DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
Claims 1, 5, 7-8, 10-11 are pending.  Claims 2-4, 6, 9 are cancelled.

Claim Objections
Claim 8 is objected to because of the following informalities: 
Claim 8 depends on claim 6, which has been cancelled.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 5, 7, 10-11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wu et al (PGPUB 2022/0050828), and further in view of Binkley et al (PGPUB 2020/0110894) and Ganor (PGPUB 2018/0375892).

Regarding Claim 1:
Wu teaches a computerized method for implementing risk discovery with a set of unified security and privacy policies in a cloud-computing platform (abstract, method for asset discovery, data classification, risk evaluation, and data/device security; paragraph 48, cloud server), comprising: 
with at least one processor (paragraph 5, processor):
discovering a set of data and a set of data accesses within an enterprise computing system comprising the cloud-computing platform (paragraph 52, asset discovery manager 135 retrieving data stored at one or more remote locations, summarizing the retrieved data at the one or more remote locations, and transferring the summarized data from the one or more remote locations to one or more computing devices; paragraph 59, data summarization 305 may include identifying detailed cloud data storage file access activities; paragraph 46, enterprise data); 
classifying the set of discovered data and the set of data accesses with an identification that shows which of the data assets are important or critical for the enterprise by (paragraph 37, techniques include and implement advanced machine learning techniques to perform automatic data classification, finding the most probable data type related with each asset without any software agent or human manual inspection; paragraph 55, ML engine module 210 may classify, based on the processing of the transferred data, data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups): 
determining which of the set of discovered data and the set of data accesses have or are associated with sensitive information (paragraph 55, data input module 205 may retrieve data stored at one or more remote locations, summarize the retrieved data at the one or more remote locations, and transfer the summarized data from the one or more remote locations to a computing device (e.g., device 105, or server 110, or database 115, or a network device of network 120, or any combination thereof); discovering the assets includes discovering known assets and unknown assets; ML engine module 210 may classify, based on the processing of the transferred data, data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups; paragraph 79, data classifications for datasets associated with a given user and/or datasets associated with a given asset may include Public/Unknown, Private/Restricted, Confidential, and Highly Confidential), 
placing the set of discovered data and the set of data accesses that are associated with sensitive information into a set of discovered information about the infrastructure (paragraph 59, data summarization 305 may include identifying detailed cloud data storage file access activities; paragraph 55, data input module 205 transfers the summarized data from the one or more remote locations to a computing device; ML engine module 210 may classify, based on the processing of the transferred data, data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups; paragraph 79, data classifications for datasets associated with a given user and/or datasets associated with a given asset may include Public/Unknown, Private/Restricted, Confidential, and Highly Confidential), 
determining which of the set of discovered data and the set of data accesses are relevant in the context of a specified governmental data privacy regulation (paragraph 39, techniques allow compliance with GDPR, CCPA; paragraph 57, Table 1, types of data includes health insurance portability and accountability database (i.e. HIPAA); paragraph 72, model interference 435 may use department information to infer a server's data type/classification; when over 50% of the users on this server come from HR department (e.g., the highest user ratio), then model interference 435 may assign the server's data type as HR and data classification as Private; model inference 435 may apply a data type to the server based at least in part on the highest represented organization department; the data type applied to the server may be the organization department that determined to be the highest represented organization department; as per Table 1, data types include HIPAA database), 
placing the set of discovered data and the set of data accesses that are relevant in the context of a specified governmental data privacy regulation into the set of discovered information about the infrastructure (paragraph 55, data input module 205 transfers the summarized data from the one or more remote locations to a computing device; paragraph 72, model inference 435 may apply a data type to the server based at least in part on the highest represented organization department); and 
with the set of discovered information about the infrastructure, mapping the set of discovered information about the infrastructure to a set of deterministic dimensions (paragraph 55, data input module 205 transfers the summarized data from the one or more remote locations to a computing device; ML engine module 210 may classify, based on the processing of the transferred data, data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups; paragraph 79, data classifications for datasets associated with a given user and/or datasets associated with a given asset may include Public/Unknown, Private/Restricted, Confidential, and Highly Confidential; predetermined set of data classification options can be seen as at least one deterministic dimension, thereby comprising a set); and
wherein a deterministic dimension represents a policy or an intent of the enterprise (EXAMINER’S NOTE: broadest reasonable interpretation of “intent of the enterprise” can include tasks or processes which the enterprise means to happen; this would include deliberately classifying data into datasets by a machine learning engine could therefore be considered “intent”; paragraph 55, data input module 205 transfers the summarized data from the one or more remote locations to a computing device; ML engine module 210 may classify, based on the processing of the transferred data, data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups; paragraph 79, predetermined set of data classification options can be seen as at least one deterministic dimension, thereby comprising a set, which represents “intent” of the enterprise).
