
AU2014280991B2 - System for analyzing security compliance requirements - Google Patents

System for analyzing security compliance requirements

Info

Publication number: AU2014280991B2
Authority: AU (Australia)
Prior art keywords: database; configuration control; control requirements; requirements; questions
Legal status: Ceased (status as listed by Google Patents, not a legal conclusion)
Application number: AU2014280991A
Other versions: AU2014280991A1 (en)
Inventors: Paul M. Barsamian, Stirling T. Goetz, Patrick J. Joyce, Richard B. Levine
Current assignee: Accenture Global Services Ltd (assignee list as given by Google Patents, not verified)
Original assignee: Accenture Global Services Ltd
Priority claimed from: AU2013201034A (AU2013201034A1)
Application filed by: Accenture Global Services Ltd
Events: publication of AU2014280991A1; application granted; publication of AU2014280991B2; ceased (current legal status); anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

A system for analyzing security compliance requirements analyzes a linked database that includes data from the Unified Compliance Framework™. The system generates a tiered question structure to obtain information about a particular business offering, wherein questions of a particular tier are based on answers to questions of a preceding tier. Based on the information, the system generates a query and submits it to the linked database. The query results provide a list of security compliance requirements, leading practices, and/or regulations applicable to the business offering.

Description

SYSTEM FOR ANALYZING SECURITY COMPLIANCE REQUIREMENTS

BACKGROUND OF THE INVENTION

1. Technical Field

[0001] This application relates to security compliance. In particular, it relates to a system for building a security compliance framework customized to a business offering.

2. Related Art

[0002] The Unified Compliance Framework™ (UCF) is a compliance database that harmonizes controls from hundreds of international regulatory requirements, standards, and guidelines (such as HIPAA, ISO 17799, PCI, FDA, SOX, etc.) into a single hierarchical framework. Each of these regulations publishes a list of standards or controls that affected companies must comply with. These lists (also referred to as "authority documents") contain thousands of statements describing how information should be protected, monitored, or presented. Accurately determining which of the hundreds of requirements, standards, and guidelines in the UCF apply to a particular business offering can be challenging and time consuming.
SUMMARY OF THE INVENTION

[0003] In one aspect, the present invention provides a product including a memory and instructions stored in the memory that, when executed, cause a computer processor to: obtain preliminary data from a user defining a business offering and at least one geographic region associated with the business offering; generate a multi-tiered question set based on the preliminary data, including generating a custom set of first tier questions customized to the at least one geographic region associated with the business offering based on the preliminary data and obtaining a set of answers in response to the custom set of first tier questions from the user, generating a first database query based on the set of answers to the custom set of first tier questions from the user, querying a database based on the generated first database query, wherein the database returns security compliance requirements information, and generating a custom set of second tier questions customized to the set of answers to the custom set of first tier questions and obtaining a set of answers to the custom set of second tier questions; generate a second database query based on the preliminary data and the sets of answers to the custom set of first tier questions and the custom set of second tier questions; query the database based on the generated second database query; obtain from the queried database, in response to the second database query, a set of configuration control requirements imported from a unified compliance framework (UCF) database and tailored to the business offering, wherein the queried database includes the set of configuration control requirements, authority documents and the authority documents' citations, wherein the UCF database includes the set of configuration control requirements and other configuration control requirements, and wherein the set of configuration control requirements and the other configuration control requirements include behavioral and/or procedural requirements for the business offering and other business offerings, respectively; provide the results to the user; and automatically integrate the other configuration control requirements from the UCF database with the queried database by importing, through a communications interface, a UCF file including the other configuration control requirements, wherein the other configuration control requirements include new configuration control requirements, identifying a file type of the UCF file from multiple file types including a compressed file type and an uncompressed file type, and, when the file type of the UCF file is a compressed file type, extracting the other configuration control requirements from the UCF file, identifying the new configuration control requirements by comparing the other configuration control requirements with the authority documents and the authority documents' citations in the queried database and determining that the new configuration control requirements are not identified by the authority documents and the authority documents' citations, and inserting the new configuration control requirements into the queried database.

[0004] In another aspect, the present invention provides a system for security compliance and analysis requirements building, including a computer processor and a memory connected with the processor, the memory including instructions that, when executed, cause the computer processor to: obtain preliminary data from a user defining a business offering and at least one geographic region associated with the business offering; generate a multi-tiered question set based on the preliminary data, including generating a custom set of first tier questions customized to the at least one geographic region associated with the business offering based on the preliminary data and obtaining a set of answers to the custom set of first tier questions from the user, generating a first database query based on the set of answers to the custom set of first tier questions from the user, querying a database based on the generated first database query and obtaining security compliance requirements information as a result of the query, and generating a custom set of second tier questions customized to the set of answers to the custom set of first tier questions and obtaining a set of answers to the custom set of second tier questions; generate a second database query based on the preliminary data and the sets of answers to the custom set of first tier questions and the custom set of second tier questions; query the database based on the generated second database query; obtain from the queried database, in response to the second database query, a set of configuration control requirements imported from a unified compliance framework (UCF) database that are tailored to the business offering, wherein the queried database includes the set of configuration control requirements, authority documents and the authority documents' citations, wherein the UCF database includes the set of configuration control requirements and other configuration control requirements, and wherein the set of configuration control requirements and the other configuration control requirements include behavioral and/or procedural requirements for the business offering and other business offerings, respectively; provide the results to the user; and automatically integrate the other configuration control requirements from the UCF database with the queried database by importing, through a communications interface, a UCF file including the other configuration control requirements, wherein the other configuration control requirements include new configuration control requirements, identifying a file type of the UCF file from multiple file types including a compressed file type and an uncompressed file type, and, when the file type of the UCF file is a compressed file type, extracting the other configuration control requirements from the UCF file, identifying the new configuration control requirements by comparing the other configuration control requirements with the authority documents and the authority documents' citations in the queried database and determining that the new configuration control requirements are not identified by the authority documents and the authority documents' citations, and inserting the new configuration control requirements into the queried database.

[0005] In yet another aspect, the present invention provides a computer-implemented method for security compliance and analysis requirements building, including: obtaining preliminary data from a user defining a business offering and at least one geographic region associated with the business offering; generating, using a computer processor, a multi-tiered question set based on the preliminary data, including generating a custom set of first tier questions customized to the at least one geographic region associated with the business offering based on the preliminary data and obtaining a set of answers in response to the custom set of first tier questions from the user, generating a first database query based on the set of answers to the custom set of first tier questions from the user, querying a database based on the generated first database query and obtaining security compliance requirements information as an output, and generating a custom set of second tier questions customized to the set of answers to the custom set of first tier questions and obtaining a set of answers to the custom set of second tier questions, wherein the custom set of second tier questions is different for different sets of first tier questions; generating, using the computer processor, a second database query based on the preliminary data and the sets of answers to the custom set of first tier questions and the second tier questions; querying, using the computer processor, the database based on the generated second database query; obtaining from the queried database, in response to the second database query, a set of configuration control requirements imported from a unified compliance framework (UCF) database that are tailored to the business offering, wherein the queried database includes the set of configuration control requirements, authority documents and the authority documents' citations, wherein the UCF database includes the set of configuration control requirements and other configuration control requirements, and wherein the set of configuration control requirements and the other configuration control requirements include behavioral and/or procedural requirements for the business offering and other business offerings, respectively; transmitting the results to the user; and automatically integrating the other configuration control requirements from the UCF database with the queried database by importing, through a communications interface, a UCF file including the other configuration control requirements, wherein the other configuration control requirements include new configuration control requirements, identifying a file type of the UCF file from multiple file types including a compressed file type and an uncompressed file type, and, when the file type of the UCF file is a compressed file type, extracting the other configuration control requirements from the UCF file, identifying the new configuration control requirements by comparing the other configuration control requirements with the authority documents and the authority documents' citations in the queried database and determining that the new configuration control requirements are not identified by the authority documents and the authority documents' citations, and inserting the new configuration control requirements into the queried database.
BRIEF DESCRIPTION OF THE DRAWINGS

[0006] The system may be better understood with reference to the following drawings and description. The elements in the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the system. In the figures, like-referenced numerals designate corresponding features throughout the different views.

[0007] Figure 1 shows an example of a method and process flow by which a security compliance analysis system analyzes client data and derives the applicable industry-standard and/or regulatory security compliance requirements.

[0008] Figure 2 shows an example of a three-tiered architecture 200 used by a security compliance analysis system.

[0009] Figure 3 shows an example of table mapping in the SQL database server.

[0010] Figure 4 shows an example of a user interface rendered by a security compliance analysis system.

[0011] Figures 5-12 illustrate interfaces generated by a security compliance analysis system as part of the Create New Report option shown in Figure 4.

[0012] Figure 13 illustrates an interface generated by a security compliance analysis system as part of the Create New Report Using Expert Interface option shown in Figure 4.

[0013] Figure 14 illustrates an interface generated by a security compliance analysis system as part of the View My Reports option shown in Figure 4.

[0014] Figure 15 illustrates an interface generated by a security compliance analysis system as part of the Enter Admin Console option shown in Figure 4.

[0015] Figure 16 shows an example of the process flow for importing new UCF data into the SQL database.
[0016] Figures 17-27 illustrate additional interfaces generated by a security compliance analysis system as part of the Enter Admin Console option shown in Figure 4.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

[0017] Figure 1 shows an example of a method and process flow 100 by which a security compliance analysis system analyzes client data and derives the applicable industry-standard and/or regulatory security compliance requirements.

[0018] The system obtains scope selections 102 from a user that define the scope of a business offering (e.g., location and geography, line of business, etc.). Based on the scope selections, the system generates a custom set of questions to present to the user. The system generates a query 104 based on the scope selections and the answers to the custom set of questions. The query is submitted to a database 106 to extract the relevant security regulations, relevant leading practices, and other compliance requirements corresponding to the business offering. The database includes linked data imported from the UCF. The database may also include regulations that are internal to the business, linked with the UCF data. The system may use a SQL Server Reporting Services (SSRS) mechanism 108 to report the query results 110 to the user. In this manner, the system analyzes a business offering to determine the relevant industry and internal regulations, standards, and leading practices for that specific offering. The applicable data fetched from the database may be stored on a file system 110, or in intermediate storage, where authentication is required before a final report, such as a report in Excel format, is produced. For generated reports, the database may be integrated with a front-end UI.
[0019] The disclosed methods, processes, programs, and/or instructions may be encoded in a signal-bearing medium, a computer-readable medium such as a memory, programmed within a device such as on one or more integrated circuits, or processed by a controller or a computer processor. If the methods are performed by software, the software may reside in a memory resident to or interfaced to a communication interface, or any other type of non-volatile or volatile memory. The memory may include an ordered listing of executable instructions for implementing logical functions. A logical function may be implemented through digital circuitry, through source code, through analog circuitry, or through an analog source such as that occurring through an analog electrical, audio, or video signal. The software may be embodied in any computer-readable or signal-bearing medium, for use by, or in connection with, an instruction-executable system, apparatus, or device. Such a system may include a computer-based system, a processor-containing system, or another system that may selectively fetch instructions from an instruction-executable system, apparatus, or device that may also execute instructions.

[0020] Figure 2 shows an example of a three-tiered architecture 200 used by a security compliance analysis system. The architecture 200 includes a client tier 202, a server tier 204 and a data tier 206. An end user interacts with the security compliance analysis system through a web browser at the client tier 202. The client tier 202 sends user requests to the server tier 204 and receives responses from the server tier 204 through the web browser. The server tier 204 includes a web server (e.g., an IIS 7.0 web server) that, after receiving a request from the client tier 202 through the web browser, validates the request and processes a query to the data tier 206.
The server tier 204 may include a computer processor and memory that includes instructions or computer programs that, when executed, cause the computer processor to perform the operations of the system described herein. The server tier 204 obtains results from the data tier 206 and sends them to the client tier 202 for presentation to the end user. The server tier 204 may include one or more computer processors and one or more memories in communication with the one or more computer processors. The one or more memories include instructions and programs that, when executed, cause the computer processor to perform the functions of the security compliance analysis system described below, including rendering the webpages and interfaces described below.

[0021] The data tier 206 may include a SQL database server that executes the query received from the server tier 204 and/or procedures stored in the SQL database server, and that sends the results to the server tier 204. The data tier 206 stores data imported from the Unified Compliance Framework™ (UCF). The UCF data reflect information found in the hundreds of authority documents used to create the UCF.
[0022] Data from the UCF is populated into tables stored on the SQL database server with details of the authority documents and related control requirements. The UCF data, which is available in XML format, may be imported into the SQL database server using a batch file (.bat). The tables stored in the SQL database server include data related to authority documents, asset lists, citation lists, role lists, metric lists, etc. Using knowledge of the UCF data, the appropriate tables stored in the database are linked together.

[0023] Figure 3 shows an example of table mapping 300 in the SQL database server 206. In this example, the tables in the database are mapped in the following hierarchy: regions, countries/states, scope mapper, questions, regulations. Based on the scope selections (multi-regional/regional/leading practices) made by the user, a customized questionnaire is presented through the interface in custom data grids. The user's responses to the applicable questions are tracked in the database.

[0024] On selection of a specific region from the region list on the Client Regions page, region-specific questions and multi-regional questions are populated on two different pages of the user interface. On the user's response, each question is mapped to the corresponding regulation in the regulation table of the database.

[0025] The tables in the database include regions, countries, states, questionnaire, and regulations tables. When the user selects a particular region, the corresponding table(s) are retrieved from the database: the server tier runs a SQL query that selects all the countries of that region from the countries table, and on selecting a particular country, all the states of that country are populated from the states table.

[0026] The questionnaire table and the regulation table are mapped on the unique IDs corresponding to the imported UCF data.
Questions are displayed for the user to select a response to each question listed, in order to determine the set of applicable regulations. The analysis system may implement a decision-tree structure that links the questions with their possible answers, such that subsequent questions depend on the answer given. In this manner the system is able to define the business offering and home in on the relevant regulations, standards, requirements, leading practices, etc. among the large amount of UCF data.
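The following is an added example, not code from the patent or from Accenture's system, that carries the decision-tree questionnaire of paragraphs [0018] and [0023]-[0026] through to the regulation query. It uses Python with an in-memory SQLite database in place of the SQL Server data tier; the table layout (regions, regulations, questions, question_regulations), the column names, and every sample row and question are constructed for this example and are not the patent's tables or UCF data. The point worth noticing is that both the region list and the answers arrive from the browser, so every query is built with placeholders and the answers are validated before they reach the database; regulations flagged as deprecated (the 'D' records of the import process described later on this page) are filtered out of the result.

```python
"""Tiered questionnaire over a linked compliance database (added example).

Scope selections (regions) -> tier-1 questions -> tier-2 questions unlocked by
tier-1 answers -> one query that returns the applicable regulations.
Schema, rows and questions are constructed for this example (hypothetical).
"""
import sqlite3
from typing import Callable, Dict, List, Tuple

SCHEMA = """
CREATE TABLE regions (region_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE regulations (reg_id INTEGER PRIMARY KEY, ad_id TEXT NOT NULL,
                          name TEXT NOT NULL, deprecated INTEGER NOT NULL DEFAULT 0);
-- tier-1 rows are keyed by region (NULL = multi-regional); tier-2 rows by the
-- parent question and the answer that unlocks them (the decision-tree edge)
CREATE TABLE questions (q_id INTEGER PRIMARY KEY, tier INTEGER NOT NULL,
                        region_id INTEGER, parent_q_id INTEGER, parent_answer TEXT,
                        text TEXT NOT NULL);
CREATE TABLE question_regulations (q_id INTEGER NOT NULL, reg_id INTEGER NOT NULL);
"""

SAMPLE_ROWS = {  # constructed sample data, not UCF content
    "regions": [(1, "North America"), (2, "Europe")],
    "regulations": [
        (1, "AD-0001", "PCI DSS", 0),
        (2, "AD-0002", "HIPAA Security Rule", 0),
        (3, "AD-0003", "EU Data Protection Directive", 0),
        (4, "AD-0004", "Sarbanes-Oxley Act", 0),
        (5, "AD-0005", "PCI DSS stored cardholder data controls", 0),
        (6, "AD-0006", "Repealed state statute", 1),  # deprecated: never reported
    ],
    "questions": [
        (1, 1, 1, None, None, "Does the offering process payment card data?"),
        (2, 1, 1, None, None, "Does the offering handle US health information?"),
        (3, 1, 2, None, None, "Does the offering process personal data of EU residents?"),
        (4, 1, None, None, None, "Is the client publicly traded in the US?"),
        (5, 2, None, 1, "yes", "Are card numbers retained after authorization?"),
        (6, 2, None, 2, "yes", "Is health information sent to third parties?"),
    ],
    "question_regulations": [(1, 1), (2, 2), (3, 3), (4, 4), (4, 6), (5, 5), (6, 2)],
}


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():  # table names come from this file, not users
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def normalize_answer(answer: str) -> str:
    """Only the two radio-button values are accepted; blank means the default 'no'."""
    a = (answer or "no").strip().lower()
    if a not in ("yes", "no"):
        raise ValueError(f"answer must be yes or no, got {answer!r}")
    return a


def first_tier_questions(conn, region_ids: List[int]) -> List[Tuple[int, str]]:
    """Region-specific questions for the selected regions plus multi-regional ones."""
    marks = ",".join("?" * len(region_ids))  # one placeholder per region, never string-joined ids
    sql = ("SELECT q_id, text FROM questions WHERE tier = 1 "
           f"AND (region_id IN ({marks}) OR region_id IS NULL) ORDER BY q_id")
    return conn.execute(sql, [int(r) for r in region_ids]).fetchall()


def second_tier_questions(conn, answers: Dict[int, str]) -> List[Tuple[int, str]]:
    """Tier-2 questions whose (parent, answer) edge matches a tier-1 answer."""
    rows: List[Tuple[int, str]] = []
    for parent_id, answer in answers.items():
        rows += conn.execute("SELECT q_id, text FROM questions WHERE tier = 2 "
                             "AND parent_q_id = ? AND parent_answer = ?",
                             (parent_id, answer)).fetchall()
    return sorted(rows)


def applicable_regulations(conn, answers: Dict[int, str]) -> List[str]:
    """Final query: regulations linked to any 'yes' answer, deprecated ones suppressed."""
    yes_ids = [q for q, a in answers.items() if a == "yes"]
    if not yes_ids:
        return []
    marks = ",".join("?" * len(yes_ids))
    sql = ("SELECT DISTINCT r.name FROM regulations r "
           "JOIN question_regulations qr ON qr.reg_id = r.reg_id "
           f"WHERE qr.q_id IN ({marks}) AND r.deprecated = 0 ORDER BY r.name")
    return [name for (name,) in conn.execute(sql, yes_ids)]


def run_session(conn, region_ids: List[int],
                answer_fn: Callable[[int, str], str]) -> Dict[str, list]:
    """Drive both tiers; answer_fn stands in for the browser's Yes/No radio buttons."""
    answers: Dict[int, str] = {}
    tier1 = first_tier_questions(conn, region_ids)
    for q_id, text in tier1:
        answers[q_id] = normalize_answer(answer_fn(q_id, text))
    tier2 = second_tier_questions(conn, answers)  # depends on tier-1 answers only
    for q_id, text in tier2:
        answers[q_id] = normalize_answer(answer_fn(q_id, text))
    return {"tier1": [q for q, _ in tier1], "tier2": [q for q, _ in tier2],
            "regulations": applicable_regulations(conn, answers)}


if __name__ == "__main__":
    db = build_db()
    scripted = {1: "yes", 4: "yes", 5: "yes"}  # everything else left at the default 'no'
    print(run_session(db, [1], lambda q, _text: scripted.get(q, "no")))
```

run_session drives both tiers with a callback standing in for the 'Yes/No' radio buttons; answers not supplied default to 'no', matching the page's description of the form. Selecting only North America hides the Europe-specific question, answering 'yes' to the card-data question unlocks its tier-2 child, and the deprecated regulation linked to the SOX question never reaches the report.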
[0027] Returning to Figure 2, the tables stored in the SQL database server include authority document in-depth reports that provide comprehensive information about each of the individual authority documents tracked by the UCF. Each in-depth report provides an overview of the authority document, the types of controls (behavioral, procedural, configuration, etc.) and how the controls are mapped within the UCF. A complete list of the authority document's citations and citation guidance for the specific controls is referenced in the UCF. Authority documents and the corresponding reports are named in the database using the unique UCF authority document ID.

[0028] Based on scope selections obtained from the client tier 202 that define the scope of a business offering (e.g., location and geography, line of business, etc.), the server tier 204 generates a query and submits it to the data tier 206. Based on the query, the applicable regulations are identified from the tables in the database and provided to the client tier 202. As shown in Figure 2, communication between the client tier 202 and the server tier 204 may be over HTTP.

[0029] Figure 4 shows an example of a user interface 400 rendered by a system for analyzing security compliance requirements ("security compliance analysis system"). After logging in, a user may be presented with the following options: Create New Report 402; Create New Report Using Expert Interface 404; View My Reports 406; and Enter Admin Console 408.

[0030] The Create New Report 402 option is described below with respect to Figures 5-12. The Create New Report Using Expert Interface 404 option is described below with respect to Figure 13. The View My Reports 406 option is described below with respect to Figure 14. The Enter Admin Console 408 option is described below with respect to Figures 15-27.

[0031] A user that selects the 'Create New Report' option in the interface 400 may be presented with the interface shown in Figure 5.
The interface 500 includes fields in which the user enters contact information, project details and a description of the project engagement. After the user selects the 'Next' option, the security compliance analysis system presents a 'Client Regions' interface 600, shown in Figure 6, in which the user selects the client-operated locations across countries, locations and states. The interface 600 includes tabs for different regions of the world; however, different mechanisms may be employed to allow the user to select the client-operated locations.

[0032] After the applicable locations are selected and the user selects the 'Next' option, the security compliance analysis system presents a 'Region Specific Regulations' interface 700, shown in Figure 7. Based on the region selections made on the 'Client Regions' page, the system queries the SQL database to determine the applicable questions corresponding to the selected regions. These questions are rendered from the database to the 'Region Specific Regulations' interface 700. The user responds to the questionnaire using the 'Yes/No' radio buttons provided. By default, 'No' may be selected for all questions.

[0033] After the user responds to the questionnaire on the 'Region-Specific Regulations' interface 700, the security compliance analysis system presents a 'Leading Practices' interface 800, shown in Figure 8, for selecting leading practices that the user would like to include among the compliance requirements, such as NIST guidance, IT Service Continuity Management, Incident Response, Business Continuity, etc. The leading practices may be displayed in custom data grids with a collapse button to view the complete questions and 'Yes/No' radio buttons to respond.
The leading practices presented on the 'Leading Practices' interface 800 may be customized to the prior selections made by the user on the 'Client Regions' and 'Region-Specific Regulations' interfaces 600 and 700.

[0034] After the user selects the 'Submit' option at the bottom of the interface 800, the security compliance analysis system generates and presents a report page 900, shown in Figure 9, which includes a summarized report with the user details, project name and date, along with a report summary giving the total number of applicable regulations and internal business security offerings. The report page 900 includes expand/collapse grids listing the applicable regulations and internal business security offerings in detail. The system may also transmit a notification email or SMS message to the user that generated the report.

[0035] The report page 900 includes a 'Download Excel Report' button 902 which, if selected, generates a report including all of the applicable regulations and controls in Excel® format. While the security compliance analysis system is described as generating the report in Excel® format for the sake of explanation, it will be understood that it may generate reports in other spreadsheet and document formats.

[0036] The Excel® document may include two sheets: a report summary sheet and a detailed requirements sheet. Figure 10 shows the report summary sheet 1000 and Figure 11 shows the detailed requirements sheet 1100. The report summary sheet 1000 includes summary information such as the client and project name, primary contact, client account lead details, date generated, etc. The report summary sheet also includes the applicable regulations and internal business security offerings.
[0037] The detailed requirements sheet 1100 includes the applicable control IDs, control description, control hierarchy (control level), security offerings, and applicable leading practices. As shown in Figure 11, the 'auto filter' option is enabled in the detailed requirements sheet 1100 for efficient searching.

[0038] The report page 900 also includes an 'Email Report' option 904. If selected, the security compliance analysis system generates an email including a summary of the report, with the detailed Excel® report attached. Figure 12 shows an example of a report email 1200 generated by the system and sent to the user.

[0039] Referring back to the interface shown in Figure 4, the user may also select the option 'Create New Report Using Expert Interface' 404. Figure 13 shows examples of interfaces rendered by the security compliance analysis system if the user selects option 404. This option allows a new report to be generated by an expert user who has more complete knowledge of all the authority documents in the UCF. Initially the expert user is presented with, and fills in, the project details page shown in Figure 5. Following that page, the system renders an 'Authority Documents' interface 1300, shown in Figure 13, where the expert user can select all the regulations that apply to the client's business and locations.

[0040] After the expert user makes and submits the authority document selections, the security compliance analysis system brings the user to the report page 900, shown in Figure 9, on which the expert user may select the 'Download Excel Report' option 902 and/or the 'Email Report' option 904. If the expert user selects the 'Download Excel Report' option, the system may generate the Excel® document described above with respect to Figures 10 and 11.
If the expert user selects the 'Email Report' option, the security compliance analysis system may generate the email report described above with respect to Figure 12.

[0041] Figure 14 shows an example of an interface 1400 rendered by the security compliance analysis system to view reports generated by the user, according to the View My Reports 406 option discussed above with respect to Figure 4. Selecting the View My Reports 406 option may allow the user to view reports previously generated by the user along with reports that are in progress. As shown in Figure 14, a delete option is provided to delete generated or in-progress reports.

[0042] Figures 15-27 illustrate the Enter Admin Console 408 option discussed above with respect to Figure 4. Figure 15 shows an interface 1500 of an administrative console rendered by the security compliance analysis system. The interface 1500 shows that the administrative console may include five sections, accessed by the following tabs shown in Figure 15: import UCF data 1502, manage regulations controls 1504, manage offerings 1506, reporting 1508, and manage users 1510. In Figure 15, the import UCF data 1502 tab is selected.

[0043] Through the interface 1500 the user may upload the UCF database to the SQL database of the security compliance analysis system. After upload, the system may integrate the UCF data contained in the uploaded UCF database with the existing UCF data stored in the SQL database.

[0044] Figure 16 shows an example of the process flow 1600 for importing new UCF data into the SQL database. The process 1600 imports the UCF file. (Step 1602). The UCF database file may be saved, along with date and time details, in the archive subfolder where extraction of the data takes place. If the UCF file is a .zip or other compressed file, the process 1600 extracts the UCF data from the compressed file. (Step 1604).
[0045] The process 1600 runs a batch file, 'Backupdb.bat' for generating a backup of the existing database used by the security compliance analysis system and saved as, for example, 'ucfdbbackup' with '.bak' extension. (Step 1606). C# code is written to copy three (UCFAuthorityDocumentsList, UCF_CE_List, UCFCitationList) XML 11 files to the xml folder of the UCF import. To delete all the remaining XSLT files except the three mentioned above from the SQL server import XSLT folder. [0046] The process runs a UCF import batch file that move the above-mentioned three SQL files and their tables to UCF SQL file. (Step 1608). These three SGL files will run through a batch file named, for example, 'Run sql script. Bat', which is under a batch file folder. [0047] The process 1600 executes a SQL stored procedure to compare the contents of the three above-referenced tables from the UCF database import with the existing database based on four conditions - SNED (S-same, N-new, E-edit, D-deprecated). The records that are same in both the databases are left untouched where we insert all the new records into the security compliance analysis system database. [0048] In particular, the process 1600 identifies any records in the imported UCF database that are new. (Step 1610) For any imported database record determined to be new, the process 1600 causes the security compliance analysis system to insert each of the new records into the database. (Step 1612). The process 1600 identifies any records in the imported UCF database that are marked to be edits. (Step 1614). The records that are to be edited are updated. (Step 1616). The process 1600 identifies any records marked with 'D', i.e., any records that have deprecated and which are hidden from the display to the users. (Step 1618). A depreciated record may correspond to a record that is no longer valid. For example when a law is repealed, the related regulations, standards, leading practices, etc. may no longer be valid. 
The process 1600 then updates the records according to the records identified as deprecated (Step 1620), such as by suppressing the deprecated record in the SQL database, or removing the record. [0049] The disclosed methods, processes, programs, and/or instructions may be encoded in a signal-bearing medium, a computer-readable medium such as a memory, programmed within a device such as on one or more integrated circuits, or processed by a controller or a computer processor. If the methods are performed by software, the software may reside in a memory resident to or interfaced to a communication interface, or any other type of non-volatile or volatile memory. The memory may include an ordered listing of executable instructions for implementing logical functions. A logical function may be implemented through digital circuitry, through source code, through 12 analog circuitry, or through an analog source such as that occurring through an analog electrical, audio, or video signal. The software may be embodied in any computer readable or signal-bearing medium, for use by, or in connection with, an instruction executable system, apparatus, or device. Such a system may include a computer based system, a processor-containing system, or another system that may selectively fetch instructions from an instruction executable system, apparatus, or device that may also execute instructions. [0050] Figure 17 shows an example of an interface 1700 in which the manage regulations controls tab 1504 of the administrative console is selected. To manage regulations, an administrator may enter the Authority Document ID (AD ID) and click on 'find' button. [0051] The security compliance analysis system may provide the interfaces 1800 and 1900 in Figures 18 and 19, respectively, to manage regulations-questions with AD ID, published name, parent category, type from the SQL database. [0052] A question may be associated with a regulation, leading practice, law, security requirement, etc. 
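The import flow of paragraphs [0044] to [0048] above (back up the live database, unpack a compressed import, classify each imported record as S/N/E/D, apply the result), reduced to a runnable form as an added example. This is not code from the patent or from the described system: the real implementation uses batch files, C# and a SQL Server stored procedure over three UCF XML tables, none of which the page reproduces. The record layout (control_id, title, body, deprecated), the JSON-in-zip packaging, the MAX_MEMBER_BYTES cap and all sample rows are assumptions constructed for the example; SQLite stands in for the SQL database.

```python
"""Added example, not code from the patent: the UCF import flow of [0044]-[0048]
(back up, unpack, classify S/N/E/D, apply) against an in-memory SQLite table.
The record layout (control_id, title, body, deprecated) and the JSON-in-zip
packaging are assumptions; the real UCF export is XML."""
import io
import json
import sqlite3
import zipfile

MAX_MEMBER_BYTES = 10_000_000  # assumed cap on what one import member may decompress to

# Constructed sample data: the controls already in the system database.
EXISTING = [
    ("CTRL-1", "Access control policy", "Document and approve an access control policy."),
    ("CTRL-2", "Account review", "Review privileged accounts every 90 days."),
    ("CTRL-4", "Legacy log retention", "Retain audit logs for 30 days."),
]
# Constructed sample data: the new UCF export, with the expected SNED outcome noted.
IMPORTED = [
    {"control_id": "CTRL-1", "title": "Access control policy",
     "body": "Document and approve an access control policy.", "deprecated": False},  # S: unchanged
    {"control_id": "CTRL-2", "title": "Account review",
     "body": "Review privileged accounts every 30 days.", "deprecated": False},      # E: text changed
    {"control_id": "CTRL-3", "title": "Authenticator rotation",
     "body": "Rotate shared secrets when staff leave.", "deprecated": False},        # N: not yet in system
    {"control_id": "CTRL-4", "title": "Legacy log retention",
     "body": "Retain audit logs for 30 days.", "deprecated": True},                  # D: withdrawn
]


def open_control_db(rows):
    """Seed an in-memory database standing in for the system's SQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE controls (control_id TEXT PRIMARY KEY, title TEXT,"
                 " body TEXT, deprecated INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO controls VALUES (?, ?, ?, 0)", rows)
    conn.commit()
    return conn


def backup_db(conn):
    """Step 1606: snapshot the live database before the import touches it
    (SQLite's online backup API stands in for Backupdb.bat)."""
    snapshot = sqlite3.connect(":memory:")
    conn.backup(snapshot)
    return snapshot


def make_zip_blob(records):
    """Build a compressed import file in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UCF_Import.json", json.dumps(records))
    return buf.getvalue()


def load_import(blob):
    """Steps 1602/1604: detect a compressed import by content, not by file name,
    and read the single data member into memory (nothing is extracted to disk,
    so a crafted member path cannot escape the archive folder)."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = [n for n in zf.namelist() if n.lower().endswith(".json")]
            if len(members) != 1:
                raise ValueError("expected exactly one JSON member in the import archive")
            if zf.getinfo(members[0]).file_size > MAX_MEMBER_BYTES:
                raise ValueError("import member exceeds the decompression cap")
            blob = zf.read(members[0])
    return json.loads(blob.decode("utf-8"))


def classify(existing, imported):
    """Step 1608 / [0047]: the SNED comparison. `existing` maps control_id to
    (title, body); `imported` maps control_id to the imported record."""
    buckets = {"S": [], "N": [], "E": [], "D": []}
    for cid, rec in imported.items():
        if rec.get("deprecated"):
            buckets["D"].append(cid)
        elif cid not in existing:
            buckets["N"].append(cid)
        elif (rec["title"], rec["body"]) != existing[cid]:
            buckets["E"].append(cid)
        else:
            buckets["S"].append(cid)
    return buckets


def apply_import(conn, records):
    """Steps 1610-1620: insert new, update edited, suppress deprecated, in one
    transaction so a failure leaves the database exactly as the backup has it."""
    existing = {cid: (title, body) for cid, title, body
                in conn.execute("SELECT control_id, title, body FROM controls")}
    imported = {r["control_id"]: r for r in records}
    buckets = classify(existing, imported)
    with conn:
        conn.executemany("INSERT INTO controls VALUES (?, ?, ?, 0)",
                         [(c, imported[c]["title"], imported[c]["body"]) for c in buckets["N"]])
        conn.executemany("UPDATE controls SET title = ?, body = ? WHERE control_id = ?",
                         [(imported[c]["title"], imported[c]["body"], c) for c in buckets["E"]])
        conn.executemany("UPDATE controls SET deprecated = 1 WHERE control_id = ?",
                         [(c,) for c in buckets["D"]])
    return buckets


def run_demo():
    """Run the whole flow on the constructed data; returns buckets, the ids still
    visible to users, and the row count preserved in the backup."""
    conn = open_control_db(EXISTING)
    snapshot = backup_db(conn)
    records = load_import(make_zip_blob(IMPORTED))
    buckets = apply_import(conn, records)
    visible = [row[0] for row in conn.execute(
        "SELECT control_id FROM controls WHERE deprecated = 0 ORDER BY control_id")]
    snapshot_rows = snapshot.execute("SELECT COUNT(*) FROM controls").fetchone()[0]
    return buckets, visible, snapshot_rows


if __name__ == "__main__":
    print(run_demo())
```

Two design choices matter for an administrator-facing import like this one: the archive member is read into memory rather than extracted, so the file names inside an uploaded zip never become paths on the server, and deprecated records are suppressed rather than deleted, so earlier reports that cite them remain reproducible from the same database.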
If a definition exists for that particular regulation it is displayed in the 'Definition' box. The administrator can add a definition to a regulation if none exists and can also modify it. For a given AD ID, the region and country that a particular regulation belongs to may be seen in the interface 1700. From the drop-down lists provided in the interface 1700, the administrator can change both the region and country of a regulation.

[0053] If the regulation is to be identified as a leading practice and the option is set to 'yes', then only the URL, leading practice name and leading practice category fields are displayed. The URL of that regulation in the window may be fetched from the database. If the leading practice option is set to 'yes', the security compliance analysis system may provide fields, as shown in Figure 19, in which the administrator may enter the leading practice name and select the leading practice category from the drop-down list provided.

[0054] Figure 20 shows an interface 2000 that may be rendered by the security compliance analysis system when the manage controls tab 1506 is selected. To manage a control, the administrator may input the 'control id' in the textbox and click the 'find' button. A window titled 'control-offering mapping' may be rendered, as shown in Figure 20, along with the control id, control title, company security offering, and parent control details. The administrator may change the sub-offerings by clicking on the radio button, as well as the levels of the control. Changes made by the administrator are saved to the SQL database.

[0055] As part of the manage controls option 1506, the security compliance analysis system may render the interface 2100, which provides the administrator with the option to delete or edit each company security offering. The edit option allows the administrator to edit the existing security offering. If the administrator selects the edit option for a particular offering, the security compliance analysis system may render an 'Edit Offerings' pop-up window 2200 (shown in Figure 22). The details of that particular offering, such as URL, sub-offering and sub-offering URL, are retrieved from the database. The existing details can be edited in the editable textboxes provided in Figure 22.

[0056] In the same window 2200, the administrator can also edit the 'Regional SME Contacts' details. As shown in Figure 22, each of the four regions (Global, NA, EALA, APAC) is displayed with the email id, first and last name, and URL of the SME profile on the 'https://people.[host].com' web site. All the fields are editable textboxes.

[0057] The interface 2100 also provides the following additional options: Add New Offering, and Add / Edit Contacts. Upon selecting the 'Add New Offering' option, the security compliance analysis system may render the pop-up window shown in Figure 23, which is initially rendered with all the fields blank. The administrator can add the new offering by providing all the details, such as offering, URL, sub-offering and sub-offering URL, in the text boxes. Regional SME Contacts can also be added by selecting the email ids from all four regions. Clicking on the 'save' button saves all the details into the database.

[0058] Upon selecting the 'Add / Edit Contacts' option, the security compliance analysis system may render the pop-up window 2400 shown in Figure 24. In the window 2400 the administrator can add a new SME contact and edit an existing SME contact. The page lists the first and last name of each contact, their email id and the URL of their profile on 'https://people.[host].com', with edit and delete options against each contact. Clicking on delete prompts the administrator to confirm whether or not to delete the contact info. After confirmation, the contact details are permanently removed from the SQL database. When the edit button is selected, the details of that contact are displayed in the editable text boxes above for editing. The contact details added and edited are saved in the SQL database.

[0059] Figure 25 shows an interface 2500 that may be rendered by the security compliance analysis system when the reporting tab 1508 of the administrative console is selected. The interface 2500 provides two options: system report 2502 and Security Report 2504. In Figure 25 the system report 2502 option is selected. Figure 26, described below, shows an interface 2600 in which the Security Report option 2504 is selected.

[0060] In the interface 2500 the security compliance analysis system displays the reports generated within a particular period based on 'from' and 'to' dates that may be selected by the administrator. The security compliance analysis system may display a consolidated list of all the reports for that selected period along with the status of each report, including whether it is in progress or completed. The interface 2500 also provides a pane zoom option along with refresh, print and export options. To export the report list, the administrator may select a preferred format (Excel or PDF) and click on 'Export'; the security compliance analysis system will then generate the list in the selected format. The interface 2500 also provides a 'print' option to print the consolidated report.

[0061] In the interface 2600 shown in Figure 26, the Security Report option 2504 is selected. A selection may be made by selecting 'from' and 'to' dates indicating a particular period of time. The security compliance analysis system may display the security report, including the user names, enterprise id, privileges, user type, created by and created date, edited by and edited date, along with deleted by and deleted date. As with the report page 2500, a zoom option is provided in addition to the export and print options.

[0062] Figure 27 shows an interface 2700 that may be rendered by the security compliance analysis system when the manage users tab 1510 of the administrative console is selected. The interface 2700 allows the administrator to manage the users listed on the page. The interface 2700 includes an 'Add New User' button that, if selected, allows the administrator to add a new user and specify the user type, i.e., whether the user is an 'Admin', 'Security Expert' or 'Super Admin', by providing the name and enterprise id.

[0063] The user that is assigned as an administrator may have privileges for data mapping and report generation. A security expert may be authorized to access the expert interface, and a super administrator will have control of all user interfaces rendered by the system. A 'Save' button is provided to save the newly added list to the database. In some embodiments, only the 'Super Admin' will have the rights to delete users, with the 'delete' button provided against each user.

[0064] Exemplary aspects, features, and components of the system are described above. However, the system may be implemented in many different ways. For example, although some features are shown stored in computer-readable memories (e.g., as logic implemented as computer-executable instructions or as data structures in memory), all or part of the system and its logic and data structures may be stored on, distributed across, or read from other machine-readable media. The media may include hard disks, floppy disks, CD-ROMs, or a signal, such as a signal received from a network or received over multiple packets communicated across the network.

[0065] The system may be implemented with additional, different, or fewer components. As one example, a processor may be implemented as a microprocessor, a microcontroller, a DSP, an application specific integrated circuit (ASIC), discrete logic, or a combination of other types of circuits or logic. As another example, memories may be DRAM, SRAM, Flash or any other type of memory. The processing capability of the system may be distributed among multiple components, such as among multiple processors and memories, optionally including multiple distributed processing systems. Parameters, databases, and other data structures may be separately stored and managed, may be incorporated into a single memory or database, may be logically and physically organized in many different ways, and may be implemented with different types of data structures such as linked lists, hash tables, or implicit storage mechanisms. Logic, such as programs or circuitry, may be combined or split among multiple programs, distributed across several memories and processors, and may be implemented in a library, such as a shared library (e.g., a dynamic link library (DLL)). The DLL, for example, may store code that prepares intermediate mappings or implements a search on the mappings. As another example, the DLL may itself provide all or some of the functionality of the system, tool, or both.

[0066] While various embodiments of the invention have been described, it will be apparent to those of ordinary skill in the art that many more embodiments and implementations are possible within the scope of the invention. Accordingly, the invention is not to be restricted except in light of the attached claims and their equivalents.

[0067] Throughout this specification and the claims which follow, unless the context requires otherwise, the word "comprise", and variations such as "comprises" and "comprising", will be understood to imply the inclusion of a stated integer or step or group of integers or steps, but not the exclusion of any other integer or step or group of integers or steps.

[0068] The reference to any prior art in this specification is not, and should not be taken as, an acknowledgement or any suggestion that the prior art forms part of the common general knowledge in Australia.

Claims (17)

1. A product including:
  a memory;
  instructions stored in the memory that, when executed, cause a computer processor to:
    obtain preliminary data from a user defining a business offering and at least one geographic region associated with the business offering;
    generate a multi-tiered question set based on the preliminary data, including:
      generating a custom set of first tier questions customized at the at least one geographic region associated with the business offering based on the preliminary data and obtaining a set of answers in response to the custom set of first tier questions from the user;
      generating a first database query based on the set of answers to the custom set of first tier questions from the user;
      querying a database based on the generated first database query, wherein the database returns security compliance requirements information;
      generating a custom set of second tier questions customized to the set of answers to the custom set of first tier questions and obtaining a set of answers to the custom set of second tier questions;
    generate a second database query based on the preliminary data and the sets of answers to the custom set of first tier questions and the custom set of second tier questions;
    querying the database based on the generated second database query;
    obtaining from the queried database, in response to the second database query, a set of configuration control requirements imported from a unified compliance framework (UCF) database and tailored to the business offering, wherein the queried database includes the set of configuration control requirements, authority documents and authority document's citations, wherein the UCF database includes the set of configuration control requirements and other configuration control requirements, wherein the set of configuration control requirements and other configuration control requirements include behavioral and/or procedural requirements for the business offering and other business offerings, respectively;
    providing the results to the user; and
    automatically integrating the other configuration control requirements from the UCF database with the queried database by:
      importing, through a communications interface, a UCF file including the other configuration control requirements, wherein the other configuration control requirements include new configuration control requirements;
      identifying a file type of the UCF file from multiple file types including a compressed file type and uncompressed file type, and: when the file type of the UCF file is a compressed file type, extracting the other configuration control requirements from the UCF file;
      identifying the new configuration control requirements by: comparing the other configuration control requirements with the authority documents and the authority document's citations in the queried database; and determining that the new configuration control requirements are not identified by the authority documents and the authority document's citations; and
      inserting the new configuration control requirements into the queried database.
2. A product according to claim 1, wherein the custom set of second tier questions include questions related to industry leading practices.
3. A product according to either claim 1 or claim 2, wherein the database further includes security requirements corresponding to internal business practices corresponding to the business offering, wherein the internal security requirements are integrated with data imported from an external database.
4. A product according to any one of the preceding claims, wherein each question of the custom sets of first and second tier questions is mapped to at least one security compliance requirement obtained via a database query.
5. A system for security compliance and analysis requirements building, including:
  a computer processor; and
  a memory connected with the processor, the memory including instructions that, when executed, cause the computer processor to:
    obtain preliminary data from a user defining a business offering and at least one geographic region associated with the business offering;
    generate a multi-tiered question set based on the preliminary data, including:
      generating a custom set of first tier of questions customized to the at least one geographic region associated with the business offering based on the preliminary data and obtaining a set of answers to the custom set of first tier questions from the user;
      generating a first database query based on the set of answers to the custom set of first tier questions from the user;
      querying a database based on the generated database query and obtaining security compliance requirements information as a result of the query;
      generating a custom set of second tier of questions customized to the set of answers to the custom set of first tier questions and obtaining a set of answers to the custom set of second tier questions;
    generate a second database query based on the preliminary data and the sets of answers to the custom set of first tier questions and the custom set of second tier questions;
    querying the database based on the generated second database query;
    obtaining from the queried database a set of configuration control requirements imported from a unified compliance framework (UCF) database in response to the second database query that are tailored to the business offering, wherein the queried database includes the set of configuration control requirements, authority documents and authority document's citations, wherein the UCF database includes the set of configuration control requirements and other configuration control requirements, wherein the set of configuration control requirements and other configuration control requirements include behavioral and/or procedural requirements for the business offering and other business offerings, respectively;
    providing the results to the user; and
    automatically integrating other configuration control requirements from the UCF database with the queried database by:
      importing, through a communications interface, a UCF file including the other configuration control requirements, wherein the other configuration control requirements include new configuration control requirements;
      identifying a file type of the UCF file from multiple file types including a compressed file type and uncompressed file type, and: when the file type of the UCF file is a compressed file type, extracting the other configuration control requirements from the UCF file;
      identifying the new configuration control requirements by: comparing the other configuration control requirements with the authority documents and the authority document's citations in the queried database; and determining that the new configuration control requirements are not identified by the authority documents and the authority document's citations; and
      inserting the new configuration control requirements into the queried database.
6. A system according to claim 5, wherein the second tier questions include questions related to industry leading practices.
7. A system according to claim 5, wherein the database includes data imported from an external database.
8. A system according to claim 7, wherein the database further includes security requirements corresponding to internal business practices corresponding to the business offering, wherein the internal security requirements are integrated with leading practice and regulatory compliance data.
9. A system according to either claim 7 or claim 8, wherein each question of the custom sets of first and second tier questions is mapped to at least one security requirement obtained via a database query.
10. A computer-implemented method for security compliance and analysis requirements building, including:
  obtaining preliminary data from a user defining a business offering and at least one geographic region associated with the business offering;
  generating, using a computer processor, a multi-tiered question set based on the preliminary data, including:
    generating a custom set of first tier of questions customized to the at least one geographic region associated with the business offering based on the preliminary data and obtaining a set of answers in response to the custom set of first tier questions from the user;
    generating a first database query based on the set of answers to the custom set of first tier questions from the user;
    querying a database based on the generated first database query, and obtaining as an output security compliance requirements information;
    generating a custom set of second tier of questions customized to the set of answers to the custom set of first tier questions and obtaining a set of answers to the custom set of second tier questions wherein the custom set of second tier questions is different for different sets of first tier questions;
  generating, using the computer processor, a second database query based on the preliminary data and the sets of answers to the custom set of first tier questions and the second tier questions;
  querying, using the computer processor, the database based on the generated second database query;
  obtaining from the queried database a set of configuration control requirements imported from a unified compliance framework (UCF) database in response to the second database query that are tailored to the business offering, wherein the queried database includes the set of configuration control requirements, authority documents and authority document's citations, wherein the UCF database includes the set of configuration control requirements and other configuration control requirements, wherein the set of configuration control requirements and other configuration control requirements include behavioral and/or procedural requirements for the business offering and other business offerings, respectively;
  transmitting the results to the user; and
  automatically integrating other configuration control requirements from the UCF database with the queried database by:
    importing, through a communications interface, a UCF file including the other configuration control requirements, wherein the other configuration control requirements include new configuration control requirements;
    identifying a file type of the UCF file from multiple file types including a compressed file type and uncompressed file type, and: when the file type of the UCF file is a compressed file type, extracting the other configuration control requirements from the UCF file;
    identifying the new configuration control requirements by: comparing the other configuration control requirements with the authority documents and the authority document's citations in the queried database; and determining that the new configuration control requirements are not identified by the authority documents and the authority document's citations; and
    inserting the new configuration control requirements into the queried database.
11. A method according to claim 10, wherein the second tier questions include questions related to industry leading practices.
12. A method according to either claim 10 or claim 11, wherein the database includes data imported from an external database.
13. A method according to claim 12, wherein the database further includes security requirements corresponding to internal business practices corresponding to the business offering, wherein the internal security requirements are integrated with leading practice and regulatory compliance requirements data.
14. A method according to either claim 12 or 14, wherein each question of the custom sets of first and second tier questions is mapped to at least one security requirement obtained via a database query.
15. A method according to any one of claims 10 to 14, wherein the set of configuration control requirements includes attributes of security requirements for the business offering.
16. A product according to any one of claims 1 to 4, wherein the set of configuration control requirements includes attributes of security requirements for the business offering.
17. A system according to any one of claims 5 to 9, wherein the set of configuration control requirements includes attributes of security requirements for the business offering.
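The two-tier question flow that claims 1, 5 and 10 recite (preliminary data selects the first tier questions, their answers drive a first database query, the second tier questions depend on those answers, and a second query returns the configuration control requirements), as an added example that is not code from the patent or from the described system. The schema (authority_docs, controls, citations), the question texts, the region and document rows, and the T1:/T2: question identifiers are all constructed for the example; SQLite stands in for the SQL database. The point a practitioner should take from it is that user answers only ever reach the database as bound parameters, and that an answer to a question the user was never asked is rejected instead of being folded into the query.

```python
"""Added example, not code from the patent: the two-tier question flow of
claims 1, 5 and 10 on an in-memory SQLite database. Tier-1 questions follow
from the region in the preliminary data, their answers drive a parameterised
query for applicable authority documents, tier-2 (leading practice) questions
follow from that result, and the final query returns the configuration
controls cited by the selected documents. Schema, rows and question texts are
constructed for the example."""
import sqlite3

SCHEMA = """
CREATE TABLE authority_docs (ad_id TEXT PRIMARY KEY, name TEXT, region TEXT,
                             country TEXT, leading_practice INTEGER NOT NULL);
CREATE TABLE controls (control_id TEXT PRIMARY KEY, title TEXT, level INTEGER);
CREATE TABLE citations (ad_id TEXT, control_id TEXT, PRIMARY KEY (ad_id, control_id));
"""
AUTHORITY_DOCS = [  # constructed: (ad_id, name, region, country, leading_practice)
    ("AD-1", "Federal privacy statute", "NA", "US", 0),
    ("AD-2", "Provincial privacy statute", "NA", "CA", 0),
    ("AD-3", "Data protection regulation", "EALA", "DE", 0),
    ("AD-4", "Payment card handling practice", "NA", "US", 1),
    ("AD-5", "Cloud hosting practice", "NA", "CA", 1),
]
CONTROLS = [("C-10", "Encrypt personal data at rest", 1),
            ("C-11", "Breach notification procedure", 1),
            ("C-20", "Segment the cardholder network", 2),
            ("C-30", "Isolate tenant workloads", 2)]
CITATIONS = [("AD-1", "C-10"), ("AD-1", "C-11"), ("AD-2", "C-11"),
             ("AD-3", "C-10"), ("AD-4", "C-20"), ("AD-5", "C-30")]


def open_db():
    """Seed the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO authority_docs VALUES (?, ?, ?, ?, ?)", AUTHORITY_DOCS)
    conn.executemany("INSERT INTO controls VALUES (?, ?, ?)", CONTROLS)
    conn.executemany("INSERT INTO citations VALUES (?, ?)", CITATIONS)
    conn.commit()
    return conn


def placeholders(values):
    """An IN (...) list made of bound parameters; answers are never spliced into SQL text."""
    return ", ".join("?" * len(values))


def chosen(answers, offered):
    """Ids behind the questions answered 'yes'. Answers to questions that were
    never offered are rejected rather than trusted."""
    unknown = set(answers) - set(offered)
    if unknown:
        raise ValueError(f"answers to questions never asked: {sorted(unknown)}")
    return [q.split(":", 1)[1] for q, yes in answers.items() if yes]


def docs_query(conn, region, countries, leading_practice):
    """Parameterised lookup of authority documents for a region and country list."""
    if not countries:
        return []
    sql = ("SELECT ad_id, name FROM authority_docs WHERE region = ? AND leading_practice = ?"
           f" AND country IN ({placeholders(countries)}) ORDER BY ad_id")
    return conn.execute(sql, [region, leading_practice, *countries]).fetchall()


def tier1_questions(conn, preliminary):
    """Tier 1: one yes/no question per country in the offering's region that has
    a regulation on file, so the question set differs by region."""
    rows = conn.execute("SELECT DISTINCT country FROM authority_docs WHERE region = ?"
                        " AND leading_practice = 0 ORDER BY country",
                        (preliminary["region"],)).fetchall()
    return {f"T1:{c}": f"Does the offering handle data in {c}?" for (c,) in rows}


def tier2_questions(conn, preliminary, countries):
    """Tier 2 depends on the tier-1 answers: leading practices are offered only
    for the countries the user said apply."""
    rows = docs_query(conn, preliminary["region"], countries, 1)
    return {f"T2:{ad}": f"Adopt leading practice '{name}'?" for ad, name in rows}


def controls_for(conn, ad_ids):
    """Second query: controls cited by the selected documents, de-duplicated."""
    if not ad_ids:
        return []
    sql = ("SELECT DISTINCT c.control_id, c.title, c.level FROM controls c"
           " JOIN citations ci ON ci.control_id = c.control_id"
           f" WHERE ci.ad_id IN ({placeholders(ad_ids)}) ORDER BY c.control_id")
    return conn.execute(sql, ad_ids).fetchall()


def run_flow(preliminary, t1_answers, t2_answers):
    """Drive both tiers end to end; returns the control ids for the report."""
    conn = open_db()
    countries = chosen(t1_answers, tier1_questions(conn, preliminary))
    regulations = docs_query(conn, preliminary["region"], countries, 0)
    practices = chosen(t2_answers, tier2_questions(conn, preliminary, countries))
    ad_ids = [ad for ad, _ in regulations] + practices
    return [cid for cid, _, _ in controls_for(conn, ad_ids)]


if __name__ == "__main__":
    print(run_flow({"offering": "Managed hosting", "region": "NA"},
                   {"T1:US": True, "T1:CA": False}, {"T2:AD-4": True}))
```

In a web deployment the two question sets would be generated per session and stored server-side, so that `chosen` can compare submitted answers against what was actually rendered rather than against whatever identifiers arrive in the request.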
AU2014280991A 2012-02-24 2014-12-31 System for analyzing security compliance requirements Ceased AU2014280991B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2014280991A AU2014280991B2 (en) 2012-02-24 2014-12-31 System for analyzing security compliance requirements

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US13/405,229 2012-02-24
AU2013201034A AU2013201034A1 (en) 2012-02-24 2013-02-22 System for analyzing security compliance requirements
AU2014280991A AU2014280991B2 (en) 2012-02-24 2014-12-31 System for analyzing security compliance requirements

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
AU2013201034A Division AU2013201034A1 (en) 2012-02-24 2013-02-22 System for analyzing security compliance requirements

Publications (2)

Publication Number Publication Date
AU2014280991A1 AU2014280991A1 (en) 2015-01-22
AU2014280991B2 true AU2014280991B2 (en) 2015-11-12

Family

ID=52392457

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2014280991A Ceased AU2014280991B2 (en) 2012-02-24 2014-12-31 System for analyzing security compliance requirements

Country Status (1)

Country Link
AU (1) AU2014280991B2 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110246382A1 (en) * 2009-07-17 2011-10-06 Annemaria Allen License Tracking System and Related Software for Complex License and Compliance Requirements

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220067769A1 (en) * 2020-08-28 2022-03-03 Dell Products L. P. Training a machine learning algorithm to create survey questions
US11710145B2 (en) * 2020-08-28 2023-07-25 Dell Products L.P. Training a machine learning algorithm to create survey questions

Legal Events

Date Code Title Description
FGA Letters patent sealed or granted (standard patent)
MK14 Patent ceased section 143(a) (annual fees not paid) or expired