, the at least one system criteria, and the at least one system mode (Bennett - [0086]: The user can select a subset of information from the asset module to include in the risk analysis. For example, the user can select any number of specific business units, subnets, assets, or combinations of these to include in a risk analysis).
Regarding claim 5: Bennett discloses further comprises:
a system element of the at least one system element includes an enterprise identifier, an organization identifier, a division identifier, a department identifier, a group identifier, a sub-group identifier, a device identifier, a software identifier, or an internet protocol address identifier (Bennett - [0075]: an asset is defined by identifying its host name, IP address, location (e.g., geographical location), asset type, business unit);
a system criteria of the at least one system criteria being system guidelines, system requirements, system design, system build, or resulting system (Bennett - [0125]: parameters than can be edited include … regulatory requirements, threats, activities, and the like); and
a system mode of the at least one system mode being assets, system functions, or security functions (Bennett - [0086]: For example, the user can select any number of specific business units, subnets, assets, or combinations of these to include in a risk analysis).
Regarding claim 6: Bennett discloses further comprises:
an evaluation perspective of the at least one evaluation perspective being an understanding perspective, an implementation perspective, an operation perspective, or a self-analysis perspective (Bennett - [0088]: This control analysis step establishes the scope of the risk analysis).
Regarding claim 7: Bennett discloses further comprises:
an evaluation viewpoint of the at least one evaluation viewpoint being a disclosed viewpoint, a discovered viewpoint, or a desired viewpoint (Bennett - [0088]: the relationship between the assets involved, the involved assets' classification, and the assessment control scores related to the involved assets).
Regarding claim 8: Bennett discloses further comprises:
an evaluation rating metric of the at least one evaluation rating metric being a process rating metric, a policy rating metric, a procedure rating metric, a certification rating, a documentation rating metric, or an automation rating metric (Bennett - [0100]: Metrics includes tools to gather the business metrics (e.g., cost, time spent) and security metrics (e.g., number of vulnerabilities, risk calculations) from the asset. See also [0101]).
Regarding claim 16: Bennett discloses further comprises at least one of:
determining, by the analysis system, a system criteria deficiency of the system aspect based on the system information protection processes and procedures data;
determining, by the analysis system, a system mode deficiency of the system aspect based on the system information protection processes and procedures data;
determining, by the analysis system, an evaluation perspective deficiency of the system aspect based on the system information protection processes and procedures data; and
determining, by the analysis system, an evaluation viewpoint deficiency of the system aspect based on the system information protection processes and procedures data (Bennett - [0119]: the likelihood is determined based on a vulnerability scan. The vulnerability scan is used to detect potential vulnerabilities of the server).
Regarding claims 18, 21-25 and 27: Claims are directed to computer readable medium claims and do not teach or further define over the limitations recited in claims 1, 4-8 and 16. Therefore, claims 18, 21-25 and 27 are also rejected for similar reasons set forth in claims 1, 4-8 and 16. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 17 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Bennett et al. (Pub. No.: US 2010/0275263, hereinafter Bennett) in view of Ramasamy et al. (Pub. No.: US 2021/0173935).
Regarding claims 17 and 28: Bennett discloses further comprises:
determining, by the analysis system, a deficiency of the enterprise system based on the system information protection processes and procedures rating and the system information protection processes and procedures data (Bennett - [0098]: In the risk determination step, the system determines the risk score per asset and averages them by business unit for an overall risk ranking. The risk score is calculated by multiplying the likelihood and impact scores (i.e., risk=impact×likelihood). Thus, risk is measured with respect to the impact of an event and the likelihood of the event);
However, Bennett doesn’t explicitly teach, but Ramasamy discloses:
determining, by the analysis system, whether the deficiency is auto-correctable (Ramasamy - [0036]: the auto correction engine 102 may analyze scan results 116 for a container image 111 and update the image 111 based on the scan results 116); and
when the deficiency is auto-correctable, auto-correcting, by the analysis system, the deficiency (Ramasamy - [0036]: That initial container 113 may be modified to rectify security vulnerabilities 112 identified in the scan results 116).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Bennett with Ramasamy so that security vulnerabilities are auto-corrected when the result is analyzed. The modification would have allowed the system to enhance security.

Allowable Subject Matter
Claims 9-15 and 26 are objected to as being dependent upon a rejected base claim, but would be allowable if the 112b rejection, set forth in this Office action, is overcome and if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Park et al. (Pub. No.: US 2017/0331839) - CYBER-SECURITY PRESENCE MONITORING AND ASSESSMENT
Norrman et al. (Patent No.: US 10,592,938) - System And Methods For Vulnerability Assessment And Provisioning Of Related Services And Products For Efficient Risk Suppression
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437