Wu does not explicitly teach the method, further comprising: 
enabling the enterprise to select a subset of deterministic dimensions from the set deterministic dimensions to represent a policy or intent;
providing an Open Policy Agent (OPA) as a general-purpose policy engine that implements a set of authorization and admission control to data filtering operations based on the selected subset of deterministic dimensions; and
generating a unified privacy and security OPA policy, wherein the unified privacy and security OPA policy assists enterprises to maintain a desired posture with respect to the specified governmental regulations.
However, Binkley teaches the concept of a method comprising:
enabling an enterprise to select a subset of deterministic dimensions from a set deterministic dimensions to represent a policy or intent (paragraph 18, apparatus is further configured to receive, using the processing circuitry, one or more data attributes (i.e. “deterministic dimensions”) associated with the dataset from a metadata repository; receive, using the processing circuitry, one or more data attribute protection policies associated with the one or more data attributes; and enforce, using the processing circuitry, the one or more data attribute protection policies associated with the one or more data attributes by transmitting the one or more data attribute protection policies to a data protection system);
providing an Open Policy Agent (OPA) as a general-purpose policy engine that implements a set of authorization and admission control to data filtering operations based on the selected subset of deterministic dimensions (paragraph 154, the asset integrates with a data protection system, for example the data protection system 106, for authorization; in this regard, in some such embodiments, the data protection system 106 functions as the enforcement point with regard to such authorization; the data protection system 106 may be configured to retrieve and/or otherwise receive data attribute protection policies and/or individual data permissions of use information for use in determining whether to provide authorization); and
generating a unified privacy and security OPA policy, wherein the unified privacy and security OPA policy assists enterprises to maintain a desired posture with respect to specified governmental regulations (paragraph 161, exemplary operations performed by apparatus 200 for enforcing attribute protection policies in accordance with some example embodiments; at operation 902, the apparatus 200 includes means, such as communications circuitry 210, input/output circuitry 212, or the like, for receiving one or more data attributes associated with the dataset from the metadata repository 102B; the data attributes are attribute classifications associated with the dataset; example attributes may be associated with PHI and/or specific sensitive data to be accessible based on policies and/or permissions; in one such example context, example attributes indicate: whether the dataset include social security numbers, whether the dataset include health insurance claim numbers, whether the dataset include biometric identifiers, whether the dataset include genomic data, whether the dataset include names, or whether the dataset include Medicare beneficiary identifiers; paragraph 106, indicator represents whether the dataset associated with the dataset identifier and/or the volume associated with the volume identifier includes Personal Identifiable Information or Protected Health Information under the definition of Health Insurance Portability and Accountability Act (HIPAA)).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the policy based on set of deterministic dimensions teachings of Binkley with the system implementing risk discovery teachings of Wu, in order to provide an enterprise the means to adapt a policy over any type or number of attributes associated with a quantity of data, thereby providing security and access according to the needs of an enterprise at a particular time, and allowing compliance with associated data regulations and preventing accidental disclosure of sensitive materials.
Neither Wu nor Binkley explicitly teaches the method, further comprising: 
generating a Risk criticality (RC) graph based on the subset of deterministic dimensions, and wherein the RC graph quantifies a risk of a service or a data being subject to a cyber attack.
However, Ganor teaches the concept of a method, comprising:
generating a Risk criticality (RC) graph based on a subset of deterministic dimensions (paragraph 65, ECRP system 130 may obtain asset exposure information for peers in the same/similar type of business from multiple sources using, for example, profiling logic/mechanisms associated with identifying similar types of businesses; paragraph 66, assets exposure area 462 provides a bar graph illustrating a percentage risk exposure for various asset types, such as customers' data, internal human resources (HR) data, financial data, upcoming campaigns, production formulas, enterprise resource planning (ERP) datacenter), and
wherein the RC graph quantifies a risk of a service or a data being subject to a cyber attack (paragraph 39, ECRP system 130 tests the enterprise's browsing security controls and/or policies by simulating access to malicious websites, by downloading various types of files from the web, checking what happens with encrypted traffic, and non-standard traffic/ports, etc; ECRP system 130 determines which attacks succeed to determine risk levels in the various scenarios; paragraph 66, assets exposure area 462 provides a bar graph illustrating a percentage risk exposure for various asset types, such as customers' data, internal human resources (HR) data, financial data, upcoming campaigns, production formulas, enterprise resource planning (ERP) datacenter).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the risk criticality graph teachings of Ganor with the system implementing risk discovery teachings of Wu, in order to provide a simple visual means of allowing a user or administrator to visually evaluate risk across a wide range of enterprise assets, giving said user or administrator the ability to rapidly determine which assets were secure and which were not, and focus security and remediation efforts on high impact assets, thereby improving efficiency and enterprise security.

Regarding Claim 5:
Wu in view of Binkley and Ganor teaches the computerized method of claim 1.  In addition, Binkley teaches wherein there are thirty-two (32) deterministic dimensions (paragraph 54, the term “data attributes” refers to one or more items of data representative of one or more classifications associated with secured data in an asset repository; data attributes may be generated by a metadata source based on various sources of truth for attribute classifications; use of the phrase “one or more” implies an overlapping range with the claimed 32 deterministic dimensions (i.e. “attributes”); therefore, Binkley teaches a configuration in which 32 attributes are present).
The rationale to combine Wu and Binkley is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 5.

Regarding Claim 7:
Wu in view of Binkley and Ganor teaches the computerized method of claim 1.  In addition, Ganor teaches wherein the governmental regulation comprises the General Data Protection Regulation (GDPR) (paragraph 79, security policy and procedures logic 320 may obtain security policies and security controls, such as policies associated with particular security standards (e.g., ISO27001, PCI, NIST, GDPR), policies associated with various assets/systems used by enterprise security teams, etc., from other systems/devices (not shown in FIG. 3) and store the security policies).
The rationale to combine Wu and Ganor is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 7.

Regarding Claim 10:
Wu in view of Binkley and Ganor teaches the computerized method of claim 1.  In addition, Wu teaches wherein a deterministic dimension has a cardinality of fixed attributes (paragraph 79, data classifications for datasets associated with a given user and/or datasets associated with a given asset may include Public/Unknown, Private/Restricted, Confidential, and Highly Confidential; predetermined set of data classification options can be seen as at least one deterministic dimension, thereby comprising a set).

Regarding Claim 11:
Wu in view of Binkley and Ganor teaches the computerized method of claim 10.  In addition, Wu teaches wherein an intent expressed by a specified set of deterministic dimensions is pre-defined (paragraph 52, described techniques include asset discovery manager 135 performing a security action to protect data that resides on an asset of the discovered assets based at least in part on a confidentiality group to which the data on the asset is classified and a calculated risk score of the asset or a calculated risk score of a user of the asset, or both).

Claim(s) 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wu in view of Binkley and Ganor, and further in view of Parthasarathy (PGPUB 2020/0057864).

Regarding Claim 8:
Wu in view of Binkley and Ganor teaches the computerized method of claim 6.
Neither Wu nor Binkley nor Ganor explicitly teaches, wherein the governmental regulation comprises the California Consumer Privacy Act (CCPA).
However, Parthasarathy teaches the concept wherein a governmental regulation comprises the California Consumer Privacy Act (CCPA) (abstract, sensitive data discovery engine; paragraph 122, the SDDE 1601 allows flagging of sensitive data in source systems of an organization and subsequent use of the discovery metadata for data governance initiatives within the organization; similarly, the SDDE 1601 assists in enforcing new regulations, for example, the California Consumer Privacy Act, passed after the GDPR).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the CCPA compliance teachings of Parthasarathy with the system implementing risk discovery teachings of Wu in view of Binkley and Ganor, with the benefit of allowing the system to obtain compliance with additional regulations, thereby allowing the system to operate in regions which would otherwise be inaccessible due to a lack of regulatory compliance.

Conclusion
Response to Arguments
Applicant's arguments filed 11/28/2022 have been fully considered but they are not persuasive. 

Regarding the rejection of claims under 35 USC 112:
Applicant’s amendments have overcome the previous 35 USC 112 rejection, which is therefore withdrawn.

Regarding the rejection of claims under 35 USC 101:
Applicant’s amendments have overcome the previous 35 USC 101 rejection, which is therefore withdrawn.

Regarding the rejection of claims under 35 USC 102/103:
Applicant’s arguments, page 6, consist of the mere assertion that the cited prior art references fail to teach the limitations of the claim as amended.  However, Examiner disagrees: Wu teaches classifying data into confidentiality groups using a machine learning engine (paragraph 55).  This can be seen as the “intent” of the enterprise.  Therefore, the resulting classification categories can be seen as deterministic dimensions which represent said “intent” (paragraph 79). 
	Applicant further argues that the dependent claims are allowable due to depending on an allowable independent claim.  However, as shown above, the independent claims are not allowable.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FORREST L CAREY/Examiner, Art Unit 2491                                                                                                                                                                                                        

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491