US20150066577A1 - Method and system for assessing, managing and monitoring information technology risk - Google Patents
- Publication number: US20150066577A1 (application US14/282,347)
- Authority: US (United States)
- Prior art keywords: risk, information, client, score, relationship
- Legal status: Abandoned (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
- G06Q10/063—Operations research, analysis or management
- G06Q10/0635—Risk analysis of enterprise or organisation activities
- G06Q30/00—Commerce
- G06Q30/018—Certifying business or products
Definitions
- Businesses are required to assess IT risk for their organization and their third party service providers to gauge the level of compliance with these regulations. These assessments must be conducted on a regular basis. There are well known methods in the art to assess IT risk. These methods include providing a risk report and an associated risk score. Each risk report focuses on the risk categories relative to a specific business or application being assessed, without the benefit of placing the results in context. Individual IT risk assessments are expensive and time consuming. They are not standardized in a manner that allows comparative analysis or contextual alignment within particular business sectors. Businesses need a simple, sound method for deciding whether or not the IT risk posed by internal procedures or by their third party service providers is within their level of risk tolerance, analogous to the way financial institutions rely on consumer credit scores to determine whether to fund loans or issue insurance policies.
- The present invention specifically addresses and alleviates the above-identified deficiencies in the art.
- The present invention is directed to a method for information technology (IT) and information asset risk assessment of a business relationship between a client and a third party.
- The method includes establishing a database.
- The database includes a plurality of IT information risk factors.
- The plurality of IT information risk factors stored in the database are associated with certain risks to which the client may be exposed, based on an action the client follows or based upon whom the client uses as its third party provider.
- The database is configured to receive IT risk information.
- The IT risk information is associated with the plurality of IT information risk factors.
- The database is also configured to receive updated IT risk information for storage thereon.
- The plurality of IT information risk factors includes a subset of relationship risk factors.
- The subset of relationship risk factors is utilized for evaluating the business relationship risk between the client and the third party.
- The method also includes receiving IT risk information corresponding to the subset of relationship risk factors.
- The method continues with generating a relationship risk score.
- The relationship risk score is determined in response to evaluating the subset of relationship risk factors using the IT risk information corresponding to that subset.
- The method includes monitoring the database for updated IT risk information.
- The updated IT risk information is used to re-evaluate the subset of relationship risk factors and generate a revised relationship risk score.
- The database is a server configured to receive the IT risk information from the client or the third party via a computer network.
- Another embodiment in accordance with the present invention includes compiling IT risk information on the database.
- The compiled IT risk information corresponds to a subset of business profile risk factors.
- The subset of business profile risk factors is drawn from the plurality of IT information risk factors.
- The subset of business profile risk factors is used to evaluate the business profile risk of the third party. It is contemplated that the IT risk information corresponding to the subset of business profile risk factors is compiled from public records.
- The IT risk information compiled from the public records is associated with the third party.
- The method may continue by generating a business profile risk score.
- The business profile risk score is generated in response to the evaluation of the subset of business profile risk factors.
- The database may be monitored for updated IT risk information corresponding to the subset of business profile risk factors.
- The updated IT risk information is used to revise the business profile risk score.
- The plurality of IT information risk factors stored on the database includes a subset of IT control risk factors.
- The database is configured to receive IT risk information corresponding to the subset of IT control risk factors.
- The subset of IT control risk factors is evaluated using the received IT risk information associated with the third party.
- The method continues with generating an IT controls risk score.
- The IT controls risk score is generated in response to the evaluation of the subset of IT control risk factors.
- The method also includes monitoring the database for updated IT risk information corresponding to the subset of IT control risk factors, so that the IT controls risk score can be revised and updated.
- An IT risk score is generated.
- The IT risk score is a combination of the relationship risk score, the business profile risk score, and the IT controls risk score.
- The relationship risk score may be associated with the type of service provided by the third party to the client.
- The IT controls score may also be associated with the type of service offered or provided to the client by the third party.
- A client relationship risk tolerance level is evaluated.
- The client relationship risk tolerance level is determined using a plurality of client relationship risk tolerance criteria. Answers to the plurality of client relationship risk tolerance criteria may be provided by the client for determining the client relationship risk tolerance level.
- A plurality of relationship risk mitigation actions is provided that depend upon the client relationship risk tolerance level.
- The appropriate relationship risk mitigation action plan may be selected based upon the relationship risk score.
- The method may also include evaluating a client business profile risk tolerance level. Similar to the client relationship risk tolerance level, the client business profile risk tolerance level is based upon answers provided by the client with respect to a plurality of client business profile risk tolerance criteria.
- The client business profile risk tolerance level may correspond to a plurality of business profile risk mitigation actions.
- The method also includes identifying an appropriate business profile risk mitigation action depending upon the business profile risk score.
- A client IT controls risk tolerance level may also be evaluated based upon information responsive to a plurality of client IT controls risk tolerance criteria.
- The IT controls risk tolerance level may correspond to a plurality of IT controls risk mitigation actions.
- The preferred IT controls risk mitigation action may be identified based upon the IT controls risk score.
- An aspect of the present invention contemplates IT risk information transmitted to the database from the client.
- IT risk information may also be transmitted to the database from the third party.
- The database may include a web based application.
- The web based application may be configured to automatically search for and compile IT risk information available in public records.
- The method may also include receiving IT risk information from an auditor.
- The IT risk information from the auditor corresponds to the subset of IT control risk factors.
- The IT risk information from the auditor may be utilized to validate the IT risk information associated with the third party or the IT control risk factors submitted by the third party.
- A revised IT controls risk score may be generated using the validated IT risk information, thereby providing more accuracy.
- A plurality of business relationships between the client and a plurality of third parties may be assessed. This provides the client with a method of evaluating a plurality of third parties in a timely and cost efficient manner.
- The present invention also provides a method for assessing compliance associated with a contract between a client and a third party.
- The method also assesses compliance between the client and the third party with respect to a government regulation, a law, or an industry standard.
- The method includes establishing a database.
- The database is utilized for storing a plurality of obligations for the third party associated with the contract, the government regulation, the law, or the industry standard.
- The database is also configured to receive information corresponding to the plurality of obligations.
- The plurality of obligations may be evaluated based upon the received information.
- The method continues with generating a compliance score.
- The compliance score is representative of the fulfillment of the plurality of obligations corresponding to the third party. It is also contemplated that the database is continuously monitored for information corresponding to the plurality of obligations.
- Information corresponding to the plurality of obligations may be provided by the client or the third party, or compiled from public records by the database.
- The method may also include receiving verified information from an auditor corresponding to the plurality of obligations.
- The verified information from the auditor is compared with the information corresponding to the plurality of obligations. Any discrepancy may be updated to reflect the verified information.
- A revised compliance score is generated to reflect the verified information.
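The compliance-scoring steps above (store obligations, receive reported information, score fulfillment, reconcile against auditor-verified information, rescore) can be shown end to end. The following is an added example written for this page, not code from the patent or any product it describes; the obligation names, their weights and the sample reported and verified statuses are constructed for illustration.

```python
"""Added example (not the patent's code): compliance score over a set of
contractual, legal, regulatory and industry-standard obligations. The third
party's self-reported statuses are replaced by auditor-verified statuses
where the auditor supplies one, each disagreement is recorded as a
discrepancy, and the score is the weighted share of obligations shown to be
fulfilled. Obligation ids, weights and statuses below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obligation:
    obligation_id: str
    source: str   # "contract", "regulation", "law" or "industry standard"
    weight: int   # relative importance of the obligation in the score


# Constructed obligation register of the kind the database would hold.
OBLIGATIONS = [
    Obligation("encrypt-at-rest", "contract", 3),
    Obligation("annual-pentest", "contract", 2),
    Obligation("breach-notify-72h", "regulation", 3),
    Obligation("access-review-quarterly", "industry standard", 1),
    Obligation("retention-limit", "law", 1),
]


def reconcile(reported, verified):
    """Merge reported statuses with auditor-verified ones.

    Returns (effective statuses, discrepancies). A verified status always
    wins; a discrepancy is (obligation id, reported value, verified value),
    where the reported value is None if the third party gave no information.
    """
    effective = dict(reported)
    discrepancies = []
    for oid, status in verified.items():
        if reported.get(oid) != status:
            discrepancies.append((oid, reported.get(oid), status))
        effective[oid] = status
    return effective, discrepancies


def compliance_score(obligations, statuses):
    """Weighted percentage (0-100) of obligations whose status is True.

    An obligation with no information at all counts as unfulfilled, so a
    missing answer lowers the score rather than being silently ignored.
    """
    total = sum(o.weight for o in obligations)
    met = sum(o.weight for o in obligations
              if statuses.get(o.obligation_id) is True)
    return round(100 * met / total)


# Constructed sample: the third party reports four obligations met and says
# nothing about the quarterly access review.
SAMPLE_REPORTED = {"encrypt-at-rest": True, "annual-pentest": True,
                   "breach-notify-72h": True, "retention-limit": True}
# Constructed auditor findings: no pentest evidence, but the access review
# was in fact performed.
SAMPLE_VERIFIED = {"annual-pentest": False, "breach-notify-72h": True,
                   "access-review-quarterly": True}


def score_before_and_after(reported, verified):
    """Initial score, revised score after reconciliation, and discrepancies."""
    initial = compliance_score(OBLIGATIONS, reported)
    effective, discrepancies = reconcile(reported, verified)
    revised = compliance_score(OBLIGATIONS, effective)
    return initial, revised, discrepancies


if __name__ == "__main__":
    print(score_before_and_after(SAMPLE_REPORTED, SAMPLE_VERIFIED))
```

The design choice worth noting is that auditor data is never merged by averaging or "most recent wins": a verified value replaces the self-reported one unconditionally and the disagreement is kept as a record, which is what lets a later review see that a score moved because of evidence rather than because the third party changed its answer.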
- The present invention also provides a risk assessment system accessible to a plurality of clients and a plurality of third parties.
- The system is utilized to assess, manage, and monitor risk between at least one client and at least one third party associated with the client.
- The system includes a database having a plurality of IT information risk factors.
- The database is configured to continuously receive IT risk information for evaluating the plurality of IT information risk factors.
- The system also includes a scoring application in communication with the database.
- The scoring application utilizes the plurality of IT information risk factors to generate a plurality of risk scores.
- The system includes an auditing application configured to receive validated IT risk information from an auditor.
- The validated IT risk information corresponds to the plurality of IT information risk factors.
- The auditing application is in communication with the scoring application for adjusting the plurality of risk scores in response to receiving the validated IT risk information from the auditor.
- The system may also include a risk manager application.
- The risk manager application is accessible to the client and configured to receive IT risk information from the client.
- The IT risk information from the client is used to simulate an adjustment to the plurality of risk scores.
- Every application or component, such as the risk manager, compliance manager and audit manager, may be implemented as a stand-alone software component configured to communicate with the system. In this regard, any single application or component may be licensed separately from the system.
- A method for risk assessment between a client and a third party includes establishing a database having a plurality of IT information risk factors.
- The database is configured to receive IT risk information associated with the plurality of IT information risk factors.
- The IT risk information is evaluated for determining the risk between the client and the third party.
- A risk score is generated representative of the risk assessment between the client and the third party.
- The method also includes validating IT risk information associated with a subset of IT information risk factors from the plurality of IT information risk factors. The method may conclude with revising the risk score to reflect the validated IT risk information.
- FIG. 1 is a block diagram depicting the information technology and information risk assessment system constructed in accordance with the present invention.
- FIGS. 2A-B are flow charts representative of a risk report component for risk assessment.
- FIG. 3 is a block diagram of the scoring model implemented by the risk report component.
- FIG. 4 is a chart illustrating possible action plans based on scores generated by the risk report component.
- FIG. 5 is a diagram illustrating transfer of IT information risk utilizing insurance services constructed in accordance with the present invention.
- FIG. 6 is a block diagram incorporating aspects of a compliance manager.
- Referring to FIG. 1, a diagram illustrating the various components of the method and system for assessing information technology (IT) and information assets 10 is provided.
- Client is understood to refer to the role of a business or enterprise as a requestor of data or services.
- Third party is understood to refer to the role of the entity providing such data or services. Additionally, it is possible that a client may request data or services in one transaction and provide data or services in another transaction, thus changing its role from client to third party or vice versa.
- The third party may include entities such as service providers, outsourcers, insurers, and auditors, by way of example and not of limitation.
- An aspect of the present invention contemplates the integrated platform 12 as a software as a service (SaaS) application.
- The SaaS application may be hosted on a server or licensed to a client or third party.
- The integrated platform 12 provides the client and the third party a context from which to determine how IT and information assets relate to industry risk tolerance levels using a standardized IT information risk score.
- The client and the third party may utilize the standardized IT information risk score to determine whether to accept an identified IT information risk without implementing security controls, to implement security controls to mitigate the potential risk, or to transfer the risk to an insurer willing to indemnify the client or the third party against damages resulting from the identified IT information risk.
- The integrated platform 12 may provide real-time analysis and continuous risk activity monitoring in order to properly accept, mitigate or transfer risk associated with the business relationship between the client and the third party.
- The integrated platform 12 may be accessible via a secure web portal or gateway.
- The client may access the integrated platform 12 via a web browser.
- The level of access may depend on the client's subscription to the various components; the client securely logs in to the integrated platform 12 using a registered username and password.
- The integrated platform 12 may be divided into a multitude of separate internal applications including a risk and compliance management application 14, a report and monitoring application 16, an audit manager application 26 and an insurance application 18.
- Also included within the integrated platform 12 is a management services application (not shown).
- The integrated platform 12 includes a database (not shown) used to store information obtained from the third party, information obtained from the client, information generated by the applications, and information obtained from public records.
- The various applications of the integrated platform 12 are configured to be in communication with the database and with each other.
- The database is configured to store information for a plurality of business relationships between a plurality of clients and a plurality of third parties. It is contemplated that each application or component hosted on the integrated platform 12 may be implemented as a stand-alone software component independent of the integrated platform 12.
- The risk and compliance management application 14 may include a risk manager component 20 and a compliance manager component 22.
- The risk manager component 20 is utilized by the client as an interface for monitoring the client's business relationships with third parties and as a proactive tool for the client to mitigate IT information risk related to the plurality of third parties.
- The compliance manager component 22 is a tool for use by the client to organize and assess whether various compliance requirements are being followed and/or implemented with respect to industry, regulatory, and contractual obligations.
- The report and monitoring application 16 includes a risk report component 24, an audit manager component 26, and a risk monitoring component 28.
- The internal applications and components are supported by and fully integrated with various services. It is contemplated that the integrated platform 12 may function in an auto-policy mode that automates proactive actions for third parties classified as medium to high IT information risks based upon the standardized IT information risk score.
- The integrated platform 12 is designed to be a self-servicing platform for multiple stakeholders including clients, third parties, auditors, insurers, and others, by way of example only and not of limitation.
- The integrated platform 12 brings multiple groups such as information security, IT, auditors, third parties, insurance agents, risk managers and compliance managers together on a common risk management and assessment platform.
- The integrated platform 12 allows each identified stakeholder secure access to complete or manage risk assessments, register third parties, run multiple risk and compliance reports, or perform third party standardized IT information risk score lookups.
- The integrated platform 12 may be hosted on a web server or it may be licensed and processed at the client.
- The integrated platform 12 is contemplated to provide secure exchange of risk and compliance information among these various groups. This may be accomplished through the use of digital rights management (DRM) tools to secure information on the database.
- The audit manager component 26 includes the functionality to schedule an audit, develop an audit plan, review IT security control responses from the third party, and review evidence of control compliance as provided by the third party using a secure web based interface.
- The system contemplates the ability to manage multiple audits of different types simultaneously.
- The management services application may provide a workflow system to allow third parties and clients to distribute the workload of the system to different staff members within their organization automatically.
- The management services application is in communication with the database to provide a secured data storage service that allows the client or third party to define access rights to the information stored on the database.
- The management services application further provides automated risk management policy enforcement whereby the client can define the risk tolerance levels and the policy enforcement application will automatically enforce those policies throughout the system.
- The risk report component 24 may utilize a multi-tiered IT information risk assessment to develop the standardized IT information risk score.
- The client may access the integrated platform 12 and utilize a look-up feature to locate the third party the client would like to review.
- The client selects the third party from the plurality of third parties registered with the database 120.
- The plurality of third parties registered with the database 120 may be referred to as the third party population 110.
- Clients relying on third parties to provide them with products, data or services may review these third parties to determine the level of IT risk present within their operating environments.
- The integrated platform 12 interfaces with the client's risk manager component 20 to load a list of third parties, creating a third party pick list from the third party population 110 to streamline the process for initiating IT information risk reviews. If the third party is not found on the pick list, the client may enter the name, address, tax-id number and other identifying information of the third party the client would like to review into the database 120 via the risk manager component 20.
- A web application hosted on the integrated platform 12 builds a key from this information to retrieve available public data associated with the third party. The available public data is stored in the database 120 for use in generating a business profile risk score 170.
- The database 120 includes a plurality of IT information risk factors related to the business relationship between the client and the third party, the available public data associated with the third party, and the IT security controls implemented by the third party.
- The plurality of IT information risk factors is evaluated by the risk report component 24 to generate the standardized IT information risk score.
- The plurality of IT information risk factors is normalized, weighted, and integrated into the multi-tiered scoring model that produces the standardized IT information risk score, representative of the IT information risk and information security exposure associated with the business relationship between the client and the third party.
- A relationship risk assessment 125 is executed for the business relationship between the client and the third party.
- The relationship risk assessment 125 measures the inherent risk the client has with respect to the third party by factoring in information specific to the relationship, such as the type of service offered and/or the sensitivity of the information being exchanged.
- IT risk information corresponding to the relationship risk assessment 125 is received by the database 120.
- The IT risk information may be provided in the form of responses by the client to questions selected from a subset of relationship risk factors from the plurality of IT information risk factors.
- The client may answer a set of questions focused on the relationship with the third party being reviewed.
- The questions and answers aim to quantify the significant aspects of the relationship so that the risk posed by particular IT vulnerabilities can be put into context. If the third party being reviewed is not a major provider of services to the client reviewing it, then the impact of a high IT information risk vulnerability may be reduced.
- The subset of relationship risk factors associated with the relationship risk assessment 125 may include: nature of the relationship (monetary value, length of relationship, location), contract terms, privacy (content sensitivity, regulated data), business processes, intellectual property competitiveness, fraud, reporting and compliance, and relationship insurance coverage.
- The client provides IT risk information for the evaluation of each relationship risk factor from the subset of relationship risk factors by answering the set of questions as indicated above.
- The questions may request the client to select the primary type of relationship that exists with the third party (e.g. application development, system monitoring, hosting services, or data processing), how long the relationship has existed as it relates to the scope of service, and the monetary value of the relationship.
- The client response to each relationship risk factor from the subset of relationship risk factors is scored and weighted.
- A scoring algorithm is utilized to generate a relationship risk score 130.
- The relationship risk score 130 is stored in the database 120.
- The relationship risk score 130 is representative of the IT and information risk exposure associated with the business relationship between the client and the third party.
- The relationship risk score is f(revenue reliance, process maturity, industry sector * impact to business of relationship factor) * relationship factor weighting. Results are then normalized by category using standard mathematical normalization processes.
- The next step may include determining whether the relationship risk score 130 poses a significant risk 140 to the client.
- The significant risk 140 assessment may be implemented by the risk manager component 20.
- The client may access the risk manager component 20, wherein a questionnaire to be answered by the client is provided.
- The questionnaire corresponds to a plurality of relationship risk tolerance criteria.
- Based upon the answers provided by the client, a client relationship risk tolerance level may be evaluated.
- Referring to FIG. 4, a chart representative of relationship risk mitigation actions is provided.
- The risk manager component 20 may include the chart for each client relationship with the plurality of third parties. A relationship risk mitigation action may be identified based upon the relationship risk score 130.
- The relationship risk mitigation action may advise certifying the business relationship between the client and the third party.
- The client risk tolerance level may suggest certifying the third party with an exception. The exception allows the client to specify a period of time or other factor used to approve the business relationship with the third party even though the relationship risk score 130 of the business relationship may be outside the scope of the client's risk tolerance level. Referring again to FIG. 2A, if the business relationship does not pose a significant risk with regard to the client risk tolerance level, the decision to certify is documented 145 on the database 120.
- A trigger 150 may be provided wherein, if the relationship risk score 130 exceeds the trigger 150, further assessment is required. This added function may be implemented through the risk monitoring component 28. If the relationship risk score 130 between the client and the third party poses a significant risk 140, further evaluation may be required.
- The risk report component 24 may continue by providing an automated way to assess the third party using IT risk information gathered from public records. Further assessment continues with a business profile risk assessment 160.
- The business profile risk assessment 160 measures the IT information risk associated with doing business with the third party to meet its business objectives.
- The plurality of IT information risk factors stored in the database 120 may include a subset of business profile risk factors associated primarily with the business profile risk assessment 160. It is contemplated that the IT risk information used to evaluate the subset of business profile risk factors is collected from public records.
- The public records include information regarding prior security breaches, financial history, credit history, and legal history. It is contemplated that a web-based application hosted on the integrated platform 12 is configured to automatically collect IT risk information associated with the subset of business profile risk factors and store the information within the database 120.
- The scoring algorithm is used to generate a business profile risk score 170.
- Key areas of measurement contemplated to be encompassed by the subset of business profile risk factors include: geopolitics, locale, regulatory oversight, and financial strength. The key areas of measurement listed above are by way of example only and not of limitation.
- The IT risk information collected is used to evaluate each business profile risk factor from the subset of business profile risk factors. Each business profile risk factor is scored and weighted to generate the business profile risk score 170.
- The business profile risk score 170 is stored in the database 120.
- The goal is to measure the IT information risk associated with doing business with the third party as indicated by the subset of business profile risk factors, e.g.
- The business profile risk factors listed above are by way of example only and not of limitation. Third parties receiving high or medium business profile risk scores 170 would be reviewed in depth using the risk scoring system of the risk report component 24.
- The business profile risk score is f(industry, regulatory controls, financial health * potential of material business impact) * profile factor weighting. Results are then normalized by category using standard mathematical normalization processes.
- An IT risk score 175 is calculated.
- The IT risk score 175 is a function of both the relationship risk score 130 and the business profile risk score 170. Similar to the significant risk 140 assessment for the relationship risk score 130 by the risk manager component 20, the same may be accomplished in the context of the IT risk score 175.
- The chart may include risk mitigation actions relating to the business profile risk score 170 individually or in combination with the relationship risk score 130. For example, if the business profile risk score 170 exceeds 700, the risk mitigation plan may suggest a mandatory control assessment, or the risk manager component 20 may be configured to automatically begin the process depending on the client's settings. Referring again to FIG.
- The decision to certify is documented 185 on the database 120.
- A trigger 190 may be provided to alert the client when the IT risk score 175 exceeds the trigger 190.
- The client may then determine through the risk manager component 20 whether further assessment is required.
- The monitoring function may be implemented through the risk monitoring component 28.
- the risk report component 24 may continue by utilizing responses to a series of IT control measurements covering ISO27001/2 key controls for example.
- the risk report component 24 further contemplates conducting an IT security control assessment 200 .
- the IT security control assessment 200 measures the amount of IT information risk associated with the third party based on the assessment of IT security controls within the third party environment.
- the plurality of IT information risk factors stored on the database 120 further include a subset of IT security control factors associated with the IT security control assessment 200 .
- Some key areas of measurement include: insurance coverage, industry compliance, legal compliance, regulatory compliance, risk management, IT environment, outsourcing, security policy, information security organization, third party management, asset management, information assets, human resources security, physical and environmental security, communications and operations management, system logs, laptops/desktops, mobile devices, information backup, network, removable media, electronic messaging, web applications, access control, password management, secure login and remote access, information systems acquisition, testing security controls, information security incident management, business continuity management, and compliance.
- the key areas of measurement listed above are by way of example only and not of limitation.
- automation is accomplished by using a web based technology to gather information on the maturity of the third party IT security controls.
- the maturities of the third party's IT security controls are assessed to determine if the IT security controls implemented by the third party are adequate to meet the needs of the client.
- the more mature the controls implemented by the third party, the less IT information risk exposure for the client.
- the scoring process provides decision criteria and accountability for the client. The more reliant the client is on the third party the higher risk a lack of IT security controls places on the client.
- the IT security control assessment 200 focuses on the IT environment of the third party being reviewed.
- the third party is sent password protected logon information and the third party representative logs on to complete the IT security control assessment 200 .
- Multiple questions may be presented based on the ISO27001/2 controls structure, or another similar controls standard, and all must be answered before the IT security control assessment 200 is marked complete. Answers are multiple choice or drawn from a selection list to maintain consistency and objectivity. Weights are assigned to each answer, and calculations combine the answers into specific information security domains to generate individual third party IT control risk scores 210 .
- the generated IT control risk score 210 is stored in the database 120 .
- An alert is sent to the client notifying the client that the IT control risk score 210 is available for review and includes the IT control risk score code number that is associated with the third party that was reviewed.
- the client logs onto the web application using the IT control risk score code and accesses the IT control risk score 210 .
- An aspect of the present invention contemplates using a self-reporting electronic IT security control assessment survey to measure the maturity of the IT controls in place within the third party being reviewed.
- the third party provides information for evaluation of the subset of IT security control factors.
- the third party may be presented with a questionnaire including various questions and answers corresponding to the subset of IT security control factors. Additional data that could indicate the company's ability to manage its IT information risk is gathered from public records.
- the survey may include measurement in all areas of the ISO27001/2 control standards. For example, a survey question may inquire: What percentage of the third party's laptops are protected by encryption? (A. 0%-25%, B. 26%-50%, C. 51%-75%, D. 75%-95%, E.
- the third party's response to each IT security control risk factor from the subset of IT security control risk factors is scored and weighted.
- a scoring algorithm is utilized to generate an IT security control score 210 .
- the IT security control score 210 is then stored in the database 120 . It is also contemplated that the third party may provide evidence electronically through the database 120 to validate or prove that the third party is in compliance with the IT security control risk factors.
- a new IT risk score 215 is calculated.
- the new IT risk score 215 incorporates the relationship risk score 130 , the business profile risk score 170 , and the IT control risk score 210 .
- the IT risk score 215 is assessed to determine whether there is a significant risk 220 to the client based upon client risk tolerance levels. If the IT risk score 215 does not pose a significant risk 220 with regard to the client risk tolerance level, the decision to certify is documented 225 on the database 120 . Further, based on the client risk tolerance level, a trigger 230 may be provided for alerting the client when the IT risk score 215 exceeds the trigger 230 and thus suggesting further assessment.
- This monitoring function may be implemented through the risk monitoring component 28 . Additionally, it is contemplated that unmanaged risk regardless of the actions of the client and the third party may be quantified. The unmanaged risk may be quantified as residual risk 235 . The residual risk 235 may be mitigated through the insurance application 18 as described in further detail below.
- the next step may include control validation 240 .
- the control validation 240 step utilizes the audit manager component 26 .
- the IT risk information used to evaluate the IT security control assessment 200 is audited to determine the accuracy of the information.
- An auditor may conduct an independent audit using the subset of IT security control risk factors.
- the auditor may access the integrated platform 12 and provide the audited IT risk information via the audit manager component 26 . Therefore, the control validation 240 step modifies the IT control risk score 210 into a validated IT control risk score 250 .
- the validated IT control risk score 250 is similar to the IT control risk score 210 , however, the validated IT control risk score 250 utilizes the audited IT risk information.
- IT risk score 255 is calculated incorporating the relationship risk score 130 , the business profile risk score 170 , and the validated IT control risk score 250 .
- the IT risk score 255 is stored in the database 120 .
- the IT risk score 255 is used as a reliable and objective tool by clients to determine the overall relative IT and information risk associated with the third party.
- the IT risk score 255 provides analysis for managing the client's third party relationships including accepting identified risk, implementing controls to mitigate the risk, or transferring risk to a third party insurer via insurance.
- the IT risk score 255 may also be assessed to determine whether there is a significant risk 260 to the client based upon client risk tolerance levels associated with the plurality of IT information risk factors. If the IT risk score 255 does not pose a significant risk 260 with regard to the client risk tolerance level, the decision to certify is documented 265 on the database 120 . Further, based on the client risk tolerance level, a trigger 270 may be provided to alert the client if the IT risk score 255 exceeds the trigger 270 . If the IT risk score 255 exceeds the trigger 270 , the client may discontinue the business relationship with the third party, not initiate a relationship with the third party, or mitigate the risks.
- automated actions may be taken on behalf of the client by at least one component of the integrated platform 12 .
- the unmanaged risk in relation to the IT risk score 255 may be quantified as residual risk 275 . If the IT risk score 255 is significant with respect to the client tolerance levels, the third party relationship may be discontinued 280 . The decision is documented 290 on the database 120 .
- the IT risk score 255 may also be linked to the type of service being provided to the client for evaluating IT and information risk.
- a standard set of service types are used to determine inherent security risk.
- the present invention provides a method to associate the service type corresponding to the relationship risk with the IT risk score 255 .
- This process also then allows a standard risk definition for third parties by service type.
- This service type risk is continually refined as completed third party risk assessments are categorized by service type.
- service types may include IT service providers, technology product providers, IT outsourcing service providers, consulting/advisory service providers, providers that provide advisory services in enterprise risk management, business process innovation, business planning and internal audit services, IT staffing service providers, healthcare, manufacturing, marketing/publishing, retail, education/training providers.
- the risk report component 24 allows for analysis of the third party using multi-layer assessment criteria.
- the multi-layer assessments may be based on industry standards including, for example: FISAP, COBIT, ISO27001/2, and PCI.
- the risk report component 24 may be configured to generate a plurality of different risk scores based on attributes of the business relationship between the client and the third party. For example, an intellectual property risk score, regulated data risk score, country risk score, and application development risk score may be generated based on the attributes of the relationship between the client and the third party.
- the scoring algorithm utilized by the risk report component 24 to generate the relationship risk score 130 , the business profile risk score 170 , the IT control risk score 210 , and the IT risk score 255 is better understood by reviewing the glossary and accompanying equations as follows:
- Rsk Risk factors
- Cat Category scores used to demonstrate risk in broader areas of risk factors
- Kc Key control risk scores used to demonstrate risk in a wide area of risk factors
- Ov The overall score used to demonstrate risk represented by the entire area of risk factors
- RskRS Risk factor raw score
- RskMS Risk factor max score
- RskNS Risk factor normalized score
- RskW Risk factor weight used to determine the probability that a failure of a given risk factor will result in a security breach
- RskWMS Risk factor weighted max score (RskMS*RskW)
- CatRF Category risk factor is the scope of risk factors within a given category
- KcRF Key control risk factor is the scope of risk factors within a given key control.
- a risk factor can exist at key control or category level and will be considered together with its respective key control or category siblings.
- the input will have the risk factor raw score, risk factor weight, and category weight.
- the rest of the fields are derived values.
- the weighted risk factor score (RskWS) is derived by multiplying the answer raw score (RskRS), which represents the maturity of the control, by the risk factor weight (RskW), which represents the probability that a failure of this control would result in an IT security breach. The RskWS is then divided by the risk factor weighted max score (RskWMS) and multiplied by 1000 to obtain the risk factor normalized score (RskNS). The following formulas represent the calculation of the RskNS:
- RskWS = RskRS*RskW
- RskNS = (RskWS/RskWMS)*1000
- the child set risk factor score is derived by first calculating the weighted risk factor score (RskWS) of each child risk factor.
- the RskWS is derived by multiplying the answer raw score (RskRS) by the risk factor weight (RskW).
- the RskWS values are summed over all of the dependent child risk factors, and the sum is divided by the sum of the child risk factor weights (RskW).
- Category Score The category risk score is derived by calculating the category weighted score (CatWS). To calculate the CatWS, first calculate the RskWS for each risk factor within the category by multiplying each RskRS by its RskW, then sum them. Then calculate the category weight (CatW) by summing the RskW for each of the risk factors in the category. The category raw score (CatRS) is calculated by dividing the CatWS by the CatW. The following formulas represent the calculation of the category risk score:
- CatWS = sum(RskRS*RskW) over the risk factors in the category
- CatW = sum(RskW) over the risk factors in the category
- CatRS = CatWS/CatW
- the category max score (CatMS) is derived by first calculating the category weighted max score (CatWMS). To calculate CatWMS, first sum the results of RskMS*RskW for each of the risk factors within the category. Then divide the CatWMS by CatW (described above). This is represented by the following formulas:
- CatWMS = sum(RskMS*RskW) over the risk factors in the category
- CatMS = CatWMS/CatW
- the category normalized score (CatNS) is derived by dividing the CatWS by the CatWMS. The result is multiplied by 1000. This is represented by the following formula:
- CatNS = (CatWS/CatWMS)*1000
- the key control risk score is derived by first calculating the key control weighted score (KcWS). To calculate the KcWS, first multiply each CatRS by its CatW for each category within the key control, then sum the results. Then calculate the key control weight (KcW) by summing the CatW for each of the categories in the key control. The key control raw score (KcRS) is calculated by dividing the KcWS by the KcW. The following formulas represent the calculation of the key control risk score:
- KcWS = sum(CatRS*CatW) over the categories in the key control
- KcW = sum(CatW) over the categories in the key control
- KcRS = KcWS/KcW
- the key control max score (KcMS) is derived by first calculating the key control weighted max score (KcWMS). To calculate KcWMS, first sum the results of the category max score (CatMS) times the CatW for each of the categories within the key control. Then divide the KcWMS by KcW. This is represented by the following formulas:
- KcWMS = sum(CatMS*CatW) over the categories in the key control
- KcMS = KcWMS/KcW
- the key control normalized score (KcNS) is derived by dividing the key control weighted score (KcWS) by the key control weighted max score (KcWMS). The result is multiplied by 1000. This is represented by the following formula:
- KcNS = (KcWS/KcWMS)*1000
- the overall score is used by the risk report component 24 to demonstrate risk represented by the entire area of the plurality of IT information risk factors.
- the overall risk score is derived by first calculating the overall weighted score (OvWS). To calculate the OvWS, multiply each key control raw score (KcRS) by its key control weight (KcW) for each key control within the overall set, then sum the results. Then calculate the overall weight (OvW) by summing the KcW for each of the key controls. The following formulas represent the calculation of the overall weighted score:
- OvWS = sum(KcRS*KcW) over the key controls in the overall set
- OvW = sum(KcW) over the key controls in the overall set
- the overall set max score is derived by first calculating the overall set weighted max score (OvWMS). To calculate OvWMS, first sum the results of the key control max score (KcMS) times the key control weight (KcW) for each of the key controls within the overall set. Then divide the OvWMS by OvW. This is represented by the following formulas:
- OvWMS = sum(KcMS*KcW) over the key controls in the overall set
- overall set max score = OvWMS/OvW
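The scoring hierarchy described by the glossary and equations above, and the questionnaire scoring it feeds (weighted multiple-choice answers combined into information security domains to produce the IT control risk score 210), carried through in working code. This is an added example, not code from the patent or from any product it describes. It observes that the category, key control and overall levels all aggregate the same way (weight = sum of child weights, weighted score = sum of child raw score times weight, weighted max = sum of child max score times weight), so a single `Node` class serves all three levels. The factor names, answer values, maxima and weights are constructed sample data, `_normalize`, `Node`, `build_sample` and `top_contributors` are names chosen here, and an overall normalized score (OvNS) is assumed by analogy with CatNS and KcNS since the page does not state one. The `top_contributors` method goes one step beyond the page: because the weighted sums telescope, each factor's shortfall can be expressed in overall points, which is the kind of "major contributors" view the monitoring section promises.

```python
"""Added example: the factor -> category -> key control -> overall scoring
hierarchy from the glossary (RskRS, RskW, RskWMS, Cat*, Kc*, Ov*). The category,
key control and overall levels aggregate identically (W = sum of child weights,
WS = sum of child raw score * weight, WMS = sum of child max score * weight),
so one Node class serves all three. Factor names, answers, maxima and weights
are constructed sample data, not values from the page; OvNS is assumed by analogy."""
from dataclasses import dataclass
from typing import Iterator, List, Tuple, Union


def _normalize(ws: float, wms: float) -> float:
    """(WS / WMS) * 1000 on the page's 0..1000 scale; a zero-weight set is an error."""
    if wms <= 0:
        raise ValueError("weighted max score must be positive")
    return ws / wms * 1000.0


@dataclass(frozen=True)
class RiskFactor:
    """One questionnaire answer: rs is the maturity the answer represents (RskRS), ms the
    best possible answer (RskMS), w the probability a failure of the control causes a breach (RskW)."""
    name: str
    rs: float
    ms: float
    w: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.rs <= self.ms:
            raise ValueError(f"{self.name}: raw score outside [0, max score]")
        if not 0.0 < self.w <= 1.0:
            raise ValueError(f"{self.name}: weight must be a probability in (0, 1]")

    def raw_score(self) -> float:        # RskRS
        return self.rs
    def max_score(self) -> float:        # RskMS
        return self.ms
    def weight(self) -> float:           # RskW
        return self.w
    def weighted_score(self) -> float:   # RskWS  = RskRS * RskW
        return self.rs * self.w
    def weighted_max(self) -> float:     # RskWMS = RskMS * RskW
        return self.ms * self.w
    def normalized(self) -> float:       # RskNS  = (RskWS / RskWMS) * 1000
        return _normalize(self.weighted_score(), self.weighted_max())


@dataclass(frozen=True)
class Node:
    """A category (children are risk factors), a key control (children are categories)
    or the overall set (children are key controls)."""
    name: str
    children: Tuple[Union["Node", RiskFactor], ...]

    def weight(self) -> float:           # CatW = sum(RskW); KcW = sum(CatW); OvW = sum(KcW)
        return sum(c.weight() for c in self.children)
    def weighted_score(self) -> float:   # CatWS = sum(RskRS*RskW); KcWS = sum(CatRS*CatW); OvWS = sum(KcRS*KcW)
        return sum(c.raw_score() * c.weight() for c in self.children)
    def weighted_max(self) -> float:     # CatWMS = sum(RskMS*RskW); KcWMS = sum(CatMS*CatW); OvWMS = sum(KcMS*KcW)
        return sum(c.max_score() * c.weight() for c in self.children)
    def raw_score(self) -> float:        # CatRS = CatWS/CatW; KcRS = KcWS/KcW
        return self.weighted_score() / self.weight()
    def max_score(self) -> float:        # CatMS = CatWMS/CatW; KcMS = KcWMS/KcW; overall max = OvWMS/OvW
        return self.weighted_max() / self.weight()
    def normalized(self) -> float:       # CatNS, KcNS = (WS/WMS)*1000; OvNS assumed the same way
        return _normalize(self.weighted_score(), self.weighted_max())

    def leaves(self) -> Iterator[RiskFactor]:
        for c in self.children:
            yield from (c.leaves() if isinstance(c, Node) else (c,))

    def top_contributors(self, n: int = 3) -> List[Tuple[str, float]]:
        """Points lost per factor, (RskWMS - RskWS) / WMS * 1000. WMS and WS at any level
        are just the sums of RskWMS and RskWS over its factors (the weights telescope),
        so these shortfalls add up to exactly 1000 - normalized(): a faithful
        'major contributors' view of what is dragging the score down."""
        wms = self.weighted_max()
        gaps = [(f.name, (f.weighted_max() - f.weighted_score()) / wms * 1000.0)
                for f in self.leaves()]
        return sorted(gaps, key=lambda g: g[1], reverse=True)[:n]


def build_sample() -> Node:
    """Constructed questionnaire: two key controls, answers on a 0..5 maturity scale."""
    rf = RiskFactor
    access = Node("Access control", (
        Node("Endpoints", (rf("laptop encryption", 3, 5, 0.8),
                           rf("removable media", 5, 5, 0.5))),
        Node("Authentication", (rf("password management", 2, 5, 1.0),
                                rf("remote access MFA", 4, 5, 0.9))),
    ))
    ops = Node("Operations", (
        Node("Logging and backup", (rf("system logs", 1, 5, 0.6),
                                    rf("information backup", 5, 5, 0.4))),
    ))
    return Node("Overall", (access, ops))
```

On the constructed sample, `build_sample().normalized()` comes to about 624 of 1000 and `top_contributors()` ranks the weak password management answer first. Two caveats the page itself motivates: at the factor level the weight cancels (RskNS reduces to RskRS/RskMS), so weights only matter once answers are aggregated, and since the answers are self-reported, the validated score 250 produced by the audit step is the one to rely on for certification decisions.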
- the business profile risk score 300 is a function of more than one variable.
- the IT control score 310 and the relationship risk score 320 are also functions of more than one variable associated with the plurality of IT information risk factors.
- the IT risk score 330 may be quantified as a function of the business profile score 300 and the IT control score 310 .
- the IT risk score 340 is a function of the business profile risk score 300 , the IT control risk score 310 , and the relationship risk score 320 .
- An algorithm may also be utilized to separate the IT risk score 255 into a normalized baseline score and a composite score that adjusts the baseline score up or down depending upon the relationship the third party has with the client.
- the results are then normalized by category using standard mathematical normalization processes.
- the baseline score is stored in the database 120 and is available to other relying clients upon request from the third party associated with the client. Subsequent requests for the baseline score may be adjusted up or down depending upon the relationship the third party has with the requesting client.
- the composite score is utilized to adjust the baseline score up or down depending upon the relationship risk assessment 125 and/or the third party business profile risk assessment 160 .
- the algorithm uses weighted controls to determine specific impact to the client's business due to a control failure.
- the scoring model also provides a method for the client to assess IT information risk reduction based on reducing the normalized baseline score.
- the invention provides the ability to view the major contributors to IT and information risk in a number of meaningful views.
- the relationship risk score 130 may depend upon the client response to the subset of relationship risk factors.
- the business profile risk score 170 depends upon public record information about the third party associated with the subset of business profile risk factors.
- a change to either the client response or the public record information may correspond to a change in the composite score which results in adjusting the baseline score. It may then be assessed what impact a certain action has in reducing or increasing the baseline score. For example, the client may change their response from $1 million to $5 million to a question asking for the relative monetary value of the business relationship.
- the risk report component 24 is used to assess the increase in the IT information risk associated with the particular risk factor.
- the change in response corresponds to a change in the baseline score.
- the risk report component 24 may calculate the risk reduction or increase in risk exposure based upon at least one risk factor from the plurality of IT information risk factors stored on the database 120 .
- the risk monitoring component 28 is contemplated to provide real-time monitoring of the plurality of IT information risk factors associated with the various risk scores generated by the risk report component 24 .
- the risk monitoring component 28 is capable of monitoring of the IT risk information associated with the relationship risk score 130 , the business profile risk score 170 , and the IT control risk score 210 .
- the risk monitoring component 28 may be configured to continuously monitor and update the plurality of IT information risk factors such as the subset of relationship risk factors associated with the relationship risk assessment 125 .
- the risk monitoring component 28 may assess any changes to the type of relationship between the client and the third party, the length of the relationship, the contract terms, or the monetary value.
- the risk monitoring component 28 may transmit information updated in real-time associated with the plurality of IT information risk factors used by the risk report component 24 to generate the relationship risk score 130 .
- the risk report component 24 may generate an updated relationship risk score 130 based on IT risk information identified by the risk monitoring component 28 .
- the risk monitoring component 28 may also be configured to continuously monitor and update the IT risk information associated with the subset of business profile risk factors corresponding to the business profile risk assessment 160 .
- the risk monitoring component 28 may continuously search for IT risk information corresponding to the third party. For example, if a news story is published about an IT security breach at the third party, the risk monitoring component 28 collects data about the occurrence. This information is then updated within the database 120 and used by the risk report component 24 . The updated IT risk information relates to the subset of business profile risk factors that are associated with the business profile risk assessment 160 of the third party. If an event or IT risk information associated with the third party is made available through public records, the risk monitoring component 28 may record the information and transmit it to the risk report component 24 for generating a revised business profile risk score 170 .
- the risk monitoring component 28 may be configured to continuously monitor and update the plurality of IT information risk factors including the subset of IT security control risk factors associated with the IT security control risk assessment 200 .
- the integrated platform 12 is configured to assess IT risk information associated with a plurality of business relationships between the plurality of clients and the plurality of third parties. For example, the IT security control risk assessment 200 may be completed for the third party with respect to a first client. Another IT security control risk assessment 200 may then be conducted for the same third party with respect to a second subsequent client. If the IT control risk assessment 200 for the third party is different than the prior IT security control risk assessment 200 for the third party with respect to the first client, then the IT security control risk assessment 200 may be updated for the first client with the IT security control risk assessment 200 established for the second subsequent client.
- IT risk information pertaining to one client may be updated in real-time from IT risk information pertaining to a different client. It is also contemplated that the plurality of IT information risk factors associated with a different client or different third party may be used to update the plurality of IT information risk factors associated with a particular client. Therefore, the risk monitoring component 28 may continuously monitor and update the plurality of IT information risk factors associated with the IT security control assessment 200 through updates to the IT risk information related to other business relationships. The risk monitoring component 28 is configured to transmit the updated IT risk information associated with the plurality of risk factors for the IT security control risk assessment 200 to the risk report component 24 for generating an updated IT security control risk score 210 .
- An aspect of the present invention contemplates the risk manager 20 component is a comprehensive solution for managing third party and client relationships.
- the risk manager 20 has the ability to easily catalog and manage third party relationships.
- the risk manager 20 is configured to automate risk reporting, streamline risk decision making, and report exposure by regulation, information type, third party, country, etc.
- the risk manager component 20 provides a graphic user interface for the client to monitor and manage the plurality of business relationships between the client and third parties associated with the client.
- the risk manager 20 component is in communication with the database 120 and the risk report component 24 for receiving information stored within the database 120 and the generated IT risk score 255 . It is also contemplated that the risk manager 20 component is in communication with other components associated with the integrated platform 12 .
- the risk manager 20 component may display or list the third party relationships associated with the client.
- the display may provide such information as to whether the third party is certified by the client, specifies the contract, the expiration of the contract or relationship, the type of service (software development, application hosting, web hosting, data processing, consulting, etc.), the risk level associated with the third party, and any alerts.
- the risk manager 20 component of the present invention may be accessed by the client via a secure login. Additionally, the risk manager 20 is an interactive tool for the client to monitor and manage the plurality of business relationships with the client's third parties. The client may select the third party from the list or display of third parties to obtain more detailed information associated with the selected third party.
- the information may include the relationship risk score 130 , the business profile risk score 170 , the IT control risk score 210 , the IT risk score 255 , remediation plans, and control evidence.
- the control evidence may include documents sufficient to validate certain IT risk information associated with the plurality of IT information risk factors.
- the risk manager component 20 provides the capability of analyzing the relationship risk score 130 by dividing the relationship risk score 130 into three different scores that are key indicators and factors associated with the relationship risk assessment 125 .
- the three scores may include data exposure, compliance and reporting exposure, and business process exposure.
- the business profile risk assessment 160 may be selected as well via the risk manager component 20 .
- the business profile risk assessment 160 may also include status information and various action plans. Additionally, the business profile risk score 170 may be divided into three scores to provide more insight into the business profile risk assessment 160 .
- the key indicators may include regulatory oversight, financial strength, and geopolitics. Thus, scores may be assigned to each of these key indicators.
- the risk manager component 20 may further dissect the IT control risk score 210 to obtain an IT control risk report.
- the IT control risk score 210 may be divided into three separate scores to more adequately explain the IT control risk score 210 .
- the key indicators may include ISO27001/2, PCI 1.2, and FISAP (Financial Institution Shared Assessments Program).
- the client or prospective client accesses the integrated platform 12 and may select a third party IT information risk score lookup option.
- the client inputs search criteria for the third party.
- the database 120 is searched for the IT risk score 255 of the third party. If the IT risk score 255 is available for the third party and the client has been granted access to the third party's risk score, the “risk score report” is presented. If the risk scores are available but authorization has not been granted to the client, then notification is given that access is denied and a “request for access” form must be submitted.
- the client completes the “request for access” form and submits.
- the “request for access” form may be sent via email to the subscribing client or third party for whom a request for the risk scores has been made.
- the subscribing client receives the “request for access” email, logs onto the integrated platform 12 and either approves or disapproves the request. If access is approved the requesting client is sent an email with a link to the site, logs in and views the risk score report. If access is denied, a denial email is sent to the requesting client.
- the database 120 also provides a real-time searchable repository of standardized IT risk scores 255 by company, industry, service type, location and other attributes.
- the invention quantifies both the business profile risk assessment 160 of the third party and quantifies the risk of the third party IT security control assessment 200 by industry sector. These scores are then provided as searchable data points for clients looking to do business with the third party. This provides tremendous proactive and timely risk insight on potential third parties prior to clients engaging them.
- the invention provides the method to query the database for third party risk details including IT risk scores 255 for the third party similar to a Dun & Bradstreet search. As third party security reviews are completed and documented, the IT risk scores 255 are added to the database 120 . Existing clients may be alerted as new third parties are added or may just look up third parties to perform research. Prospective clients are allowed to search the database 120 to see if the IT risk score 255 is on file for the third party the prospective client would like to review before subscribing to the service.
- the IT risk score 255 allows clients to be able to do fast, easy direct searches/lookups into a third party risk score repository to get the information needed before engaging with the third party from an IT risk perspective to make the best business decision for their organization.
- the IT risk score 255 is contemplated to be utilized by businesses to determine whether or not the IT information risk posed by its third parties are within the client's risk tolerance comfort level. It may be comparable to a consumer's credit score that is used by banks to decide to either fund a loan or not fund a loan.
- the risk score lookup service extrapolates tolerable information risk levels for various industry sectors by combining a multitude of individual IT information risk scores established for its clients and the third parties that support them using mathematical formulas and algorithms. This process is analogous to the way credit score ranges are created as a byproduct of creating thousands of individual consumer credit scores. By using the weighted average of scores by industry, a range of scores for the industry is extrapolated.
- the insurance application 18 is configured to assess the IT risk score 255 including the relationship risk score 130 , the business profile risk score 170 , and the IT control risk score 210 to determine an appropriate insurance coverage policy for the client.
- the client 410 requests the integrated platform 430 to quantify IT information risk related to the business relationship with the third party as represented by the arrow shown.
- the IT information risk may be transferred to an insurance company 440 .
- the third party 420 may also have the option of transferring risk associated with the third party's business relationship with the client 410 .
- the insurance application 18 is configured to provide the option of transferring the IT information risk to a third party insurer willing to indemnify the client from damages resulting from the identified risk exposure.
- Insurance companies may reply based upon the IT risk score 255 as one data point that feeds into their decision whether or not to assume the identified risk and insure the client against damages resulting from it.
- the insurance application 18 acts as an online brokerage house for multiple insurers for the clients to get a competitive insurance bid.
- the insurer 440 may choose to underwrite policies to insure both the client 410 and the third party 420 or just one or the other based on the underwriting criteria.
- the client 410 is allowed to choose the insurance coverage that best meets their needs.
- the IT risk scores are used to determine the level of risk for underwriting.
- the insurance application 18 provides a plurality of cyber insurance options for the client 410 to mitigate or transfer the risk established by the IT risk scores.
- the cyber insurance options may include network security and privacy liability, digital content and intellectual property infringement liability, property and business income loss, cyber extortion, regulatory defense and crisis management.
- the insurance coverage options are tailored by the insurance application 18 based on the IT information risk exposure. It is also contemplated that the client 410 may conduct risk reduction assessments to determine the impact the IT risk score may have on obtaining insurance coverage through the insurance application 18 . For example, the client may vary responses to the subset of relationship risk factors to determine the corresponding change in the IT risk score 255 . Based upon these changes, the client may identify actions that reduce the cost of insurance.
- the compliance manager 22 is contemplated as a graphical user interface the client may view, track, and monitor contractual obligations associated with third party business relationship. Additionally, the compliance manager 22 may monitor regulatory and industry standards.
- An aspect of the present invention contemplates a single platform utilized to manage compliance to key industry regulatory standards.
- the invention provides the ability to create a risk based analysis of compliance with multiple regulations, industry and technical standards using a flexible controls definition.
- the invention's method performs a common criteria mapping across the multiple regulations and standards (e.g., ISO27001/2, PCI, FISAP, GLBA, HIPAA, FERC), allowing the client to manage compliance with these regulatory standards through the single platform.
- the present invention adds to the process by using risk based analysis to determine the amount of risk associated with non-compliance.
- the compliance manager 22 may keep track of a plurality of contracts 38 . Each contract from the plurality of contracts 38 may include control evidence or reports 42 securely stored on the database.
- the compliance manager 22 is configured to define a plurality of obligations or actions 44 based upon each contract 38 .
- the client 30 and the third party 32 may provide information or responsive answers in the form of controls 40 .
- the compliance manager 22 may then assess the controls 40 provided by the client 30 and the third party 32 with respect to the actions 44 . It is contemplated that the various stakeholders, including the client 30 , the third party 32 , the auditor, or an insurer 36 , have access through the compliance manager 22 to information associated with a particular contract only as it pertains to the stakeholder's role with respect to the contract 38 .
- the present invention also contemplates due diligence and monitoring services that allow for a regulatory compliant, scalable and cost effective third party risk management program.
- the audit manager component 26 contemplates a method for standardizing the IT auditing process into a quantifiable measure of risk.
- the invention provides an auditor the ability to review the controls and evidence as represented by the third party.
- the auditor may track each of their audit assignments.
- the invention contemplates the ability to reduce costs by using lower cost resources through online access to evidence replacing the high-cost local auditors.
- the audit manager component 26 contemplates the capability of storing and securing evidence of controls compliance.
- the integrated platform provides the ability to perform due diligence reviews through an online portal utilized by the auditor.
- the integrated platform 12 is capable of providing an on-site auditor the ability to review physical evidence and indicate audit results to be stored on the database.
- the integrated platform 12 provides a method of funneling the plurality of third parties based upon their business profile risk scores 170 .
- the funneling or risk profiling method is a quick and cost saving method for the client to assess business relationships with a multitude of third parties to determine which third parties are within the client's risk tolerance level and which third parties require further risk assessment.
- the present invention provides a standardized method for comparing the relative business risk across a population of third party relationships. Automation is accomplished by using a web based technology to gather information about the third party, which gives the client an easy way to register and catalog all third party relationships and to quickly identify and quantify high, medium, and low IT information risk relationships.
- the funneling process reduces the level of effort in identifying and managing the number of third parties that must be reviewed in depth due to their business profile risk assessment 160 . It is contemplated that the subset of business profile risk factors from the plurality of IT information risk factors is evaluated with respect to each third party. The subset of business profile risk factors is assigned corresponding weighting factors to generate the business profile risk score 170 , which is then used to eliminate third parties that are not within the client IT information risk tolerance level. Eliminated third parties are documented and included in audit reports to provide evidence of the client's due diligence.
- request IT risk score 255 and validation for medium or high risk profile scores. It is also contemplated that the IT risk score 255 may be provided at each stage or level of assessment rather than a total score.
- the invention provides a method in which the client is presented with the IT risk score at each stage, wherever the client is in the risk management process. This differs from the “all or nothing” risk scoring function available in most reviews. Based on the results of the funneling process, more in depth reviews can be scheduled. The third parties that pose minimal or acceptable levels of IT information risk are noted, and the documentation can be used to support audits.
- the funneling process results in a list of third parties that have completed as many as four levels of analysis until the third parties that pose the greatest IT information risk to the client are identified.
- the funneling method also provides for dynamic policy management and enforcement.
- An automated risk management component provides an exception process against policy non-compliance for short-term risk acceptance until the exception expires, at which point the risk has to be mitigated or transferred.
- the invention contemplates a pre-defined policy template based on IT risk score 255 .
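The funneling process described in the bullets above, together with the weighted, normalized scoring model set out in the detailed description (per-tier factor scores combined into an IT risk score that is available at each completed stage, and a what-if re-scoring of the kind the risk reduction assessment contemplates), as an added Python example. This is illustrative code, not the patent's or the platform's own; the factor names, weights, band thresholds, combination rule and sample third parties are constructed assumptions.

```python
"""Multi-tiered IT information risk scoring and third-party funneling.
Added, illustrative example (not the patent's or the platform's own code):
factor names, weights, band thresholds and sample third parties are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_RAW = 4  # each questionnaire answer maps to an integer 0 (least risk) .. 4 (most risk)

# Assumed weights per tier; the text does not give the platform's real factors or weights.
RELATIONSHIP_WEIGHTS: Dict[str, float] = {      # answered by the client about the relationship
    "revenue_reliance": 0.30,     # how dependent the client is on the service
    "content_sensitivity": 0.30,  # sensitivity of the information exchanged
    "regulated_data": 0.20,       # regulated (privacy) data in scope
    "process_immaturity": 0.20,   # immaturity of the processes around the relationship
}
BUSINESS_PROFILE_WEIGHTS: Dict[str, float] = {  # compiled from public records
    "financial_instability": 0.40,
    "limited_operating_history": 0.20,
    "litigation_history": 0.20,
    "breach_history": 0.20,
}
IT_CONTROLS_WEIGHTS: Dict[str, float] = {       # third party's control responses, auditor-validated
    "access_control": 0.35,
    "encryption": 0.35,
    "incident_response": 0.30,
}

def weighted_score(answers: Dict[str, int], weights: Dict[str, float]) -> float:
    """Weight each factor's raw answer and normalize the tier to 0..100.
    Unanswered or out-of-range factors raise instead of counting as zero risk."""
    missing = [k for k in weights if k not in answers]
    if missing:
        raise ValueError(f"unanswered risk factors: {missing}")
    for k in weights:
        if not 0 <= answers[k] <= MAX_RAW:
            raise ValueError(f"answer for {k} out of range: {answers[k]}")
    raw = sum(weights[k] * answers[k] for k in weights)
    return round(100.0 * raw / (MAX_RAW * sum(weights.values())), 1)

def risk_level(score: float) -> str:
    """Band a 0..100 score as low / medium / high (thresholds assumed)."""
    if score < 34:
        return "low"
    return "medium" if score < 67 else "high"

@dataclass
class ThirdParty:
    name: str
    relationship_answers: Dict[str, int]
    business_profile_answers: Dict[str, int]
    it_controls_answers: Optional[Dict[str, int]] = None  # None until the controls tier is done
    scores: Dict[str, float] = field(default_factory=dict)  # per-tier scores, filled as computed

def it_risk_score(tp: ThirdParty) -> Tuple[float, str]:
    """Composite IT risk score over the tiers completed so far, plus its band.
    A score is available at every stage; completed tiers are averaged (assumed rule)."""
    tp.scores["relationship"] = weighted_score(tp.relationship_answers, RELATIONSHIP_WEIGHTS)
    tp.scores["business_profile"] = weighted_score(tp.business_profile_answers, BUSINESS_PROFILE_WEIGHTS)
    if tp.it_controls_answers is not None:
        tp.scores["it_controls"] = weighted_score(tp.it_controls_answers, IT_CONTROLS_WEIGHTS)
    composite = round(sum(tp.scores.values()) / len(tp.scores), 1)
    return composite, risk_level(composite)

def funnel(population: List[ThirdParty], tolerance: float) -> Tuple[List[str], List[str]]:
    """First funnel stage: score business profiles and split the population into parties
    within the client's tolerance (documented for audit, no further review) and parties
    that need in-depth assessment."""
    within, further_review = [], []
    for tp in population:
        tp.scores["business_profile"] = weighted_score(tp.business_profile_answers, BUSINESS_PROFILE_WEIGHTS)
        (within if tp.scores["business_profile"] <= tolerance else further_review).append(tp.name)
    return within, further_review

def simulate(tp: ThirdParty, overrides: Dict[str, int]) -> Tuple[float, str]:
    """Risk-manager what-if: re-score with changed relationship answers without touching
    the stored record, so the client can see how a mitigation would move the score."""
    trial = ThirdParty(tp.name, {**tp.relationship_answers, **overrides},
                       tp.business_profile_answers, tp.it_controls_answers)
    return it_risk_score(trial)

# Constructed sample population; names and answers are illustrative only.
SAMPLE_POPULATION = [
    ThirdParty("hosting-vendor-a",
               {"revenue_reliance": 4, "content_sensitivity": 4, "regulated_data": 4, "process_immaturity": 2},
               {"financial_instability": 2, "limited_operating_history": 0, "litigation_history": 1, "breach_history": 4}),
    ThirdParty("payroll-processor-b",
               {"revenue_reliance": 1, "content_sensitivity": 3, "regulated_data": 4, "process_immaturity": 1},
               {"financial_instability": 0, "limited_operating_history": 0, "litigation_history": 0, "breach_history": 0},
               {"access_control": 1, "encryption": 1, "incident_response": 2}),
    ThirdParty("marketing-agency-c",
               {"revenue_reliance": 0, "content_sensitivity": 2, "regulated_data": 0, "process_immaturity": 2},
               {"financial_instability": 2, "limited_operating_history": 2, "litigation_history": 0, "breach_history": 0}),
]

if __name__ == "__main__":
    print("funnel (within tolerance, needs review):", funnel(SAMPLE_POPULATION, tolerance=30.0))
    print([(tp.name,) + it_risk_score(tp) for tp in SAMPLE_POPULATION])
    print("vendor a if regulated data were removed:", simulate(SAMPLE_POPULATION[0], {"regulated_data": 0}))
```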
Description
- The present application is a continuation of U.S. patent application Ser. No. 12/593,987, filed Sep. 30, 2009 and issued as U.S. Pat. No. 8,744,894 on Jun. 3, 2014, that is a national stage entry of PCT Application Serial No. PCT/US2008/005519, filed Apr. 30, 2008, that claims priority to U.S. Provisional Application No. 60/915,001, filed Apr. 30, 2007, the disclosures of which are hereby incorporated by reference in their entirety.
- Not Applicable
- Many businesses increase their dependency on outsourcers, third party technology products and services, electronic commerce, contractors, third party service providers and partners to gain a competitive advantage in the marketplace. This increase in reliance of the business with various third party entities or providers results in an increased risk to their information assets. The information assets at risk may include valuable electronic data such as intellectual property and customer data. These information assets are exchanged between the business and their third party entities and may be at risk of theft or tampering. The need to proactively manage this electronic or “eBusiness” risk associated with these relationships is being driven by State and Federal regulations, industry standards and customer pressures. Investors, regulators, and customers must have assurance that the businesses understand and manage the risk associated with housing and exchanging critical information assets.
- Through business transformation, businesses have been migrating to outsourced services, leveraging third party products and services or relying on business partners to reduce costs. The migration away from in-house solutions to external solutions has intensified the need for stringent security controls on both sides of an information exchange. The requirement to actively manage information technology (IT) information risk is growing rapidly in scope and is extending beyond the business itself to include risks related to third party entities providing a service, product, or other solution to the business. Based on the steady growth of complex business relationships where digital information assets are exchanged between businesses, gaining visibility into risks associated with trusted third parties is becoming imperative. Businesses need a scalable method to assess the cost and efficiency associated with a particular action or plan to reduce or eliminate risk associated with their information assets as it pertains to a particular third party or a plurality of third parties. Furthermore, businesses require an acceptable and defendable method for quantifying the value of their information assets and the risk of exposing these assets in a particular business relationship or across all of their relationships based on either internal or current commercial solutions in the marketplace.
- Increased public demand for businesses to take responsibility for protecting consumer data from unauthorized access has resulted in a corresponding increase in the number of regulatory requirements placed on them. Businesses are required to assess IT risk for their organization and their third party service providers to gauge the level of compliance to these regulations. These assessments must be conducted on a regular basis. There are well known methods in the art to assess IT risk. These methods include providing a risk report and an associated risk score. Each risk report focuses on the risk categories relative to a specific business or application being assessed without the benefit of placing the results in context. Individual IT risk assessments are expensive and time consuming. They are not standardized in a manner to allow comparative analysis or contextual alignment within particular business sectors. Businesses need a simple, sound method to use for deciding whether or not the IT risk posed by internal procedures or by its third party service providers is within its level of risk tolerance analogous to the way financial institutions rely on consumer credit scores to determine whether to fund loans or issue insurance policies.
- This, combined with the multitude of regulations and requirements, is placing an increased burden on businesses and their many third party providers regarding risk assessment, auditing, and compliance management. It is apparent that both businesses and their third party providers will incur greater costs as a result of this increased scrutiny on IT security controls. Considering that each business may have many third party relationships, the assessment process adds additional requirements for manpower and financial resources to track, collect and verify the outsourced third party's IT security. These businesses are limited in their ability to effectively monitor and manage new and existing relationships. Additionally, businesses may have a limited understanding of regulatory and/or contractual obligations governing information assets. There are a variety of well-known methods for assessing eBusiness risk in the art. However, current methods of assessing eBusiness risk associated with a risk score are vague, non-actionable and do not accurately quantify the IT information risk of a business relationship. Current methods do not appear to offer visibility or alternatively, offer a very limited view into the risks associated with these business relationships, thereby providing ineffective or incomplete solutions for managing the risk exposure. Businesses do not have a scalable, cost efficient, and secure method for meeting the compliance requirements associated with contracts and regulations governing their management of information assets risk. Additionally, IT auditors do not have a quantifiable method for reporting results associated with the audit of controls surrounding information assets. Further, the methods known for assessing eBusiness risk do not appear to provide insurance companies a method for quantifying information asset risk for purposes of underwriting.
- Thus, there is a need in the art for an improved method and system for assessing risk exposure for a business exchanging information assets with a plurality of third parties associated with the business.
- The present invention specifically addresses and alleviates the above-identified deficiencies in the art. In this regard, the present invention is directed to a method for information technology (IT) and information asset risk assessment of a business relationship between a client and a third party. The method includes establishing a database. The database includes a plurality of IT information risk factors. The plurality of IT information risk factors stored in the database are associated with certain risks the client may be exposed to based on an action the client follows or based upon who the client uses as their third party provider. The database is configured to receive IT risk information. The IT risk information is associated with the plurality of IT information risk factors. The database is also configured to receive updated IT risk information for storage thereon. The plurality of IT information risk factors includes a subset of relationship risk factors. The subset of relationship risk factors are utilized for evaluating the business relationship risk between the client and the third party. The method also includes receiving IT risk information corresponding to the subset of relationship risk factors. The method continues with generating a relationship risk score. The relationship risk score is determined in response to evaluating the subset of relationship risk factors using the IT risk information corresponding to the subset of relationship risk factors. The method includes monitoring the database for updated IT risk information. The updated IT risk information is used to evaluate the subset of relationship factors and generate a revised relationship risk score. It is contemplated that the database is a server configured to receive the IT risk information from the client or the third party via a computer network.
- Another embodiment in accordance with the present invention includes compiling IT risk information on the database. The compiled IT risk information corresponds to a subset of business profile risk factors. The subset of business profile risk factors are from the plurality of IT information risk factors. The subset of business profile risk factors are used to evaluate the business profile risk of the third party. It is contemplated that the IT risk information corresponding to the subset of business profile risk factors is compiled from public records. The IT risk information compiled from the public records is associated with the third party. The method may continue by generating a business profile risk score. The business profile risk score is generated in response to the evaluation of the subset of business profile risk factors. The database may be monitored for updated IT risk information corresponding to the subset of business profile risk factors. The updated IT risk information is used to revise the business profile risk score.
- In yet another embodiment of the present invention, the plurality of IT information risk factors stored on the database includes a subset of IT control risk factors. The database is configured to receive IT risk information corresponding to the subset of IT control risk factors. The subset of IT control risk factors are evaluated using the received IT risk information associated with the third party. The method continues with generating an IT controls risk score. The IT controls risk score is generated in response to the evaluation of the subset of IT control risk factors. The method also includes monitoring the database for updated IT risk information corresponding to the subset of IT control risk factors. This is accomplished for revising and updating the IT controls risk score.
- In one embodiment of the present invention, an IT risk score is generated. The IT risk score is a combination of the relationship risk score, the business profile risk score, and the IT controls risk score.
- To further standardize the relationship risk score, the relationship risk score may be associated with the type of service provided by the third party to the client. The IT controls score may also be associated with the type of service offered or provided to the client by the third party.
- In one embodiment of the present invention, a client relationship risk tolerance level is evaluated. The client relationship risk tolerance level is determined using a plurality of client relationship risk tolerance criteria. Answers to the plurality of client relationship risk tolerance criteria may be provided by the client for determining the client relationship risk tolerance level. After determining the client relationship risk tolerance level, a plurality of relationship risk mitigation actions are provided that are dependent upon the client relationship risk tolerance level. The appropriate relationship risk mitigation action plan may be selected based upon the relationship risk score. The method may also include evaluating a client business profile risk tolerance level. Similar to the client relationship risk tolerance level, the client business profile risk tolerance level is based upon answers provided by the client with respect to a plurality of client business profile risk tolerance criteria. The client business profile risk tolerance level may correspond to a plurality of business profile risk mitigation actions. The method also includes identifying an appropriate business profile risk mitigation action depending upon the business profile risk score. A client IT controls risk tolerance level may also be evaluated based upon information responsive to a plurality of client IT controls risk tolerance criteria. The IT controls risk tolerance level may correspond to a plurality of IT controls risk mitigation actions. The preferred IT controls risk mitigation action may be identified based upon the IT controls risk score.
- An aspect of the present invention contemplates IT risk information transmitted to the database from the client. IT risk information may also be transmitted to the database from the third party. Additionally, the database may include a web based application. The web based application may be configured to automatically search and compile IT risk information available in public records. The method may also include receiving IT risk information from an auditor. The IT risk information from the auditor corresponds to the subset of IT control risk factors. The IT risk information from the auditor may be utilized to validate the IT risk information associated with the third party or IT control risk factors submitted by the third party. A revised IT controls risk score may be generated using the validated IT risk information thereby providing more accuracy. In one embodiment, a plurality of business relationships between the client and a plurality of third parties may be assessed. This provides the client with a method of evaluating a plurality of third parties in a timely and cost efficient manner.
- The present invention also provides a method for assessing compliance associated with a contract between a client and a third party. The method also assesses compliance between the client and the third party with respect to a government regulation, a law, or an industry standard. The method includes establishing a database. The database is utilized for storing a plurality of obligations for the third party associated with the contract, the government regulation, the law, or the industry standard. The database is also configured to receive information corresponding to the plurality of obligations. The plurality of obligations may be evaluated based upon the received information. The method continues with generating a compliance score. The compliance score is representative of the fulfillment of the plurality of obligations corresponding to the third party. It is also contemplated that the database is continuously monitored for information corresponding to the plurality of obligations. This allows for updating the compliance score when requested. Information corresponding to the plurality of obligations may be provided by the client, the third party, or compiled from public records by the database. The method may also include receiving verified information from an auditor corresponding to the plurality of obligations. The verified information from the auditor is compared with the information corresponding to the plurality of obligations. Any discrepancy may be updated to reflect the verified information. A revised compliance score is generated to reflect the verified information.
- The present invention also provides a risk assessment system accessible to a plurality of clients and a plurality of third parties. The system is utilized to assess, manage, and monitor risk between at least one client and at least one third party associated with the client. The system includes a database having a plurality of IT information risk factors. The database is configured to continuously receive IT risk information for evaluating the plurality of IT information risk factors. The system also includes a scoring application in communication with the database. The scoring application utilizes the plurality of IT information risk factors to generate a plurality of risk scores. The system includes an auditing application configured to receive validated IT risk information from an auditor. The validated IT risk information corresponds to the plurality of IT information risk factors. It is contemplated that the auditing application is in communication with the scoring application for adjusting the plurality of risk scores in response to receiving the validated IT risk information from the auditor. The system may also include a risk manager application. The risk manager application is accessible to the client and configured to receive IT risk information from the client. The IT risk information from the client is used to simulate an adjustment to the plurality of risk scores. It is contemplated that every application or component, such as the risk manager, compliance manager, and audit manager, may be implemented as a stand-alone software component configured to communicate with the system. In this regard, any single application or component may be licensed separately from the system.
- A method is also provided for risk assessment between a client and a third party. The method includes establishing a database having a plurality of IT information risk factors. The database is configured to receive IT risk information associated with the plurality of IT information risk factors. The IT risk information is evaluated for determining the risk between the client and the third party. A risk score is generated representative of the risk assessment between the client and the third party. The method also includes validating IT risk information associated with a subset of IT information risk factors from the plurality of IT information risk factors. The method may conclude with revising the risk score to reflect the validated IT risk information.
- The present invention will be best understood by reference to the following detailed description when read in conjunction with the accompanying drawings.
- These and other features and advantages of the various embodiments disclosed herein will be better understood with respect to the following description and drawings, in which like numbers refer to like parts throughout, and in which:
- FIG. 1 is a block diagram depicting the information technology and information risk assessment system constructed in accordance with the present invention;
- FIGS. 2A-B are flow charts representative of a risk report component for risk assessment;
- FIG. 3 is a block diagram of the scoring model implemented by the risk report component;
- FIG. 4 is a chart illustrating possible action plans based on scores generated by the risk report component;
- FIG. 5 is a diagram illustrating transfer of IT information risk utilizing insurance services constructed in accordance with the present invention; and
- FIG. 6 is a block diagram incorporating aspects of a compliance manager.
- The above description is given by way of example, and not limitation. Given the above disclosure, one skilled in the art could devise variations that are within the scope and spirit of the invention disclosed herein, including various ways of analyzing information technology (IT) and information assets associated with a business relationship between a client and a third party. Further, the various features of the embodiments disclosed herein can be used alone, or in varying combinations with each other and are not intended to be limited to the specific combination described herein. Thus, the scope of the claims is not to be limited by the illustrated embodiments. It is further understood that the use of relational terms such as clients and third party, and the like are used to distinguish one from another entity without necessarily requiring or implying any actual such relationship or order between such entities.
- With reference to FIG. 1 , a diagram illustrating the various components of the method and system for assessing information technology (IT) and information assets 10 is provided. An integrated platform 12 for assessing IT and information asset risk associated with the business relationship between the client and the third party is provided. In this regard, the term “client” is understood to refer to the role of a business or enterprise as a requestor of data or services, while the term “third party” is understood to refer to the role of the entity providing such data or services. Additionally, it is possible that the clients may request data or services in one transaction and provide data or services in another transaction, thus changing their role from client to third party or vice versa. It is contemplated that the third party may include entities such as service providers, outsourcers, insurers, and auditors, by way of example and not of limitation.
- An aspect of the present invention contemplates the integrated platform 12 as a software as a service (SaaS) application. The SaaS application may be hosted on a server or licensed to a client or third party. The integrated platform 12 provides the client and the third party a context from which to determine how IT and information assets relate to industry risk tolerance levels using a standardized IT information risk score. The client and the third party may utilize the standardized IT information risk score to determine whether to accept an identified IT information risk without implementing security controls, to implement security controls to mitigate potential risk, or to transfer the risk to an insurer willing to indemnify the client or the third party from damages resulting from the identified IT information risk.
- The integrated platform 12 may provide real-time analysis and continuous risk activity monitoring to either properly accept, mitigate or transfer risk associated with the business relationship between the client and the third party. The integrated platform 12 may be accessible via a secure web portal or gateway. In this respect, the client may access the integrated platform 12 via a web browser. The level of access may depend on the client's subscription to the various components; the client securely logs into the integrated platform 12 using a registered username and password. The integrated platform 12 may be divided into a multitude of separate internal applications including a risk and compliance management application 14, a report and monitoring application 16, an audit manager application 26 and an insurance application 18. Also included within the integrated platform 12 is a management services application (not shown). Additionally, the integrated platform 12 includes a database (not shown) used to store information obtained from the third party and the client, information generated by the applications, and information obtained from public records. The various applications of the integrated platform 12 are configured to be in communication with the database and each other. Furthermore, it is contemplated that the database is configured to store information for a plurality of business relationships between a plurality of clients and a plurality of third parties. It is contemplated that each application or component hosted on the integrated platform 12 may be implemented as a stand-alone software component independent of the integrated platform 12.
- The risk and compliance management application 14 may include a risk manager component 20 and a compliance manager component 22. The risk manager component 20 is utilized by the client as an interface for monitoring the client's business relationship with third parties and providing a proactive tool for the client to mitigate IT information risk related to the plurality of third parties. The compliance manager component 22 is a tool for use by the client to organize and assess whether various compliance requirements are being followed and/or implemented with respect to industry, regulatory, and contractual obligations.
- The report and monitoring application 16 includes a risk report component 24, an audit manager component 26, and a risk monitoring component 28. The internal applications and components are supported by and fully integrated with various services. It is contemplated that the integrated platform 12 may function in an auto-policy mode that automates proactive actions for third parties classified as medium to high IT information risks based upon the standardized IT information risk score. The integrated platform 12 is designed to be a self-servicing platform for multiple stakeholders including clients, third parties, auditors, insurers, and others, by way of example only and not of limitation. The integrated platform 12 brings multiple groups such as information security, IT, auditors, third parties, insurance agents, risk managers and compliance managers together on a common risk management and assessment platform. The integrated platform 12 allows each identified stakeholder secure access to complete or manage risk assessments, register third parties, run multiple risk and compliance reports or perform third party standardized IT information risk score lookups. The integrated platform 12 may be hosted on a web server or it may be licensed and processed at the client. The integrated platform 12 is contemplated to provide secure exchange of risk and compliance information among these various groups. This may be accomplished through the use of digital rights management (DRM) tools to secure information on the database.
- The audit manager component 26 includes the functionality to schedule an audit, develop an audit plan, review IT security control responses from the third party, and review evidence of control compliance as provided by the third party using a secure web based interface. The system contemplates the ability to manage multiple audits of different types simultaneously.
- The management services application may provide a workflow system to allow third parties and clients to distribute the workload of the system to different staff members within their organization automatically. The management services application is in communication with the database to provide a secured data storage service to allow the client or third party to define access rights to the information stored on the database. The management services application further provides automated risk management policy enforcement whereby the client can define the risk tolerance levels and the policy enforcement application will automatically enforce those policies throughout the system.
- Referring now to FIG. 2A, a flow chart illustrates a method for generating the standardized IT information risk score in accordance with an embodiment of the present invention. The risk report component 24 may utilize a multi-tiered IT information risk assessment to develop the standardized IT information risk score. To initiate the review process 100, the client may access the integrated platform 12 and utilize a look-up feature to locate the third party the client would like to review. The client then selects the third party from the plurality of third parties registered with the database 120. The plurality of third parties registered with the database 120 may be referred to as the third party population 110. Clients relying on third parties to provide them with products, data or services may review these third parties to determine the level of IT risk present within their operating environments. The integrated platform 12 interfaces with the client's risk manager component 20 to load a list of third parties and create a third party pick list from the third party population 110, streamlining the process for initiating IT information risk reviews. If the third party is not found on the pick list, then the client may enter the name, address, tax-id number and other identifying information of the third party the client would like to review into the database 120 via the risk manager component 20. A web application hosted on the integrated platform 12 builds a key using this information to retrieve available public data associated with the third party. The available public data is stored in the database 120 for use in generating a business profile risk score 170.
- The database 120 includes a plurality of IT information risk factors related to the business relationship between the client and the third party, the available public data associated with the third party, and IT security controls implemented by the third party. The plurality of IT information risk factors is evaluated by the risk report component 24 to generate the standardized IT information risk score. The plurality of IT information risk factors are normalized, weighted, and integrated into the multi-tiered scoring model that produces the standardized IT information risk score representative of IT information risk and information security exposure associated with the business relationship between the client and the third party. A relationship risk assessment 125 is executed for the business relationship between the client and the third party. The relationship risk assessment 125 measures the inherent risk the third party poses to the client by factoring in information specific to the relationship, such as the type of service offered and/or the sensitivity of the information being exchanged. IT risk information corresponding to the relationship risk assessment 125 is received by the database 120. The IT risk information may be provided in the form of responses by the client to questions selected from a subset of relationship risk factors from the plurality of IT information risk factors. In other words, the client may answer a set of questions focused on the relationship with the third party being reviewed. The questions and answers aim to quantify the significant aspects of the relationship so that the risk posed by particular IT vulnerabilities can be put into context. If the third party being reviewed is not a major provider of services to the client reviewing it, then the impact of a high IT information risk vulnerability may be reduced.
- The subset of relationship risk factors associated with the relationship risk assessment 125 may include, by way of example: nature of the relationship (monetary value, length of relationship, location), contract terms, privacy (content sensitivity, regulated data), business processes, intellectual property competitiveness, fraud, reporting and compliance, and relationship insurance coverage. The client provides IT risk information for evaluation of each relationship risk factor from the subset of relationship risk factors by answering the set of questions as indicated above. The questions may request the client to select the primary type of relationship that exists with the third party (i.e. application development, system monitoring, hosting services, or data processing), how long the relationship has existed as it relates to the scope of service, and the monetary value of the relationship. These questions are by way of example only and are not meant to limit the type and quantity of questions related to the subset of relationship risk factors associated with the relationship risk assessment 125. The client response to each relationship risk factor from the subset of relationship risk factors is scored and weighted. A scoring algorithm is utilized to generate a relationship risk score 130. The relationship risk score 130 is stored in the database 120. The relationship risk score 130 is representative of the IT and information risk exposure associated with the business relationship between the client and the third party. In one embodiment, the relationship risk score = f(revenue reliance, process maturity, industry sector × impact to business of relationship factor) × relationship factor weighting. Results are then normalized by category using standard mathematical normalization processes.
- The next step may include determining if the
relationship risk score 130 poses asignificant risk 140 to the client. Thesignificant risk 140 assessment may be implemented by therisk manager component 20. The client may access therisk manager component 20 wherein a questionnaire to be answered by the client is provided. The questionnaire corresponds to a plurality of relationship risk tolerance criteria. Based upon the answers provided by the client, a client relationship risk tolerance level may be evaluated. Referring now toFIG. 4 , a chart representative of relationship risk mitigation actions is provided. Therisk manager component 20 may include the chart for each client relationship with the plurality of third parties. A relationship risk mitigation action may be identified based upon therelationship risk score 130. For example, if therelationship risk score 130 ranges between 500 and 700, the relationship risk mitigation action may advise certifying the business relationship between the client and the third party. Alternatively, if therelationship risk score 130 is greater than 700, the client risk tolerance level may suggest certifying the third party with an exception. The exception allows the client to specify a period of time or other factor used to approve the business relationship with the third party although therelationship risk score 130 of the business relationship may be outside the scope of the client's risk tolerance level. Referring again toFIG. 2A , if the business relationship does not pose a significant risk with regard to the client risk tolerance level, the decision to certify is documented 145 on thedatabase 120. Further, based on the client risk tolerance level, atrigger 150 may be provided wherein if therelationship risk score 130 exceeds thetrigger 150 further assessment is required. This added function may be implemented through therisk monitoring component 28. 
If the relationship risk score 130 between the client and the third party poses a significant risk 140, further evaluation may be required.

The risk report component 24 may continue by providing an automated way to assess the third party using IT risk information gathered from public records. Further assessment continues with a business profile risk assessment 160. The business profile risk assessment 160 measures the IT information risk associated with doing business with the third party to meet its business objectives. The plurality of IT information risk factors stored in the database 120 may include a subset of business profile risk factors associated primarily with the business profile risk assessment 160. It is contemplated that the IT risk information used to evaluate the subset of business profile risk factors is collected from public records. The public records include information regarding prior security breaches, financial history, credit history, and legal history. It is contemplated that a web-based application hosted on the integrated platform 12 is configured to automatically collect IT risk information associated with the subset of business profile risk factors and store the information within the database 120.

Similar to the relationship risk score 130, the scoring algorithm is used to generate a business profile risk score 170. Key areas of measurement contemplated to be encompassed by the subset of business profile risk factors include: geopolitics, locale, regulatory oversight, and financial strength. The key areas of measurement listed above are by way of example only and not of limitation. The IT risk information collected is used to evaluate each business profile risk factor from the subset of business profile risk factors. Each business profile risk factor is scored and weighted to generate the business profile risk score 170, which is stored in the database 120. The goal is to measure the IT information risk associated with doing business with the third party as indicated by the subset of business profile risk factors, e.g. whether the third party has a history of security breaches, or is in financial stress and may not be able to maintain the controls required by the client. Third parties receiving high or medium business profile risk scores 170 would be reviewed in depth using the risk scoring system of the risk report component 24. In one embodiment of the present invention, the business profile risk score = f(industry, regulatory controls, financial health * potential of material business impact) * profile factor weighting. Results are then normalized by category using standard mathematical normalization processes.

Following the generation of the business profile risk score 170, an IT risk score 175 is calculated. The IT risk score 175 is a function of both the relationship risk score 130 and the business profile risk score 170. Similar to the significant risk 140 assessment for the relationship risk score 130 by the risk manager component 20, the same may be accomplished in the context of the IT risk score 175. Referring again to FIG. 4, the chart may include risk mitigation actions relating to the business profile risk score 170 individually or in combination with the relationship risk score 130. For example, if the business profile risk score 170 exceeds 700, the risk mitigation plan may suggest a mandatory control assessment, or the risk manager component 20 may be configured to automatically begin the process depending on the client's settings. Referring again to FIG. 2A, if the IT risk score 175 does not pose a significant risk 180 with regard to the client risk tolerance level, the decision to certify is documented 185 on the database 120. Further, based on the client risk tolerance level, a trigger 190 may be provided to alert the client when the IT risk score 175 exceeds the trigger 190. The client may then determine through the risk manager component 20 whether further assessment is required. The monitoring function may be implemented through the risk monitoring component 28.

The risk report component 24 may continue by utilizing responses to a series of IT control measurements covering, for example, ISO27001/2 key controls. The risk report component 24 further contemplates conducting an IT security control assessment 200. The IT security control assessment 200 measures the amount of IT information risk associated with the third party based on the assessment of IT security controls within the third party environment. The plurality of IT information risk factors stored on the database 120 further includes a subset of IT security control factors associated with the IT security control assessment 200. Some key areas of measurement, by way of example, include: insurance coverage, industry compliance, legal compliance, regulatory compliance, risk management, IT environment, outsourcing, security policy, information security organization, third party management, asset management, information assets, human resources security, physical and environmental security, communications and operations management, system logs, laptops/desktops, mobile devices, information backup, network, removable media, electronic messaging, web applications, access control, password management, secure login and remote access, information systems acquisition, testing security controls, information security incident management, business continuity management, and compliance. The key areas of measurement listed above are by way of example only and not of limitation.

In one embodiment, automation is accomplished by using web-based technology to gather information on the maturity of the third party's IT security controls. By using a series of IT security control factors, the maturity of the third party's IT security controls is assessed to determine whether the IT security controls implemented by the third party are adequate to meet the needs of the client. The more mature the controls implemented by the third party, the lower the IT information risk exposure for the client.
The scoring process provides decision criteria and accountability for the client. The more reliant the client is on the third party, the higher the risk a lack of IT security controls places on the client. An aspect of the present invention contemplates an IT control risk score 210 = f((implemented IT security controls, reliability controls implemented, scalability controls implemented, detection controls implemented, recovery controls implemented * probability of breakdown in this control leading to a security breach) * impact to the business of a breach from this control). Results are then normalized by category using standard mathematical normalization processes.

The IT security control assessment 200 focuses on the IT environment of the third party being reviewed. The third party is sent password-protected logon information and the third party representative logs on to complete the IT security control assessment 200. Multiple questions may be presented based on the ISO27001/2 controls structure, or another similar controls standard, and must be answered before the IT security control assessment 200 is marked complete. Answers to the questions are multiple choice or rely on a selection list to maintain consistency and objectivity. Weights are assigned to each answer and calculations combine answers into specific information security domains to generate individual third party IT control risk scores 210. The generated IT control risk score 210 is stored in the database 120. An alert is sent to the client notifying the client that the IT control risk score 210 is available for review; the alert includes the IT control risk score code number associated with the third party that was reviewed. The client logs onto the web application using the IT control risk score code and accesses the IT control risk score 210.

An aspect of the present invention contemplates using a self-reporting electronic IT security control assessment survey to measure the maturity of the IT controls in place within the third party being reviewed. It is contemplated that the third party provides information for evaluation of the subset of IT security control factors. For example, the third party may be presented with a questionnaire including various questions and answers corresponding to the subset of IT security control factors. Additional data that could indicate the company's ability to manage its IT information risk is gathered from public records. The survey may include measurement in all areas of the ISO27001/2 control standards. For example, a survey question may inquire: What percentage of the third party's laptops are protected by encryption? (A. 0%-25%, B. 26%-50%, C. 51%-75%, D. 75%-95%, E. >96%). The third party's response to each IT security control risk factor from the subset of IT security control risk factors is scored and weighted. A scoring algorithm is utilized to generate an IT control risk score 210, which is then stored in the database 120. It is also contemplated that the third party may provide evidence electronically through the database 120 to validate or prove that the third party is in compliance with the IT security control risk factors.

Following the IT control risk score 210, a new IT risk score 215 is calculated. The new IT risk score 215 incorporates the relationship risk score 130, the business profile risk score 170, and the IT control risk score 210. Referring now to FIG. 2B, the IT risk score 215 is assessed to determine whether there is a significant risk 220 to the client based upon client risk tolerance levels. If the IT risk score 215 does not pose a significant risk 220 with regard to the client risk tolerance level, the decision to certify is documented 225 on the database 120. Further, based on the client risk tolerance level, a trigger 230 may be provided for alerting the client when the IT risk score 215 exceeds the trigger 230, thus suggesting further assessment. This monitoring function may be implemented through the risk monitoring component 28. Additionally, it is contemplated that unmanaged risk, regardless of the actions of the client and the third party, may be quantified. The unmanaged risk may be quantified as residual risk 235. The residual risk 235 may be mitigated through the insurance application 18 as described in further detail below.

If a further assessment is required after generating the IT risk score 215, the next step may include control validation 240. The control validation 240 step utilizes the audit manager component 26. The IT risk information used to evaluate the IT security control assessment 200 is audited to determine the accuracy of the information. An auditor may conduct an independent audit using the subset of IT security control risk factors. The auditor may access the integrated platform 12 and provide the audited IT risk information via the audit manager component 26. Therefore, the control validation 240 step modifies the IT control risk score 210 into a validated IT control risk score 250. The validated IT control risk score 250 is similar to the IT control risk score 210; however, the validated IT control risk score 250 utilizes the audited IT risk information.

An IT risk score 255 is calculated incorporating the relationship risk score 130, the business profile risk score 170, and the validated IT control risk score 250. The IT risk score 255 is stored in the database 120. The IT risk score 255 is used as a reliable and objective tool by clients to determine the overall relative IT and information risk associated with the third party. The IT risk score 255 provides analysis for managing the client's third party relationships, including accepting identified risk, implementing controls to mitigate the risk, or transferring risk to a third party insurer via insurance.

The IT risk score 255 may also be assessed to determine whether there is a significant risk 260 to the client based upon client risk tolerance levels associated with the plurality of IT information risk factors. If the IT risk score 255 does not pose a significant risk 260 with regard to the client risk tolerance level, the decision to certify is documented 265 on the database 120. Further, based on the client risk tolerance level, a trigger 270 may be provided to alert the client if the IT risk score 255 exceeds the trigger 270. If the IT risk score 255 exceeds the trigger 270, the client may discontinue the business relationship with the third party, not initiate a relationship with the third party, or mitigate the risks. It is also contemplated that automated actions may be taken on behalf of the client by at least one component of the integrated platform 12. The unmanaged risk in relation to the IT risk score 255 may be quantified as residual risk 275. If the IT risk score 255 is significant with respect to the client tolerance levels, the third party relationship may be discontinued 280. The decision is documented 290 on the database 120.

The IT risk score 255 may also be linked to the type of service being provided to the client for evaluating IT and information risk. A standard set of service types is used to determine inherent security risk. The present invention provides a method to associate the service type corresponding to the relationship risk with the IT risk score 255. This process also allows a standard risk definition for third parties by service type. This service type risk is continually refined as completed third party risk assessments are categorized by service type. For example, service types may include IT service providers, technology product providers, IT outsourcing service providers, consulting/advisory service providers, providers of advisory services in enterprise risk management, business process innovation, business planning and internal audit services, IT staffing service providers, healthcare, manufacturing, marketing/publishing, retail, and education/training providers.

The risk report component 24 allows for analysis of the third party using multi-layer assessment criteria. The multi-layer assessments may be based on industry standards including, for example: FISAP, CoBit, ISO27001/2, and PCI. Further, the risk report component 24 may be configured to generate a plurality of different risk scores based on attributes of the business relationship between the client and the third party. For example, an intellectual property risk score, regulated data risk score, country risk score, and application development risk score may be generated based on the attributes of the relationship between the client and the third party.

In accordance with an embodiment of the present invention, the scoring algorithm utilized by the risk report component 24 to generate the relationship risk score 130, the business profile risk score 170, the IT control risk score 210, and the IT risk score 255 is better understood by reviewing the following glossary and accompanying equations:

Rsk: risk factors. Cat: category scores, used to demonstrate risk in broader areas of risk factors. Kc: key control risk scores, used to demonstrate risk in a wide area of risk factors. Ov: the overall score, used to demonstrate risk represented by the entire area of risk factors. RskRS: risk factor raw score. RskMS: risk factor max score. RskNS: risk factor normalized score. RskW: risk factor weight, used to represent the probability that a failure of a given risk factor will result in a security breach. RskWMS: risk factor weighted max score (RskMS*RskW). CatRF: category risk factor, the scope of risk factors within a given category. KcRF: key control risk factor, the scope of risk factors within a given key control.

The calculations for the category score and the key control score differ in scope. A risk factor can exist at key control or category level and will be considered together with its respective key control or category siblings. The input consists of the risk factor raw score, the risk factor weight, and the category weight; the remaining fields are derived values.
1. Risk Factor Score: The weighted risk factor score (RskWS) is derived by multiplying the answer raw score, which represents the maturity of the control, by a weighting factor that represents the probability that a failure in this control would result in an IT security breach. The RskWS is then divided by the weighted max score and multiplied by 1000 to obtain the risk factor normalized score (RskNS). The following formulas represent the calculation of the RskNS:

$\mathrm{RskRS} = \text{selected answer score}$

$\mathrm{RskWS} = \mathrm{RskRS} \times \mathrm{RskW}$

$\mathrm{RskMS} = \max(\text{possible answer scores})$

$\mathrm{RskNS} = \dfrac{\mathrm{RskWS}}{\mathrm{RskMS} \times \mathrm{RskW}} \times 1000$

2. Selected Answer with Child Risk Factors: Many risk factors need further definition to clarify a response to a high level risk factor with a more in-depth review. For instance, a positive response to the risk factor "Do you have information security policies?" results in additional risk factors being measured, e.g. "Do you have a physical security policy?" and "Do you have an intrusion detection policy?" These are referenced as child or sibling risk factors. The child set risk factor score is derived by first calculating the weighted risk factor score (RskWS) of each child risk factor. The RskWS is derived by multiplying the answer raw score (RskRS) by the risk factor weight (RskW). The RskWS values are summed over all dependent child risk factors and divided by the sum of all child risk factor weights (RskW). The following formula represents the calculation of the child set risk factor score, where $n$ is the number of child factors:

$\text{child set score} = \dfrac{\sum_{i=0}^{n} \mathrm{RskRS}_{\mathrm{child}_i} \times \mathrm{RskW}_{\mathrm{child}_i}}{\sum_{i=0}^{n} \mathrm{RskW}_{\mathrm{child}_i}}$

For a selected answer with associated child risk factors, the score assigned to the answer itself is ignored and replaced by the child set risk factor score.

3. Category Score: The category risk score is derived by calculating the category weighted score (CatWS). To calculate the CatWS, first calculate the RskWS for each risk factor within the category by multiplying each RskRS by its RskW. Then calculate the category weight (CatW) by summing the RskW of each risk factor in the category. The category raw score (CatRS) is calculated by dividing the CatWS by the CatW. The following formulas represent the calculation of the category risk score:

$\mathrm{CatWS} = \sum_{i=0}^{n} \mathrm{RskRS}_{\mathrm{CatRF}_i} \times \mathrm{RskW}_{\mathrm{CatRF}_i}$

$\mathrm{CatW} = \sum_{i=0}^{n} \mathrm{RskW}_{\mathrm{CatRF}_i}$

$\mathrm{CatRS} = \mathrm{CatWS} / \mathrm{CatW}$

The category max score is derived by first calculating the category weighted max score (CatWMS): sum the products RskMS*RskW for each of the risk factors within the category. Then divide the CatWMS by the CatW (described above). This is represented by the following formulas:

$\mathrm{CatWMS} = \sum_{i=0}^{n} \mathrm{RskMS}_{\mathrm{CatRF}_i} \times \mathrm{RskW}_{\mathrm{CatRF}_i}$

$\mathrm{CatMS} = \mathrm{CatWMS} / \mathrm{CatW}$

The category normalized score is derived by dividing the CatWS by the CatWMS and multiplying the result by 1000. This is represented by the following formula:

$\mathrm{CatNS} = (\mathrm{CatWS} / \mathrm{CatWMS}) \times 1000$

4. Key Control Risk Score: The key control risk score is derived by first calculating the key control weighted score (KcWS). To calculate the KcWS, first calculate the CatWS for each category within the key control by multiplying each CatRS by its CatW. Then calculate the key control weight (KcW) by summing the CatW of each category in the key control. The key control raw score (KcRS) is calculated by dividing the KcWS by the KcW. The following formulas represent the calculation of the key control risk score:

$\mathrm{KcWS} = \sum_{i=0}^{n} \mathrm{CatRS}_{\mathrm{KcRF}_i} \times \mathrm{CatW}_{\mathrm{KcRF}_i}$

$\mathrm{KcW} = \sum_{i=0}^{n} \mathrm{CatW}_{\mathrm{KcRF}_i}$

$\mathrm{KcRS} = \mathrm{KcWS} / \mathrm{KcW}$

The key control max score is derived by first calculating the key control weighted max score (KcWMS): sum the products of the category max score (CatMS) and the CatW for each of the categories within the key control. Then divide the KcWMS by the KcW. This is represented by the following formulas:

$\mathrm{KcWMS} = \sum_{i=0}^{n} \mathrm{CatMS}_{\mathrm{KcRF}_i} \times \mathrm{CatW}_{\mathrm{KcRF}_i}$

$\mathrm{KcMS} = \mathrm{KcWMS} / \mathrm{KcW}$

The key control normalized score is derived by dividing the key control weighted score (KcWS) by the key control weighted max score (KcWMS) and multiplying the result by 1000. This is represented by the following formula:

$\mathrm{KcNS} = (\mathrm{KcWS} / \mathrm{KcWMS}) \times 1000$

5. Overall Score: The overall score is used by the risk report component 24 to demonstrate the risk represented by the entire area of the plurality of IT information risk factors. The overall risk score is derived by first calculating the overall weighted score (OvWS). To calculate the OvWS, first calculate the KcW. The following formula represents the calculation of the overall weighted score:

$\mathrm{OvWS} = \sum_{i=0}^{n} \mathrm{KcRS}_{\mathrm{OvRF}_i} \times \mathrm{KcW}_{\mathrm{OvRF}_i}$

The overall set max score is derived by first calculating the overall set weighted max score (OvWMS): sum the products of the key control max score (KcMS) and the key control weight (KcW) for each of the key controls within the overall set. Then divide the OvWMS by OvW. This is represented by the following formula:

$\mathrm{OvWMS} = \sum_{i=0}^{n} \mathrm{KcMS}_{\mathrm{OvRF}_i} \times \mathrm{KcW}_{\mathrm{OvRF}_i}$

The overall set normalized score is derived by dividing the overall set weighted score (OvWS) by the overall set weighted max score (OvWMS) and multiplying the result by 1000. This is represented by the following formula:

$\mathrm{OvNS} = (\mathrm{OvWS} / \mathrm{OvWMS}) \times 1000$
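The glossary and equations above describe one roll-up: risk factor scores into category scores, category scores into key control scores, and key control scores into the overall score, each normalized to 0..1000. The Python below is an added worked example written for this page, not code from the patent or from any product implementing it; the questionnaire answers, weights, and the treatment of a child set's max score (the same weighted average applied to the children's max scores) are assumptions.

```python
"""Worked example of the hierarchical scoring model in the glossary above: risk
factors roll up into categories, categories into key controls, key controls into
the overall score; each level yields raw, max and normalized (0..1000) scores.
All answer scores and weights below are constructed sample data."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class RiskFactor:
    name: str
    possible_scores: List[float]   # score attached to every selectable answer
    selected: float                # RskRS: score of the answer actually given
    weight: float                  # RskW: probability a failure here leads to a breach
    children: List["RiskFactor"] = field(default_factory=list)

    def raw_score(self) -> float:
        """RskRS. With child factors the answer's own score is discarded and
        replaced by the child set score: sum(RskRS_i*RskW_i) / sum(RskW_i)."""
        if self.children:
            ws = sum(c.raw_score() * c.weight for c in self.children)
            return ws / sum(c.weight for c in self.children)
        return self.selected

    def max_score(self) -> float:
        """RskMS: highest possible answer score. For a child set the same
        weighted-average rule is applied to the children's max scores (an
        assumption; the text does not spell out the child set max)."""
        if self.children:
            wms = sum(c.max_score() * c.weight for c in self.children)
            return wms / sum(c.weight for c in self.children)
        return max(self.possible_scores)

    def normalized(self) -> float:
        """RskNS = RskWS / (RskMS * RskW) * 1000, where RskWS = RskRS * RskW."""
        rsk_ws = self.raw_score() * self.weight
        return rsk_ws / (self.max_score() * self.weight) * 1000


@dataclass
class Category:
    name: str
    factors: List[RiskFactor]

    def weight(self) -> float:           # CatW   = sum RskW over CatRF
        return sum(f.weight for f in self.factors)
    def weighted_score(self) -> float:   # CatWS  = sum RskRS * RskW over CatRF
        return sum(f.raw_score() * f.weight for f in self.factors)
    def raw_score(self) -> float:        # CatRS  = CatWS / CatW
        return self.weighted_score() / self.weight()
    def weighted_max(self) -> float:     # CatWMS = sum RskMS * RskW over CatRF
        return sum(f.max_score() * f.weight for f in self.factors)
    def max_score(self) -> float:        # CatMS  = CatWMS / CatW
        return self.weighted_max() / self.weight()
    def normalized(self) -> float:       # CatNS  = CatWS / CatWMS * 1000
        return self.weighted_score() / self.weighted_max() * 1000


@dataclass
class KeyControl:
    name: str
    categories: List[Category]

    def weight(self) -> float:           # KcW    = sum CatW over KcRF
        return sum(c.weight() for c in self.categories)
    def weighted_score(self) -> float:   # KcWS   = sum CatRS * CatW over KcRF
        return sum(c.raw_score() * c.weight() for c in self.categories)
    def raw_score(self) -> float:        # KcRS   = KcWS / KcW
        return self.weighted_score() / self.weight()
    def weighted_max(self) -> float:     # KcWMS  = sum CatMS * CatW over KcRF
        return sum(c.max_score() * c.weight() for c in self.categories)
    def max_score(self) -> float:        # KcMS   = KcWMS / KcW
        return self.weighted_max() / self.weight()
    def normalized(self) -> float:       # KcNS   = KcWS / KcWMS * 1000
        return self.weighted_score() / self.weighted_max() * 1000


def overall_normalized(key_controls: List[KeyControl]) -> float:
    """OvNS = OvWS / OvWMS * 1000 with OvWS = sum KcRS*KcW, OvWMS = sum KcMS*KcW."""
    ov_ws = sum(k.raw_score() * k.weight() for k in key_controls)
    ov_wms = sum(k.max_score() * k.weight() for k in key_controls)
    return ov_ws / ov_wms * 1000


def sample_assessment() -> List[KeyControl]:
    """Constructed questionnaire: one key control with two categories. The
    laptop question maps its five answer bands A..E to scores 0..100."""
    laptops = RiskFactor("laptop disk encryption", [0, 25, 50, 75, 100], 50, 0.8)
    policy = RiskFactor("information security policies", [0, 100], 100, 0.6, [
        RiskFactor("physical security policy", [0, 100], 100, 0.5),
        RiskFactor("intrusion detection policy", [0, 100], 0, 0.5),
    ])
    backups = RiskFactor("information backup tested", [0, 50, 100], 100, 0.7)
    return [KeyControl("operations and policy", [
        Category("laptops/desktops", [laptops]),
        Category("security policy", [policy, backups]),
    ])]
```

Note that the "yes" answer on the policy factor is replaced by its child set score (50 here, because only one of the two child policies exists), which is what pulls the security policy category below 1000 even though the top-level answer was positive.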
Referring briefly to FIG. 3, the business profile risk score 300 is a function of more than one variable. The IT control score 310 and the relationship risk score 320 are also functions of more than one variable associated with the plurality of IT information risk factors. The IT risk score 330 may be quantified as a function of the business profile score 300 and the IT control score 310. In another embodiment of the present invention, the IT risk score 340 is a function of the business profile risk score 300, the IT control risk score 310, and the relationship risk score 320.

An algorithm may also be utilized to separate the IT risk score 255 into a normalized baseline score and a composite score that adjusts the baseline score up or down depending upon the relationship the third party has with the client. The algorithm is f(sum(weighted and normalized score sub n, where n = number of risk factors measured) * category weighting factor). The results are then normalized by category using standard mathematical normalization processes. The baseline score is stored in the database 120 and is available to other relying clients upon request from the third party associated with the client. Subsequent requests for the baseline score may be adjusted up or down depending upon the relationship the third party has with the requesting client.

The composite score is utilized to adjust the baseline score up or down depending upon the relationship risk assessment 125 and/or the third party business profile risk assessment 160. The algorithm uses weighted controls to determine the specific impact to the client's business of a control failure. The scoring model also provides a method for the client to assess IT information risk reduction based on reducing the normalized baseline score. The invention provides the ability to view the major contributors to IT and information risk in a number of meaningful views. As discussed above, the relationship risk score 130 may depend upon the client response to the subset of relationship risk factors. The business profile risk score 170 depends upon public record information about the third party associated with the subset of business profile risk factors. Therefore, it is contemplated that a change to either the client response or the public record information may correspond to a change in the composite score, which results in adjusting the baseline score. It may then be assessed what impact a certain action has in reducing or increasing the baseline score. For example, the client may change their response from $1 million to $5 million to a question asking for the relative monetary value of the business relationship. The risk report component 24 is then used to assess the increase in the IT information risk associated with that particular risk factor: the change in response corresponds to a change in the baseline score. The risk report component 24 may calculate the risk reduction or increase in risk exposure based upon at least one risk factor from the plurality of IT information risk factors stored on the database 120.

The risk monitoring component 28 is contemplated to provide real-time monitoring of the plurality of IT information risk factors associated with the various risk scores generated by the risk report component 24. The risk monitoring component 28 is capable of monitoring the IT risk information associated with the relationship risk score 130, the business profile risk score 170, and the IT control risk score 210. The risk monitoring component 28 may be configured to continuously monitor and update the plurality of IT information risk factors, such as the subset of relationship risk factors associated with the relationship risk assessment 125. For example, the risk monitoring component 28 may assess any changes to the type of relationship between the client and the third party, the length of the relationship, the contract terms, or the monetary value. The risk monitoring component 28 may transmit information updated in real-time associated with the plurality of IT information risk factors used by the risk report component 24 to generate the relationship risk score 130. Thus, it is contemplated that the risk report component 24 may generate an updated relationship risk score 130 based on IT risk information identified by the risk monitoring component 28.

The risk monitoring component 28 may also be configured to continuously monitor and update the IT risk information associated with the subset of business profile risk factors corresponding to the business profile risk assessment 160. In this respect, the risk monitoring component 28 may continuously search for IT risk information corresponding to the third party. For example, if a news story is published about an IT security breach at the third party, the risk monitoring component 28 collects data about such occurrences. This information is then updated within the database 120 and used by the risk report component 24. The updated IT risk information relates to the subset of business profile risk factors that are associated with the business profile risk assessment 160 of the third party. If an event or IT risk information associated with the third party is made available through public records, the risk monitoring component 28 may record the information and transmit it to the risk report component 24 for generating a revised business profile risk score 170.

The risk monitoring component 28 may be configured to continuously monitor and update the plurality of IT information risk factors, including the subset of IT security control risk factors associated with the IT security control risk assessment 200. The integrated platform 12 is configured to assess IT risk information associated with a plurality of business relationships between the plurality of clients and the plurality of third parties. For example, the IT security control risk assessment 200 may be completed for the third party with respect to a first client. Another IT security control risk assessment 200 may then be conducted for the same third party with respect to a second, subsequent client. If the IT control risk assessment 200 for the third party differs from the prior IT security control risk assessment 200 for the third party with respect to the first client, then the IT security control risk assessment 200 may be updated for the first client with the IT security control risk assessment 200 established for the second, subsequent client. Therefore, IT risk information pertaining to one client may be updated in real-time from IT risk information pertaining to a different client. It is also contemplated that the plurality of IT information risk factors associated with a different client or different third party may be used to update the plurality of IT information risk factors associated with a particular client. Therefore, the risk monitoring component 28 may continuously monitor and update the plurality of IT information risk factors associated with the IT security control assessment 200 through updates to the IT risk information related to other business relationships. The risk monitoring component 28 is configured to transmit the updated IT risk information associated with the plurality of risk factors for the IT security control risk assessment 200 to the risk report component 24 for generating an updated IT security control risk score 210.

An aspect of the present invention contemplates the
risk manager 20 component is a comprehensive solution for managing third party and client relationships. Therisk manager 20 has the ability to easily catalog and manage third party relationships. Therisk manager 20 is configured to automate risk reporting and streamlined risk decision making, exposure reporting based on regulation, information type, third party, country, etc. In one embodiment of the present invention, therisk manager component 20 provides a graphic user interface for the client to monitor and manage the plurality of business relationships between the client and third parties associated with the client. Therisk manager 20 component is in communication with thedatabase 120 and therisk report component 24 for receiving information stored within thedatabase 120 and the generatedIT risk score 255. It is also contemplated that therisk manager 20 component is in communication with other components associated with theintegrated platform 12. Therisk manager 20 component may display or list the third party relationships associated with the client. The display may provide such information as to whether the third party is certified by the client, specifies the contract, the expiration of the contract or relationship, the type of service (software development, application hosting, web hosting, data processing, consulting, etc.), the risk level associated with the third party, and any alerts. - The
risk manager 20 component of the present invention may be accessed by the client via a secure login. Additionally, therisk manager 20 is an interactive tool for the client to monitor and manage the plurality of business relationships with the client's third parties. The client may select the third party from the list or display of third parties to obtain more detailed information associated with the selected third party. The information may include therelationship risk score 130, the business profile risk score 170, the ITcontrol risk score 210, theIT risk score 255, remediation plans, and control evidence. The control evidence may include documents sufficient to validate certain IT risk information associated with the plurality of IT information risk factors. Therisk manager component 20 provides the capability of analyzing the risk relationship score 130 by divided therelationship risk score 130 into three different scores that are key indicators and factors associated with therelationship risk assessment 125. The three scores may include data exposure, compliance and reporting exposure, and business process exposure. - Similar to the
relationship risk score 130, the business profile risk assessment 160 may be selected as well via therisk manager component 20. The business profile risk assessment 160 may also include status information and various action plans. Additionally, the business profile risk score 160 may be divided into three scores to provide more insight into the business profile risk assessment 160. For example, the key indicators may include regulatory oversight, financial strength, and geopolitics. Thus, scores may be assigned to each of these key indicators. Therisk manager component 20 may further dissect the ITcontrol risk score 210 to obtain an IT control risk report. The ITcontrol risk score 210 may be divided into three separate scores to more adequately explain the ITcontrol risk score 210. In one example, the key indicators may include ISO27001/2, PCI 1.2, and FISAP (Financial Institution Shared Assessments Program). - It is also contemplated that the client or prospective client accesses the
integrated platform 12 and may select a third party IT information risk score lookup option. The client inputs search criteria for the third party. Thedatabase 120 is searched for theIT risk score 255 of the 3rd Party. If theIT risk score 255 is available for the third party and the client has been granted access to the third party's risk score the “risk score report” is presented. If the risk scores are available but authorization has not been granted to the client then notification is given that access is denied and a “request for access” form must be submitted. The client completes the “request for access” form and submits. The “request for access” form may be sent via email to the subscribing client or third party for whom a request for the risk scores has been made. The subscribing client receives the “request for access” email, logs onto theintegrated platform 12 and either approves or disapproves the request. If access is approved the requesting client is sent an email with a link to the site, logs in and views the risk score report. If access is denied, a denial email is sent to the requesting client. - The
database 120 also provides a real-time searchable repository of standardized IT risk scores 255 by company, industry, service type, location and other attributes. The invention quantifies both the business profile risk assessment 160 of the third party and quantifies the risk of the third party ITsecurity control assessment 200 by industry sector. These scores are then provided as searchable data points for clients looking to do business with the third party. This provides tremendous proactive and timely risk insight on potential third parties prior to clients engaging them. The invention provides the method to query the database for third party risk details including IT risk scores 255 for the third party similar to a Dun & Bradstreet search. As third party security reviews are completed and documented, the IT risk scores 255 are added to thedatabase 120. Existing clients may be alerted as new third parties are added or may just look up third parties to perform research. Prospective clients are allowed to search thedatabase 120 to see if theIT risk score 255 is on file for the third party the prospective client would like to review before subscribing to the service. - The
IT risk score 255 allows clients to be able to do fast, easy direct searches/lookups into a third party risk score repository to get the information needed before engaging with the third party from an IT risk perspective to make the best business decision for their organization. TheIT risk score 255 is contemplated to be utilized by businesses to determine whether or not the IT information risk posed by its third parties are within the client's risk tolerance comfort level. It may be comparable to a consumer's credit score that is used by banks to decide to either fund a loan or not fund a loan. It is contemplated that the risk score lookup service extrapolates tolerable information risk levels for various industry sectors by combining a multitude of individual IT information risk scores established for its clients and the third parties that support them using mathematical formulas and algorithms. This process is analogous to the way credit score ranges are created as a byproduct of creating thousands of individual consumer credit scores. By using the weighted average of scores by industry, a range of scores for the industry is extrapolated. - The
insurance application 18 is configured to assess theIT risk score 255 including therelationship risk score 130, the business profile risk score 170, and the ITcontrol risk score 210 to determine an appropriate insurance coverage policy for the client. Referring now toFIG. 5 , theclient 410 requests theintegrated platform 430 to quantify IT information risk related to the business relationship with the third party as represented by the arrow shown. Following the quantification of the IT information risk quantified by theintegrated platform 430 with respect to the business relationship between theclient 410 and thethird party 420, the IT information risk may be transferred to aninsurance company 440. Additionally, thethird party 420 may also have the option of transferring risk associated with the third party's business relationship with theclient 410. Theinsurance application 18 is configured to provide the option of transferring the IT information risk to a third party insurer willing to indemnify the client from damages resulting from the identified risk exposure. - Insurance companies may reply based upon the
IT risk score 255 as one data point that feeds into their decision whether or not to assume the identified risk and insure the client against damages resulting from it. Theinsurance application 18 acts as an online brokerage house for multiple insurers for the clients to get a competitive insurance bid. Theinsurer 440 may choose to underwrite policies to insure both theclient 410 and thethird party 420 or just one or the other based on the underwriting criteria. Theclient 410 is allowed to choose the insurance coverage that best meets their needs. The IT risk scores are used to determine the level of risk for underwriting. Theinsurance application 18 provides a plurality of cyber insurance options for theclient 410 to mitigate or transfer the risk established by the IT risk scores. The cyber insurance options may include network security and privacy liability, digital content and intellectual property infringement liability, property and business income loss, cyber extortion, regulatory defense and crisis management. The insurance coverage options are tailored by theinsurance application 18 based on the IT information risk exposure. It is also contemplated that theclient 410 may conduct risk reduction assessments to determine the impact the IT risk score may have on obtaining insurance coverage through theinsurance application 18. For example, the client may vary responses to the subset of relationship risk factors to determine the corresponding change in theIT risk score 255. Based upon these changes, the client may determine certain actions that reduced the cost of insurance. - The
compliance manager 22 is contemplated as a graphical user interface the client may view, track, and monitor contractual obligations associated with third party business relationship. Additionally, thecompliance manager 22 may monitor regulatory and industry standards. An aspect of the present invention contemplates a single platform utilized to manage compliance to key industry regulatory standards. The invention creates the ability to create a risk based analysis of the compliance to multiple regulations, industry and technical standards using a flexible controls definition. The invention's method performs a common criteria mapping across the multiple regulations and standards (e.g., ISO27001/2, PCI, FISAP, GLBA, HIPPA, FERC) allowing the client to manage compliance of these regulatory standards through the single platform. The present invention adds to the process by using risk based analysis to determine the amount of risk associated with non-compliance. - Referring now to
FIG. 6 , thecompliance manager 22 according to an embodiment of the present invention is provided with respect to theintegrated platform 12. Thecompliance manager 22 may keep track of a plurality ofcontracts 38. Each contract from the plurality ofcontracts 38 may include control evidence or reports 42 securely stored on the database. Thecompliance manager 22 is configured to define a plurality of obligations oractions 44 based upon eachcontract 38. Theclient 30 and thethird party 32 may provide information or responsive answers in the form ofcontrols 40. Thecompliance manager 22 may then assess thecontrols 40 provided by theclient 30 and thethird party 32 with respect to theactions 44. It is contemplated that the various stakeholders including theclient 30, thethird party 32, the auditor, or aninsurer 36 have access to thecompliance manager 22 to information associated with a particular contract only as it pertains to the stakeholders role with respect to thecontract 38. - The present invention also contemplates due diligence and monitoring services that allow for a regulatory compliant, scalable and cost effective third party risk management program. The
audit manager component 26 contemplates a method for standardizing the IT auditing process into a quantifiable measure of risk. The invention provides an auditor the ability to review the controls and evidence as represented by the third party. The auditor may track each of their audit assignments. Thus, the invention contemplates the ability to reduce costs by using lower cost resources through online access to evidence replacing the high-cost local auditors. Furthermore, theaudit manager component 26 contemplates the capability of storing and securing evidence of controls compliance. The integrated platform provides the ability to perform due diligence reviews through an online portal utilized by the auditor. Theintegrated platform 12 is capable of providing an on-site auditor the ability to review physical evidence and indicate audit results to be stored on the database. - The
integrated platform 12 provides a method of funneling the plurality of third parties based upon their business profile risk scores 170. The funneling or risk profiling method is a quick and cost saving method for the client to assess business relationships with a multitude of third parties to determine which third parties are within the client's risk tolerance level and which third parties require further risk assessment. The present invention provides a standardized method for comparing the relative business risk across a population of third party relationships. Automation is accomplished by using a web based technology to gather information about the third party which allows the client an easy and simple way to register and catalog all third party relationships and be able to quickly identify and quantify high, medium, and low IT information risk relationships. The funneling process reduces the level of effort in identifying and managing the number of third parties that must be reviewed in depth due to their business profile risk assessment 160. It is contemplated that the subset of business profile risk factors from the plurality of IT information risk factors are evaluated with respect to each third party. The subset of business profile risk factors are assigned corresponding weighting factors to generate the business profile risk score 170 and then used to eliminate third parties that are not within the client IT information risk tolerance level. Eliminated third parties are documented and included in audit reports to provide evidence of the client's due diligence. - Following review of the risk profiling reports to the client, work flow actions are offered: request
IT risk score 255 and validation for medium or high risk profile scores. It is also contemplated that theIT risk score 255 may be provided at each stage or level of assessment rather than a total score. The invention provides a method in which wherever the client is in the risk management process, the client is presented with the IT risk score at each stage. This differs from the “all or nothing” risk scoring function available in most reviews. Based on the results of the funneling process, more in depth reviews can be scheduled. The third parties that pose minimal or acceptable levels of IT information risk are noted and the documentation can be used to support audits. The funneling process results in a list of third parties that have completed as many as four levels of analysis until the third parties that pose the greatest IT information risk to the client are identified. The funneling method also provides for dynamic policy management and enforcement. An automated risk management component provides an exception process against policy non-compliance for short-term risk acceptance until the exception expires in which the risk has to be mitigated or transferred. The invention contemplates a pre-defined policy template based onIT risk score 255. - The various embodiments described above are provided by way of illustration only and should not be construed to limit the invention. Those skilled in the art will readily recognize various modifications and changes that may be made to the present invention without following the example embodiments and applications illustrated and described herein, and without departing from the true spirit and scope of the present invention. Accordingly, the scope of the invention should be determined not by the embodiments illustrated, but by the appended claims and their equivalents.
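The third party IT risk score lookup and “request for access” flow described above, worked through as an added example (not the patent's own code): the report is presented only when a score is on file and the requesting client holds an explicit grant, a request can only be decided by the subscribing client that owns the review, and every lookup and decision is recorded. The repository, grant table, e-mail outbox and site link are constructed in-memory stand-ins.

```python
"""Third party IT risk score lookup with an access grant check and a
"request for access" workflow. Added example; not the patent's own code.
The repository, grant table and e-mail outbox are in-memory stand-ins."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple

# Placeholder for the site link sent in the approval e-mail (not from the page).
SITE_LINK = "https://platform.example/login"


class LookupOutcome(Enum):
    REPORT = "risk score report presented"
    ACCESS_DENIED = "access denied; submit a request for access"
    NOT_ON_FILE = "no IT risk score on file"


@dataclass
class AccessRequest:
    request_id: int
    requesting_client: str
    third_party: str
    status: str = "pending"  # pending | approved | denied


@dataclass
class ScoreRepository:
    # third party -> (subscribing client that owns the review, IT risk score 255)
    scores: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    # explicit grants only: (client, third party); nothing is shared by default
    grants: Set[Tuple[str, str]] = field(default_factory=set)
    requests: Dict[int, AccessRequest] = field(default_factory=dict)
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, message)
    audit_log: List[str] = field(default_factory=list)

    def lookup(self, client: str, third_party: str) -> LookupOutcome:
        """Present the report only when a score exists AND the client is authorized."""
        self.audit_log.append(f"lookup by {client} for {third_party}")
        if third_party not in self.scores:
            return LookupOutcome.NOT_ON_FILE
        owner, _ = self.scores[third_party]
        if client == owner or (client, third_party) in self.grants:
            return LookupOutcome.REPORT
        return LookupOutcome.ACCESS_DENIED

    def submit_access_request(self, client: str, third_party: str) -> AccessRequest:
        """Only meaningful when a score exists but no grant does; the subscribing
        client that owns the review is notified by e-mail."""
        if self.lookup(client, third_party) is not LookupOutcome.ACCESS_DENIED:
            raise ValueError("a request for access applies only to an existing, ungranted score")
        req = AccessRequest(len(self.requests) + 1, client, third_party)
        self.requests[req.request_id] = req
        owner, _ = self.scores[third_party]
        self.outbox.append((owner, f"request for access #{req.request_id}: {client} -> {third_party}"))
        self.audit_log.append(f"request #{req.request_id} submitted by {client} for {third_party}")
        return req

    def decide_request(self, approver: str, request_id: int, approve: bool) -> AccessRequest:
        """Approval or denial is accepted only from the owning subscriber, and only once."""
        req = self.requests[request_id]
        owner, _ = self.scores[req.third_party]
        if approver != owner:
            self.audit_log.append(f"decision on #{request_id} refused: {approver} is not the owner")
            raise PermissionError("only the subscribing client that owns the review may decide")
        if req.status != "pending":
            raise ValueError(f"request #{request_id} already {req.status}")
        if approve:
            req.status = "approved"
            self.grants.add((req.requesting_client, req.third_party))
            self.outbox.append((req.requesting_client, f"access approved, log in at {SITE_LINK}"))
        else:
            req.status = "denied"
            self.outbox.append((req.requesting_client, f"request for access #{request_id} denied"))
        self.audit_log.append(f"request #{request_id} {req.status} by {approver}")
        return req


def build_sample_repository() -> ScoreRepository:
    """Constructed sample data: one subscriber owns the review of one vendor."""
    repo = ScoreRepository()
    repo.scores["Vendor A"] = ("Client One", 72)  # constructed IT risk score 255
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    print(repo.lookup("Client Two", "Vendor A").value)   # access denied
    req = repo.submit_access_request("Client Two", "Vendor A")
    repo.decide_request("Client One", req.request_id, approve=True)
    print(repo.lookup("Client Two", "Vendor A").value)   # report presented
    print("\n".join(repo.audit_log))
```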
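The funneling (risk profiling) method described above, worked through as an added example that is not the patent's own code: the three business profile key indicators named in the text are weighted into a business profile risk score 170, third parties above the client's tolerance ceiling are eliminated and documented for audit, low-tier parties are noted as acceptable, and medium or high parties within tolerance get the workflow action "request IT risk score 255 and validation". The weights, 0..100 rating scale, tier cut-offs and sample vendors are constructed for this example.

```python
"""Funneling of third parties by weighted business profile risk score.
Added example; not the patent's own code. Key indicators come from the text;
weights, rating scale, tier cut-offs and sample ratings are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Weighting factors for the subset of business profile risk factors (constructed).
WEIGHTS: Dict[str, float] = {
    "regulatory_oversight": 0.40,
    "financial_strength": 0.35,
    "geopolitics": 0.25,
}
# Each factor is rated 0 (least risk) .. 100 (most risk); tier cut-offs are constructed.
LOW_MAX = 39      # 0..39 low
MEDIUM_MAX = 69   # 40..69 medium, 70..100 high


@dataclass
class ThirdParty:
    name: str
    ratings: Dict[str, int]


@dataclass
class ProfilingRecord:
    name: str
    score: int         # business profile risk score 170
    tier: str          # low | medium | high
    disposition: str   # what the funnel did with the third party, kept for audit


def business_profile_risk_score(ratings: Dict[str, int],
                                weights: Dict[str, float] = WEIGHTS) -> int:
    """Weighted score; malformed weights or ratings are rejected rather than
    silently producing an artificially low score."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weighting factors must sum to 1")
    missing = set(weights) - set(ratings)
    if missing:
        raise ValueError(f"missing ratings for {sorted(missing)}")
    for factor in weights:
        if not 0 <= ratings[factor] <= 100:
            raise ValueError(f"rating for {factor} out of range 0..100")
    return round(sum(weights[f] * ratings[f] for f in weights))


def risk_tier(score: int) -> str:
    if score <= LOW_MAX:
        return "low"
    return "medium" if score <= MEDIUM_MAX else "high"


def funnel(third_parties: List[ThirdParty],
           tolerance_ceiling: int) -> Dict[str, List[ProfilingRecord]]:
    """Stage-one funnel: eliminate (and document) parties above the client's
    tolerance ceiling, note low-tier parties as acceptable, and queue medium or
    high parties within tolerance for an IT risk score 255 request."""
    buckets: Dict[str, List[ProfilingRecord]] = {
        "eliminated": [], "acceptable": [], "request_it_risk_score": []}
    for tp in third_parties:
        score = business_profile_risk_score(tp.ratings)
        tier = risk_tier(score)
        if score > tolerance_ceiling:
            buckets["eliminated"].append(ProfilingRecord(
                tp.name, score, tier,
                f"score {score} exceeds tolerance ceiling {tolerance_ceiling}; documented for audit"))
        elif tier == "low":
            buckets["acceptable"].append(ProfilingRecord(
                tp.name, score, tier, "acceptable IT information risk; noted to support audits"))
        else:
            buckets["request_it_risk_score"].append(ProfilingRecord(
                tp.name, score, tier, "request IT risk score 255 and validation"))
    return buckets


def audit_report(buckets: Dict[str, List[ProfilingRecord]]) -> List[str]:
    """Flat evidence lines for the client's due diligence file."""
    return [f"{bucket}: {r.name} score={r.score} tier={r.tier}; {r.disposition}"
            for bucket, records in buckets.items() for r in records]


SAMPLE_THIRD_PARTIES = [  # constructed ratings
    ThirdParty("Vendor A", {"regulatory_oversight": 20, "financial_strength": 30, "geopolitics": 10}),
    ThirdParty("Vendor B", {"regulatory_oversight": 50, "financial_strength": 60, "geopolitics": 40}),
    ThirdParty("Vendor C", {"regulatory_oversight": 90, "financial_strength": 80, "geopolitics": 72}),
]

if __name__ == "__main__":
    for line in audit_report(funnel(SAMPLE_THIRD_PARTIES, tolerance_ceiling=75)):
        print(line)
```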
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/282,347 US20150066577A1 (en) | 2007-04-30 | 2014-05-20 | Method and system for assessing, managing and monitoring information technology risk |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US91500107P | 2007-04-30 | 2007-04-30 | |
PCT/US2008/005519 WO2008140683A2 (en) | 2007-04-30 | 2008-04-30 | A method and system for assessing, managing, and monitoring information technology risk |
US59398709A | 2009-09-30 | 2009-09-30 | |
US14/282,347 US20150066577A1 (en) | 2007-04-30 | 2014-05-20 | Method and system for assessing, managing and monitoring information technology risk |
Related Parent Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/593,987 Continuation US8744894B2 (en) | 2007-04-30 | 2008-04-30 | Method and system for assessing, managing, and monitoring information technology risk |
PCT/US2008/005519 Continuation WO2008140683A2 (en) | 2007-04-30 | 2008-04-30 | A method and system for assessing, managing, and monitoring information technology risk |
Publications (1)
Publication Number | Publication Date |
---|---|
US20150066577A1 true US20150066577A1 (en) | 2015-03-05 |
Family
ID=40002838
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/593,987 Expired - Fee Related US8744894B2 (en) | 2007-04-30 | 2008-04-30 | Method and system for assessing, managing, and monitoring information technology risk |
US14/282,347 Abandoned US20150066577A1 (en) | 2007-04-30 | 2014-05-20 | Method and system for assessing, managing and monitoring information technology risk |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/593,987 Expired - Fee Related US8744894B2 (en) | 2007-04-30 | 2008-04-30 | Method and system for assessing, managing, and monitoring information technology risk |
Country Status (2)
Country | Link |
---|---|
US (2) | US8744894B2 (en) |
WO (1) | WO2008140683A2 (en) |
Cited By (188)
US10803202B2 (en) | 2018-09-07 | 2020-10-13 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US10803200B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing systems for processing and managing data subject access in a distributed environment |
US10810006B2 (en) | 2017-08-28 | 2020-10-20 | Bank Of America Corporation | Indicator regression and modeling for implementing system changes to improve control effectiveness |
US10839102B2 (en) | 2016-06-10 | 2020-11-17 | OneTrust, LLC | Data processing systems for identifying and modifying processes that are subject to data subject access requests |
US10848523B2 (en) | 2016-06-10 | 2020-11-24 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10846433B2 (en) | 2016-06-10 | 2020-11-24 | OneTrust, LLC | Data processing consent management systems and related methods |
US10853501B2 (en) | 2016-06-10 | 2020-12-01 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US10873606B2 (en) | 2016-06-10 | 2020-12-22 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10878127B2 (en) | 2016-06-10 | 2020-12-29 | OneTrust, LLC | Data subject access request processing systems and related methods |
US10877443B2 (en) | 2017-09-20 | 2020-12-29 | Bank Of America Corporation | System for generation and execution of improved control effectiveness |
US10885485B2 (en) | 2016-06-10 | 2021-01-05 | OneTrust, LLC | Privacy management systems and methods |
US10896394B2 (en) | 2016-06-10 | 2021-01-19 | OneTrust, LLC | Privacy management systems and methods |
US10909265B2 (en) | 2016-06-10 | 2021-02-02 | OneTrust, LLC | Application privacy scanning systems and related methods |
US10909488B2 (en) | 2016-06-10 | 2021-02-02 | OneTrust, LLC | Data processing systems for assessing readiness for responding to privacy-related incidents |
US10944725B2 (en) | 2016-06-10 | 2021-03-09 | OneTrust, LLC | Data processing systems and methods for using a data model to select a target data asset in a data migration |
US10949565B2 (en) | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10949170B2 (en) | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for integration of consumer feedback with data subject access requests and related methods |
US10997318B2 (en) | 2016-06-10 | 2021-05-04 | OneTrust, LLC | Data processing systems for generating and populating a data inventory for processing data access requests |
US10997315B2 (en) | 2016-06-10 | 2021-05-04 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US11004125B2 (en) | 2016-04-01 | 2021-05-11 | OneTrust, LLC | Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design |
US11025675B2 (en) | 2016-06-10 | 2021-06-01 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US11023842B2 (en) | 2016-06-10 | 2021-06-01 | OneTrust, LLC | Data processing systems and methods for bundled privacy policies |
US11023812B2 (en) | 2017-08-28 | 2021-06-01 | Bank Of America Corporation | Event prediction and impact mitigation system |
US11038925B2 (en) | 2016-06-10 | 2021-06-15 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11057356B2 (en) | 2016-06-10 | 2021-07-06 | OneTrust, LLC | Automated data processing systems and methods for automatically processing data subject access requests using a chatbot |
US20210224402A1 (en) * | 2012-02-14 | 2021-07-22 | Radar, Llc | Systems and methods for managing data incidents having dimensions |
US11074367B2 (en) | 2016-06-10 | 2021-07-27 | OneTrust, LLC | Data processing systems for identity validation for consumer rights requests and related methods |
US11087260B2 (en) | 2016-06-10 | 2021-08-10 | OneTrust, LLC | Data processing systems and methods for customizing privacy training |
US11100444B2 (en) | 2016-06-10 | 2021-08-24 | OneTrust, LLC | Data processing systems and methods for providing training in a vendor procurement process |
WO2021178710A1 (en) * | 2020-03-05 | 2021-09-10 | Shakfeh Noor | Resilience measurement system |
US11134086B2 (en) | 2016-06-10 | 2021-09-28 | OneTrust, LLC | Consent conversion optimization systems and related methods |
US11138242B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US11138299B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11144622B2 (en) | 2016-06-10 | 2021-10-12 | OneTrust, LLC | Privacy management systems and methods |
US11144675B2 (en) | 2018-09-07 | 2021-10-12 | OneTrust, LLC | Data processing systems and methods for automatically protecting sensitive data within privacy management systems |
US11146566B2 (en) | 2016-06-10 | 2021-10-12 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US11151233B2 (en) | 2016-06-10 | 2021-10-19 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11157600B2 (en) | 2016-06-10 | 2021-10-26 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11188862B2 (en) | 2016-06-10 | 2021-11-30 | OneTrust, LLC | Privacy management systems and methods |
US11188615B2 (en) | 2016-06-10 | 2021-11-30 | OneTrust, LLC | Data processing consent capture systems and related methods |
US11200341B2 (en) | 2016-06-10 | 2021-12-14 | OneTrust, LLC | Consent receipt management systems and related methods |
US11210420B2 (en) | 2016-06-10 | 2021-12-28 | OneTrust, LLC | Data subject access request processing systems and related methods |
US11222309B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11222142B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems for validating authorization for personal data collection, storage, and processing |
US11222139B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems and methods for automatic discovery and assessment of mobile software development kits |
US11228620B2 (en) | 2016-06-10 | 2022-01-18 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11227247B2 (en) | 2016-06-10 | 2022-01-18 | OneTrust, LLC | Data processing systems and methods for bundled privacy policies |
US11238390B2 (en) | 2016-06-10 | 2022-02-01 | OneTrust, LLC | Privacy management systems and methods |
US11244367B2 (en) | 2016-04-01 | 2022-02-08 | OneTrust, LLC | Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design |
US11270021B2 (en) | 2019-06-05 | 2022-03-08 | The Toronto-Dominion Bank | Modification of data sharing between systems |
US11277448B2 (en) | 2016-06-10 | 2022-03-15 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11295316B2 (en) | 2016-06-10 | 2022-04-05 | OneTrust, LLC | Data processing systems for identity validation for consumer rights requests and related methods |
US11294939B2 (en) | 2016-06-10 | 2022-04-05 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US11301796B2 (en) | 2016-06-10 | 2022-04-12 | OneTrust, LLC | Data processing systems and methods for customizing privacy training |
US11328092B2 (en) | 2016-06-10 | 2022-05-10 | OneTrust, LLC | Data processing systems for processing and managing data subject access in a distributed environment |
US11336697B2 (en) | 2016-06-10 | 2022-05-17 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11341447B2 (en) | 2016-06-10 | 2022-05-24 | OneTrust, LLC | Privacy management systems and methods |
US11343284B2 (en) | 2016-06-10 | 2022-05-24 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US11354434B2 (en) | 2016-06-10 | 2022-06-07 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11354435B2 (en) | 2016-06-10 | 2022-06-07 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US11366909B2 (en) | 2016-06-10 | 2022-06-21 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11366786B2 (en) | 2016-06-10 | 2022-06-21 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US11373245B1 (en) | 2016-03-04 | 2022-06-28 | Allstate Insurance Company | Systems and methods for detecting digital security breaches of connected assets based on location tracking and asset profiling |
US11392720B2 (en) | 2016-06-10 | 2022-07-19 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11397819B2 (en) | 2020-11-06 | 2022-07-26 | OneTrust, LLC | Systems and methods for identifying data processing activities based on data discovery results |
US11403377B2 (en) | 2016-06-10 | 2022-08-02 | OneTrust, LLC | Privacy management systems and methods |
US11416109B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Automated data processing systems and methods for automatically processing data subject access requests using a chatbot |
US11416798B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing systems and methods for providing training in a vendor procurement process |
US11416589B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11418492B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing systems and methods for using a data model to select a target data asset in a data migration |
US11416590B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11436373B2 (en) | 2020-09-15 | 2022-09-06 | OneTrust, LLC | Data processing systems and methods for detecting tools for the automatic blocking of consent requests |
US11438386B2 (en) | 2016-06-10 | 2022-09-06 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11444976B2 (en) | 2020-07-28 | 2022-09-13 | OneTrust, LLC | Systems and methods for automatically blocking the use of tracking tools |
US11442906B2 (en) | 2021-02-04 | 2022-09-13 | OneTrust, LLC | Managing custom attributes for domain objects defined within microservices |
US11461500B2 (en) | 2016-06-10 | 2022-10-04 | OneTrust, LLC | Data processing systems for cookie compliance testing with website scanning and related methods |
US11475165B2 (en) | 2020-08-06 | 2022-10-18 | OneTrust, LLC | Data processing systems and methods for automatically redacting unstructured data from a data subject access request |
US11475136B2 (en) | 2016-06-10 | 2022-10-18 | OneTrust, LLC | Data processing systems for data transfer risk identification and related methods |
US11481710B2 (en) | 2016-06-10 | 2022-10-25 | OneTrust, LLC | Privacy management systems and methods |
US11494515B2 (en) | 2021-02-08 | 2022-11-08 | OneTrust, LLC | Data processing systems and methods for anonymizing data samples in classification analysis |
US11520928B2 (en) | 2016-06-10 | 2022-12-06 | OneTrust, LLC | Data processing systems for generating personal data receipts and related methods |
US11526624B2 (en) | 2020-09-21 | 2022-12-13 | OneTrust, LLC | Data processing systems and methods for automatically detecting target data transfers and target data processing |
US11533315B2 (en) | 2021-03-08 | 2022-12-20 | OneTrust, LLC | Data transfer discovery and analysis systems and related methods |
US11544409B2 (en) | 2018-09-07 | 2023-01-03 | OneTrust, LLC | Data processing systems and methods for automatically protecting sensitive data within privacy management systems |
US11544667B2 (en) | 2016-06-10 | 2023-01-03 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11546661B2 (en) | 2021-02-18 | 2023-01-03 | OneTrust, LLC | Selective redaction of media content |
US11562078B2 (en) | 2021-04-16 | 2023-01-24 | OneTrust, LLC | Assessing and managing computational risk involved with integrating third party computing functionality within a computing system |
US11562097B2 (en) | 2016-06-10 | 2023-01-24 | OneTrust, LLC | Data processing systems for central consent repository and related methods |
US11586700B2 (en) | 2016-06-10 | 2023-02-21 | OneTrust, LLC | Data processing systems and methods for automatically blocking the use of tracking tools |
US11601464B2 (en) | 2021-02-10 | 2023-03-07 | OneTrust, LLC | Systems and methods for mitigating risks of third-party computing system functionality integration into a first-party computing system |
US11620142B1 (en) | 2022-06-03 | 2023-04-04 | OneTrust, LLC | Generating and customizing user interfaces for demonstrating functions of interactive user environments |
US11625502B2 (en) | 2016-06-10 | 2023-04-11 | OneTrust, LLC | Data processing systems for identifying and modifying processes that are subject to data subject access requests |
US11636171B2 (en) | 2016-06-10 | 2023-04-25 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US11651104B2 (en) | 2016-06-10 | 2023-05-16 | OneTrust, LLC | Consent receipt management systems and related methods |
US11651106B2 (en) | 2016-06-10 | 2023-05-16 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US11651402B2 (en) | 2016-04-01 | 2023-05-16 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of risk assessments |
US11675929B2 (en) | 2016-06-10 | 2023-06-13 | OneTrust, LLC | Data processing consent sharing systems and related methods |
US11687528B2 (en) | 2021-01-25 | 2023-06-27 | OneTrust, LLC | Systems and methods for discovery, classification, and indexing of data in a native computing system |
US11727141B2 (en) | 2016-06-10 | 2023-08-15 | OneTrust, LLC | Data processing systems and methods for synching privacy-related user consent across multiple computing devices |
US11775348B2 (en) | 2021-02-17 | 2023-10-03 | OneTrust, LLC | Managing custom workflows for domain objects defined within microservices |
US11797528B2 (en) | 2020-07-08 | 2023-10-24 | OneTrust, LLC | Systems and methods for targeted data discovery |
US11870800B1 (en) * | 2019-09-20 | 2024-01-09 | Cowbell Cyber, Inc. | Cyber security risk assessment and cyber security insurance platform |
Families Citing this family (162)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10083481B2 (en) | 2006-02-02 | 2018-09-25 | Oracle America, Inc. | IT risk management framework and methods |
US20090183259A1 (en) * | 2008-01-11 | 2009-07-16 | Rinek Jeffrey L | Integrated Protection Service System Defining Risk Profiles for Minors |
US10248915B2 (en) | 2008-03-07 | 2019-04-02 | International Business Machines Corporation | Risk profiling for enterprise risk management |
US9798319B2 (en) * | 2008-05-27 | 2017-10-24 | Rockwell Automation Technologies, Inc. | Industrial control metadata engine |
US8533843B2 (en) * | 2008-10-13 | 2013-09-10 | Hewlett-Packard Development Company, L. P. | Device, method, and program product for determining an overall business service vulnerability score |
US8326987B2 (en) * | 2008-11-12 | 2012-12-04 | Lin Yeejang James | Method for adaptively building a baseline behavior model |
US7966203B1 (en) * | 2009-02-27 | 2011-06-21 | Millennium Information Services | Property insurance risk assessment using application data |
US20100241478A1 (en) * | 2009-03-20 | 2010-09-23 | Mehmet Sahinoglu | Method of automating security risk assessment and management with a cost-optimized allocation plan |
US8370193B2 (en) * | 2010-02-01 | 2013-02-05 | Bank Of America Corporation | Method, computer-readable media, and apparatus for determining risk scores and generating a risk scorecard |
US20110276363A1 (en) * | 2010-05-05 | 2011-11-10 | Oracle International Corporation | Service level agreement construction |
US8533537B2 (en) * | 2010-05-13 | 2013-09-10 | Bank Of America Corporation | Technology infrastructure failure probability predictor |
US8812342B2 (en) * | 2010-06-15 | 2014-08-19 | International Business Machines Corporation | Managing and monitoring continuous improvement in detection of compliance violations |
US20120029969A1 (en) * | 2010-07-30 | 2012-02-02 | Joern Franke | Risk management of business processes |
US20120053981A1 (en) * | 2010-09-01 | 2012-03-01 | Bank Of America Corporation | Risk Governance Model for an Operation or an Information Technology System |
US10805331B2 (en) | 2010-09-24 | 2020-10-13 | BitSight Technologies, Inc. | Information technology security assessment system |
US20160232465A1 (en) * | 2011-06-03 | 2016-08-11 | Kenneth Kurtz | Subscriber-based system for custom evaluations of business relationship risk |
US10282703B1 (en) | 2011-07-28 | 2019-05-07 | Intuit Inc. | Enterprise risk management |
US20130041714A1 (en) * | 2011-08-12 | 2013-02-14 | Bank Of America Corporation | Supplier Risk Health Check |
US20130041713A1 (en) * | 2011-08-12 | 2013-02-14 | Bank Of America Corporation | Supplier Risk Dashboard |
US20130166346A1 (en) * | 2011-12-22 | 2013-06-27 | Saudi Arabian Oil Company | Systems, Computer-Implemented Methods and Computer-Readable Media to Provide Multi-Criteria Decision-Making Model for Outsourcing |
US9229684B2 (en) * | 2012-01-30 | 2016-01-05 | International Business Machines Corporation | Automated corruption analysis of service designs |
US10445508B2 (en) * | 2012-02-14 | 2019-10-15 | Radar, Llc | Systems and methods for managing multi-region data incidents |
US9426169B2 (en) * | 2012-02-29 | 2016-08-23 | Cytegic Ltd. | System and method for cyber attacks analysis and decision support |
US9668137B2 (en) * | 2012-03-07 | 2017-05-30 | Rapid7, Inc. | Controlling enterprise access by mobile devices |
US20130253979A1 (en) * | 2012-03-13 | 2013-09-26 | Pacific Gas And Electric Company | Objectively managing risk |
US8984583B2 (en) * | 2012-05-30 | 2015-03-17 | Accenture Global Services Limited | Healthcare privacy breach prevention through integrated audit and access control |
US20130325678A1 (en) * | 2012-05-30 | 2013-12-05 | International Business Machines Corporation | Risk profiling for service contracts |
US9407443B2 (en) | 2012-06-05 | 2016-08-02 | Lookout, Inc. | Component analysis of software applications on computing devices |
US8862948B1 (en) * | 2012-06-28 | 2014-10-14 | Emc Corporation | Method and apparatus for providing at risk information in a cloud computing system having redundancy |
US20140222655A1 (en) * | 2012-11-13 | 2014-08-07 | AML Partners, LLC | Method and System for Automatic Regulatory Compliance |
US20140142988A1 (en) * | 2012-11-21 | 2014-05-22 | Hartford Fire Insurance Company | System and method for analyzing privacy breach risk data |
US20140156339A1 (en) * | 2012-12-03 | 2014-06-05 | Bank Of America Corporation | Operational risk and control analysis of an organization |
US20140257918A1 (en) * | 2013-03-11 | 2014-09-11 | Bank Of America Corporation | Risk Management System for Calculating Residual Risk of an Entity |
US10037623B2 (en) * | 2013-03-15 | 2018-07-31 | Bwise B.V. | Dynamic risk structure creation systems and/or methods of making the same |
US9172720B2 (en) * | 2013-08-30 | 2015-10-27 | Bank Of America Corporation | Detecting malware using revision control logs |
US9438615B2 (en) | 2013-09-09 | 2016-09-06 | BitSight Technologies, Inc. | Security risk management |
US8782770B1 (en) | 2013-12-10 | 2014-07-15 | Citigroup Technology, Inc. | Systems and methods for managing security during a divestiture |
KR101589798B1 (en) * | 2013-12-30 | 2016-01-28 | 연세대학교 산학협력단 | System and method for assessing sustainability of overseas gas field |
US20150186899A1 (en) * | 2014-01-01 | 2015-07-02 | Bank Of America Corporation | Third party control alignment |
US20150186898A1 (en) * | 2014-01-01 | 2015-07-02 | Bank Of America Corporation | Generating an overall control effectiveness |
US20150186897A1 (en) * | 2014-01-01 | 2015-07-02 | Bank Of America Corporation | Framework for control quality verification |
US20150242775A1 (en) * | 2014-02-24 | 2015-08-27 | Bank Of America Corporation | Designation Of A Vendor Manager |
US20150242777A1 (en) * | 2014-02-24 | 2015-08-27 | Bank Of America Corporation | Category-Driven Risk Identification |
US20150242858A1 (en) * | 2014-02-24 | 2015-08-27 | Bank Of America Corporation | Risk Assessment On A Transaction Level |
US11176475B1 (en) | 2014-03-11 | 2021-11-16 | Applied Underwriters, Inc. | Artificial intelligence system for training a classifier |
US9336399B2 (en) | 2014-04-21 | 2016-05-10 | International Business Machines Corporation | Information asset placer |
US11120380B1 (en) * | 2014-06-03 | 2021-09-14 | Massachusetts Mutual Life Insurance Company | Systems and methods for managing information risk after integration of an acquired entity in mergers and acquisitions |
WO2015199719A1 (en) * | 2014-06-27 | 2015-12-30 | Hewlett Packard Enterprise Development L.P. | Security policy based on risk |
US9251221B1 (en) | 2014-07-21 | 2016-02-02 | Splunk Inc. | Assigning scores to objects based on search query results |
US9118714B1 (en) * | 2014-07-23 | 2015-08-25 | Lookingglass Cyber Solutions, Inc. | Apparatuses, methods and systems for a cyber threat visualization and editing user interface |
US9417976B2 (en) | 2014-08-29 | 2016-08-16 | Vmware, Inc. | Preventing migration of a virtual machine from affecting disaster recovery of replica |
US9591022B2 (en) | 2014-12-17 | 2017-03-07 | The Boeing Company | Computer defenses and counterattacks |
US9253203B1 (en) | 2014-12-29 | 2016-02-02 | Cyence Inc. | Diversity analysis with actionable feedback methodologies |
WO2017078986A1 (en) | 2014-12-29 | 2017-05-11 | Cyence Inc. | Diversity analysis with actionable feedback methodologies |
US10050990B2 (en) | 2014-12-29 | 2018-08-14 | Guidewire Software, Inc. | Disaster scenario based inferential analysis using feedback for extracting and combining cyber risk information |
US11863590B2 (en) | 2014-12-29 | 2024-01-02 | Guidewire Software, Inc. | Inferential analysis using feedback for extracting and combining cyber risk information |
US10341376B2 (en) * | 2014-12-29 | 2019-07-02 | Guidewire Software, Inc. | Diversity analysis with actionable feedback methodologies |
US9521160B2 (en) | 2014-12-29 | 2016-12-13 | Cyence Inc. | Inferential analysis using feedback for extracting and combining cyber risk information |
US10050989B2 (en) | 2014-12-29 | 2018-08-14 | Guidewire Software, Inc. | Inferential analysis using feedback for extracting and combining cyber risk information including proxy connection analyses |
US9699209B2 (en) | 2014-12-29 | 2017-07-04 | Cyence Inc. | Cyber vulnerability scan analyses with actionable feedback |
WO2016109608A1 (en) * | 2014-12-30 | 2016-07-07 | Cyence Inc. | System for cyber insurance policy including cyber risk assessment/management service |
US11855768B2 (en) | 2014-12-29 | 2023-12-26 | Guidewire Software, Inc. | Disaster scenario based inferential analysis using feedback for extracting and combining cyber risk information |
US20160224911A1 (en) * | 2015-02-04 | 2016-08-04 | Bank Of America Corporation | Service provider emerging impact and probability assessment system |
US20160232466A1 (en) * | 2015-02-09 | 2016-08-11 | Wipro Limited | Method and device for determining risks associated with customer requirements in an organization |
US9507960B2 (en) * | 2015-02-25 | 2016-11-29 | Citigroup Technology, Inc. | Systems and methods for automated data privacy compliance |
US10404748B2 (en) | 2015-03-31 | 2019-09-03 | Guidewire Software, Inc. | Cyber risk analysis and remediation using network monitored sensors and methods of use |
US9836598B2 (en) | 2015-04-20 | 2017-12-05 | Splunk Inc. | User activity monitoring |
US20160371698A1 (en) * | 2015-06-16 | 2016-12-22 | Mastercard International Incorporated | Systems and Methods for Authenticating Business Partners, in Connection With Requests by the Partners for Products and/or Services |
US10084811B1 (en) | 2015-09-09 | 2018-09-25 | United Services Automobile Association (Usaa) | Systems and methods for adaptive security protocols in a managed system |
US20170109671A1 (en) * | 2015-10-19 | 2017-04-20 | Adapt Ready Inc. | System and method to identify risks and provide strategies to overcome risks |
US10970787B2 (en) | 2015-10-28 | 2021-04-06 | Qomplx, Inc. | Platform for live issuance and management of cyber insurance policies |
US11514531B2 (en) | 2015-10-28 | 2022-11-29 | Qomplx, Inc. | Platform for autonomous risk assessment and quantification for cyber insurance policies |
US10891381B2 (en) | 2015-11-13 | 2021-01-12 | Micro Focus Llc | Detecting vulnerabilities in a web application |
US10268976B2 (en) | 2016-02-17 | 2019-04-23 | SecurityScorecard, Inc. | Non-intrusive techniques for discovering and using organizational relationships |
US10366367B2 (en) | 2016-02-24 | 2019-07-30 | Bank Of America Corporation | Computerized system for evaluating and modifying technology change events |
US10275183B2 (en) | 2016-02-24 | 2019-04-30 | Bank Of America Corporation | System for categorical data dynamic decoding |
US10223425B2 (en) | 2016-02-24 | 2019-03-05 | Bank Of America Corporation | Operational data processor |
US10216798B2 (en) | 2016-02-24 | 2019-02-26 | Bank Of America Corporation | Technical language processor |
US10366338B2 (en) | 2016-02-24 | 2019-07-30 | Bank Of America Corporation | Computerized system for evaluating the impact of technology change incidents |
US10430743B2 (en) | 2016-02-24 | 2019-10-01 | Bank Of America Corporation | Computerized system for simulating the likelihood of technology change incidents |
US10067984B2 (en) | 2016-02-24 | 2018-09-04 | Bank Of America Corporation | Computerized system for evaluating technology stability |
US10387230B2 (en) | 2016-02-24 | 2019-08-20 | Bank Of America Corporation | Technical language processor administration |
US10275182B2 (en) | 2016-02-24 | 2019-04-30 | Bank Of America Corporation | System for categorical data encoding |
US10019486B2 (en) | 2016-02-24 | 2018-07-10 | Bank Of America Corporation | Computerized system for analyzing operational event data |
US10366337B2 (en) | 2016-02-24 | 2019-07-30 | Bank Of America Corporation | Computerized system for evaluating the likelihood of technology change incidents |
CN111507638B (en) * | 2016-03-25 | 2024-03-05 | 创新先进技术有限公司 | Risk information output and risk information construction method and device |
US11410106B2 (en) | 2016-06-10 | 2022-08-09 | OneTrust, LLC | Privacy management systems and methods |
US10510079B2 (en) | 2016-09-21 | 2019-12-17 | Coinbase, Inc. | Small sample based training and large population application for compliance determination and enforcement platform |
US11625769B2 (en) * | 2016-09-21 | 2023-04-11 | Coinbase, Inc. | Multi-factor integrated compliance determination and enforcement platform |
US10482470B2 (en) | 2016-09-21 | 2019-11-19 | Coinbase, Inc. | Self-learning compliance determination and enforcement platform |
US10755347B2 (en) * | 2016-09-21 | 2020-08-25 | Coinbase, Inc. | Corrective action realignment and feedback system for a compliance determination and enforcement platform |
US10510034B2 (en) | 2016-09-21 | 2019-12-17 | Coinbase, Inc. | Investigator interface and override functionality within compliance determination and enforcement platform |
EP3545418A4 (en) * | 2016-11-22 | 2020-08-12 | AON Global Operations PLC, Singapore Branch | Systems and methods for cybersecurity risk assessment |
TWI625642B (en) * | 2017-03-08 | 2018-06-01 | 廣達電腦股份有限公司 | Software risk evaluation system and method thereof |
US10476673B2 (en) | 2017-03-22 | 2019-11-12 | Extrahop Networks, Inc. | Managing session secrets for continuous packet capture systems |
US11386435B2 (en) * | 2017-04-03 | 2022-07-12 | The Dun And Bradstreet Corporation | System and method for global third party intermediary identification system with anti-bribery and anti-corruption risk assessment |
US10860721B1 (en) * | 2017-05-04 | 2020-12-08 | Mike Gentile | Information security management improvement system |
US20180357581A1 (en) * | 2017-06-08 | 2018-12-13 | Hcl Technologies Limited | Operation Risk Summary (ORS) |
US10218697B2 (en) * | 2017-06-09 | 2019-02-26 | Lookout, Inc. | Use of device risk evaluation to manage access to services |
US10425380B2 (en) | 2017-06-22 | 2019-09-24 | BitSight Technologies, Inc. | Methods for mapping IP addresses and domains to organizations using user activity data |
US9930062B1 (en) | 2017-06-26 | 2018-03-27 | Factory Mutual Insurance Company | Systems and methods for cyber security risk assessment |
US10217071B2 (en) | 2017-07-28 | 2019-02-26 | SecurityScorecard, Inc. | Reducing cybersecurity risk level of a portfolio of companies using a cybersecurity risk multiplier |
US10614401B2 (en) | 2017-07-28 | 2020-04-07 | SecurityScorecard, Inc. | Reducing cybersecurity risk level of portfolio of companies using a cybersecurity risk multiplier |
US9967292B1 (en) | 2017-10-25 | 2018-05-08 | Extrahop Networks, Inc. | Inline secret sharing |
US20190147376A1 (en) * | 2017-11-13 | 2019-05-16 | Tracker Networks Inc. | Methods and systems for risk data generation and management |
US11636416B2 (en) | 2017-11-13 | 2023-04-25 | Tracker Networks Inc. | Methods and systems for risk data generation and management |
US10607013B2 (en) | 2017-11-30 | 2020-03-31 | Bank Of America Corporation | System for information security threat assessment and event triggering |
US10635822B2 (en) | 2017-11-30 | 2020-04-28 | Bank Of America Corporation | Data integration system for triggering analysis of connection oscillations |
US10824734B2 (en) | 2017-11-30 | 2020-11-03 | Bank Of America Corporation | System for recurring information security threat assessment |
US10616260B2 (en) | 2017-11-30 | 2020-04-07 | Bank Of America Corporation | System for information security threat assessment |
US10616261B2 (en) | 2017-11-30 | 2020-04-07 | Bank Of America Corporation | System for information security threat assessment based on data history |
US10826929B2 (en) | 2017-12-01 | 2020-11-03 | Bank Of America Corporation | Exterior data deployment system using hash generation and confirmation triggering |
US11546365B2 (en) * | 2018-01-28 | 2023-01-03 | AVAST Software s.r.o. | Computer network security assessment engine |
US10389574B1 (en) | 2018-02-07 | 2019-08-20 | Extrahop Networks, Inc. | Ranking alerts based on network monitoring |
US10270794B1 (en) * | 2018-02-09 | 2019-04-23 | Extrahop Networks, Inc. | Detection of denial of service attacks |
EP3762893A4 (en) * | 2018-03-04 | 2021-12-29 | Qomplx, Inc. | Platform for live issuance and management of cyber insurance policies |
US10257219B1 (en) | 2018-03-12 | 2019-04-09 | BitSight Technologies, Inc. | Correlated risk in cybersecurity |
US10812520B2 (en) | 2018-04-17 | 2020-10-20 | BitSight Technologies, Inc. | Systems and methods for external detection of misconfigured systems |
CN108805442A (en) * | 2018-06-06 | 2018-11-13 | 浙江大学 | A kind of pool formula creative management system and method based on energy monitor |
US10411978B1 (en) | 2018-08-09 | 2019-09-10 | Extrahop Networks, Inc. | Correlating causes and effects associated with network activity |
US10594718B1 (en) * | 2018-08-21 | 2020-03-17 | Extrahop Networks, Inc. | Managing incident response operations based on monitored network activity |
US11200323B2 (en) | 2018-10-17 | 2021-12-14 | BitSight Technologies, Inc. | Systems and methods for forecasting cybersecurity ratings based on event-rate scenarios |
US10521583B1 (en) | 2018-10-25 | 2019-12-31 | BitSight Technologies, Inc. | Systems and methods for remote detection of software through browser webinjects |
US20200143301A1 (en) * | 2018-11-02 | 2020-05-07 | Venminder, Inc. | Systems and methods for providing vendor management, advanced risk assessment, and custom profiles |
US20200401961A1 (en) * | 2019-01-22 | 2020-12-24 | Recorded Future, Inc. | Automated organizational security scoring system |
US11388195B1 (en) * | 2019-02-02 | 2022-07-12 | Clearops, Inc. | Information security compliance platform |
US11915179B2 (en) * | 2019-02-14 | 2024-02-27 | Talisai Inc. | Artificial intelligence accountability platform and extensions |
US11176508B2 (en) * | 2019-03-12 | 2021-11-16 | International Business Machines Corporation | Minimizing compliance risk using machine learning techniques |
WO2020191110A1 (en) | 2019-03-18 | 2020-09-24 | Recorded Future, Inc. | Cross-network security evaluation |
US11126746B2 (en) | 2019-03-28 | 2021-09-21 | The Toronto-Dominion Bank | Dynamic security controls for data sharing between systems |
US10965702B2 (en) | 2019-05-28 | 2021-03-30 | Extrahop Networks, Inc. | Detecting injection attacks using passive network monitoring |
US11514529B2 (en) * | 2019-05-31 | 2022-11-29 | Aon Risk Services, Inc. Of Maryland | Systems for generation of liability protection policies |
US10726136B1 (en) | 2019-07-17 | 2020-07-28 | BitSight Technologies, Inc. | Systems and methods for generating security improvement plans for entities |
US11165814B2 (en) | 2019-07-29 | 2021-11-02 | Extrahop Networks, Inc. | Modifying triage information based on network monitoring |
US11388072B2 (en) | 2019-08-05 | 2022-07-12 | Extrahop Networks, Inc. | Correlating network traffic that crosses opaque endpoints |
US10742530B1 (en) | 2019-08-05 | 2020-08-11 | Extrahop Networks, Inc. | Correlating network traffic that crosses opaque endpoints |
US11275367B2 (en) | 2019-08-19 | 2022-03-15 | Bank Of America Corporation | Dynamically monitoring system controls to identify and mitigate issues |
US10742677B1 (en) | 2019-09-04 | 2020-08-11 | Extrahop Networks, Inc. | Automatic determination of user roles and asset types based on network monitoring |
US20210073693A1 (en) * | 2019-09-05 | 2021-03-11 | Royal Bank Of Canada | Systems and methods of dynamically presenting datasets in a graphical user interface |
US11275842B2 (en) | 2019-09-20 | 2022-03-15 | The Toronto-Dominion Bank | Systems and methods for evaluating security of third-party applications |
US11436336B2 (en) | 2019-09-23 | 2022-09-06 | The Toronto-Dominion Bank | Systems and methods for evaluating data access signature of third-party applications |
US20220164876A1 (en) * | 2019-09-26 | 2022-05-26 | Sandeep Aggarwal | Methods and systems for credit risk assessment for used vehicle financing |
US11032244B2 (en) | 2019-09-30 | 2021-06-08 | BitSight Technologies, Inc. | Systems and methods for determining asset importance in security risk management |
US11194628B2 (en) | 2019-12-03 | 2021-12-07 | International Business Machines Corporation | Workload allocation utilizing real-time enterprise resiliency scoring |
US11165823B2 (en) | 2019-12-17 | 2021-11-02 | Extrahop Networks, Inc. | Automated preemptive polymorphic deception |
US10893067B1 (en) | 2020-01-31 | 2021-01-12 | BitSight Technologies, Inc. | Systems and methods for rapidly generating security ratings |
US11023585B1 (en) | 2020-05-27 | 2021-06-01 | BitSight Technologies, Inc. | Systems and methods for managing cybersecurity alerts |
US11880896B2 (en) * | 2020-06-22 | 2024-01-23 | Aon Risk Services, Inc. Of Maryland | Vendor management platform |
US11861723B2 (en) | 2020-06-22 | 2024-01-02 | Aon Risk Services, Inc. Of Maryland | Vendor management platform |
US11170334B1 (en) | 2020-09-18 | 2021-11-09 | deepwatch, Inc. | Systems and methods for security operations maturity assessment |
US11489721B2 (en) * | 2020-09-22 | 2022-11-01 | Vmware, Inc. | Dynamic compliance management |
EP4218212A1 (en) | 2020-09-23 | 2023-08-02 | ExtraHop Networks, Inc. | Monitoring encrypted network traffic |
US11463466B2 (en) | 2020-09-23 | 2022-10-04 | Extrahop Networks, Inc. | Monitoring encrypted network traffic |
US11122073B1 (en) | 2020-12-11 | 2021-09-14 | BitSight Technologies, Inc. | Systems and methods for cybersecurity risk mitigation and management |
JP7190530B2 (en) * | 2021-05-12 | 2022-12-15 | 株式会社日立製作所 | A system that evaluates resource operations of information systems by users |
US11349861B1 (en) | 2021-06-18 | 2022-05-31 | Extrahop Networks, Inc. | Identifying network entities based on beaconing activity |
US11296967B1 (en) | 2021-09-23 | 2022-04-05 | Extrahop Networks, Inc. | Combining passive network analysis and active probing |
US11606382B1 (en) * | 2021-10-26 | 2023-03-14 | Cyberwrite Inc. | System and method for evaluating an organization's cyber insurance risk for exposure to cyber attacks |
US20230230169A1 (en) * | 2021-10-26 | 2023-07-20 | Cyberwrite Inc. | System and method for evaluating an organization's risk for exposure to cyber security |
US11843606B2 (en) | 2022-03-30 | 2023-12-12 | Extrahop Networks, Inc. | Detecting abnormal data access based on data similarity |
CN115174420A (en) * | 2022-07-05 | 2022-10-11 | 中信百信银行股份有限公司 | Safe operation method, system, terminal device and storage medium based on index measurement |
CN115712866B (en) * | 2022-10-28 | 2023-05-02 | 支付宝(杭州)信息技术有限公司 | Data processing method, device and equipment |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030046128A1 (en) * | 2001-03-29 | 2003-03-06 | Nicolas Heinrich | Overall risk in a system |
US20050080720A1 (en) * | 2003-10-10 | 2005-04-14 | International Business Machines Corporation | Deriving security and privacy solutions to mitigate risk |
US20050096953A1 (en) * | 2003-11-01 | 2005-05-05 | Ge Medical Systems Global Technology Co., Llc | Methods and apparatus for predictive service for information technology resource outages |
US20060100947A1 (en) * | 2000-04-27 | 2006-05-11 | Prosight, Ltd. | Method and apparatus for facilitating management of information technology investment |
US20070143851A1 (en) * | 2005-12-21 | 2007-06-21 | Fiberlink | Method and systems for controlling access to computing resources based on known security vulnerabilities |
US20070156495A1 (en) * | 2006-01-05 | 2007-07-05 | Oracle International Corporation | Audit planning |
US20070192236A1 (en) * | 2006-02-02 | 2007-08-16 | Sun Microsystems, Inc. | IT risk management framework and methods |
US20080103962A1 (en) * | 2006-10-25 | 2008-05-01 | Ira Cohen | Ranking systems based on a risk |
US7813944B1 (en) * | 1999-08-12 | 2010-10-12 | Fair Isaac Corporation | Detection of insurance premium fraud or abuse using a predictive software system |
US8307427B1 (en) * | 2005-12-30 | 2012-11-06 | United Services (USAA) Automobile Association | System for tracking data shared with external entities |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7283977B1 (en) | 2000-02-25 | 2007-10-16 | Kathleen Tyson-Quah | System for reducing risk payment-based transactions wherein a risk filter routine returns instructions authorizing payment to a payment queue for later re-evaluation |
US6638754B1 (en) * | 2000-11-28 | 2003-10-28 | Cytokinetics, Inc. | Motor proteins and methods for their use |
US20050096949A1 (en) | 2003-10-29 | 2005-05-05 | International Business Machines Corporation | Method and system for automatic continuous monitoring and on-demand optimization of business IT infrastructure according to business objectives |
- 2008
  - 2008-04-30 WO PCT/US2008/005519 patent/WO2008140683A2/en active Application Filing
  - 2008-04-30 US US12/593,987 patent/US8744894B2/en not_active Expired - Fee Related
- 2014
  - 2014-05-20 US US14/282,347 patent/US20150066577A1/en not_active Abandoned
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7813944B1 (en) * | 1999-08-12 | 2010-10-12 | Fair Isaac Corporation | Detection of insurance premium fraud or abuse using a predictive software system |
US20060100947A1 (en) * | 2000-04-27 | 2006-05-11 | Prosight, Ltd. | Method and apparatus for facilitating management of information technology investment |
US20030046128A1 (en) * | 2001-03-29 | 2003-03-06 | Nicolas Heinrich | Overall risk in a system |
US6895383B2 (en) * | 2001-03-29 | 2005-05-17 | Accenture Sas | Overall risk in a system |
US20050080720A1 (en) * | 2003-10-10 | 2005-04-14 | International Business Machines Corporation | Deriving security and privacy solutions to mitigate risk |
US20050096953A1 (en) * | 2003-11-01 | 2005-05-05 | Ge Medical Systems Global Technology Co., Llc | Methods and apparatus for predictive service for information technology resource outages |
US20070143851A1 (en) * | 2005-12-21 | 2007-06-21 | Fiberlink | Method and systems for controlling access to computing resources based on known security vulnerabilities |
US8307427B1 (en) * | 2005-12-30 | 2012-11-06 | United Services (USAA) Automobile Association | System for tracking data shared with external entities |
US20070156495A1 (en) * | 2006-01-05 | 2007-07-05 | Oracle International Corporation | Audit planning |
US20070192236A1 (en) * | 2006-02-02 | 2007-08-16 | Sun Microsystems, Inc. | IT risk management framework and methods |
US20080103962A1 (en) * | 2006-10-25 | 2008-05-01 | Ira Cohen | Ranking systems based on a risk |
Non-Patent Citations (1)
Title |
---|
Spears, "A Holistic Risk Analysis Method for Identifying Information Security Risks," 2005, Security Management, Integrity, and Internal Control in Information Systems, pp. 185-202 * |
Cited By (309)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210224402A1 (en) * | 2012-02-14 | 2021-07-22 | Radar, Llc | Systems and methods for managing data incidents having dimensions |
US20190018968A1 (en) * | 2014-07-17 | 2019-01-17 | Venafi, Inc. | Security reliance scoring for cryptographic material and processes |
US10289867B2 (en) | 2014-07-27 | 2019-05-14 | OneTrust, LLC | Data processing systems for webform crawling to map processing activities and related methods |
US10713225B2 (en) | 2014-10-30 | 2020-07-14 | Pearson Education, Inc. | Content database generation |
US20170330474A1 (en) * | 2014-10-31 | 2017-11-16 | Pearson Education, Inc. | Predictive recommendation engine |
US10290223B2 (en) * | 2014-10-31 | 2019-05-14 | Pearson Education, Inc. | Predictive recommendation engine |
US11373245B1 (en) | 2016-03-04 | 2022-06-28 | Allstate Insurance Company | Systems and methods for detecting digital security breaches of connected assets based on location tracking and asset profiling |
US9892477B2 (en) | 2016-04-01 | 2018-02-13 | OneTrust, LLC | Data processing systems and methods for implementing audit schedules for privacy campaigns |
US10176503B2 (en) | 2016-04-01 | 2019-01-08 | OneTrust, LLC | Data processing systems and methods for efficiently assessing the risk of privacy campaigns |
US9892442B2 (en) | 2016-04-01 | 2018-02-13 | OneTrust, LLC | Data processing systems and methods for efficiently assessing the risk of privacy campaigns |
US9892441B2 (en) | 2016-04-01 | 2018-02-13 | OneTrust, LLC | Data processing systems and methods for operationalizing privacy compliance and assessing the risk of various respective privacy campaigns |
US9898769B2 (en) | 2016-04-01 | 2018-02-20 | OneTrust, LLC | Data processing systems and methods for operationalizing privacy compliance via integrated mobile applications |
US9892444B2 (en) | 2016-04-01 | 2018-02-13 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments |
US10956952B2 (en) | 2016-04-01 | 2021-03-23 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments |
US10853859B2 (en) | 2016-04-01 | 2020-12-01 | OneTrust, LLC | Data processing systems and methods for operationalizing privacy compliance and assessing the risk of various respective privacy campaigns |
US10026110B2 (en) | 2016-04-01 | 2018-07-17 | OneTrust, LLC | Data processing systems and methods for generating personal data inventories for organizations and other entities |
US9892443B2 (en) | 2016-04-01 | 2018-02-13 | OneTrust, LLC | Data processing systems for modifying privacy campaign data via electronic messaging systems |
US10706447B2 (en) | 2016-04-01 | 2020-07-07 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments |
US10423996B2 (en) | 2016-04-01 | 2019-09-24 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments |
US11004125B2 (en) | 2016-04-01 | 2021-05-11 | OneTrust, LLC | Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design |
US11244367B2 (en) | 2016-04-01 | 2022-02-08 | OneTrust, LLC | Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design |
US10169788B2 (en) | 2016-04-01 | 2019-01-01 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments |
US10169789B2 (en) | 2016-04-01 | 2019-01-01 | OneTrust, LLC | Data processing systems for modifying privacy campaign data via electronic messaging systems |
US10169790B2 (en) | 2016-04-01 | 2019-01-01 | OneTrust, LLC | Data processing systems and methods for operationalizing privacy compliance via integrated mobile applications |
US11651402B2 (en) | 2016-04-01 | 2023-05-16 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of risk assessments |
US10176502B2 (en) | 2016-04-01 | 2019-01-08 | OneTrust, LLC | Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design |
US10970371B2 (en) | 2016-06-10 | 2021-04-06 | OneTrust, LLC | Consent receipt management systems and related methods |
US10510031B2 (en) | 2016-06-10 | 2019-12-17 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US10181019B2 (en) | 2016-06-10 | 2019-01-15 | OneTrust, LLC | Data processing systems and communications systems and methods for integrating privacy compliance systems with software development and agile tools for privacy design |
US10169609B1 (en) | 2016-06-10 | 2019-01-01 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10204154B2 (en) | 2016-06-10 | 2019-02-12 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10235534B2 (en) | 2016-06-10 | 2019-03-19 | OneTrust, LLC | Data processing systems for prioritizing data subject access requests for fulfillment and related methods |
US10242228B2 (en) | 2016-06-10 | 2019-03-26 | OneTrust, LLC | Data processing systems for measuring privacy maturity within an organization |
US10275614B2 (en) | 2016-06-10 | 2019-04-30 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10284604B2 (en) | 2016-06-10 | 2019-05-07 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US10282559B2 (en) | 2016-06-10 | 2019-05-07 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US10282692B2 (en) | 2016-06-10 | 2019-05-07 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US10282700B2 (en) | 2016-06-10 | 2019-05-07 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10282370B1 (en) | 2016-06-10 | 2019-05-07 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10165011B2 (en) | 2016-06-10 | 2018-12-25 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US10289870B2 (en) | 2016-06-10 | 2019-05-14 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10158676B2 (en) | 2016-06-10 | 2018-12-18 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US10289866B2 (en) | 2016-06-10 | 2019-05-14 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US20190171801A1 (en) * | 2016-06-10 | 2019-06-06 | OneTrust, LLC | Data processing systems and methods for efficiently assessing the risk of privacy campaigns |
US10318761B2 (en) | 2016-06-10 | 2019-06-11 | OneTrust, LLC | Data processing systems and methods for auditing data request compliance |
US10348775B2 (en) | 2016-06-10 | 2019-07-09 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US10346637B2 (en) | 2016-06-10 | 2019-07-09 | OneTrust, LLC | Data processing systems for the identification and deletion of personal data in computer systems |
US10346638B2 (en) | 2016-06-10 | 2019-07-09 | OneTrust, LLC | Data processing systems for identifying and modifying processes that are subject to data subject access requests |
US10346598B2 (en) | 2016-06-10 | 2019-07-09 | OneTrust, LLC | Data processing systems for monitoring user system inputs and related methods |
US10353674B2 (en) | 2016-06-10 | 2019-07-16 | OneTrust, LLC | Data processing and communications systems and methods for the efficient implementation of privacy by design |
US10354089B2 (en) | 2016-06-10 | 2019-07-16 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10353673B2 (en) | 2016-06-10 | 2019-07-16 | OneTrust, LLC | Data processing systems for integration of consumer feedback with data subject access requests and related methods |
US10416966B2 (en) | 2016-06-10 | 2019-09-17 | OneTrust, LLC | Data processing systems for identity validation of data subject access requests and related methods |
US10417450B2 (en) | 2016-06-10 | 2019-09-17 | OneTrust, LLC | Data processing systems for prioritizing data subject access requests for fulfillment and related methods |
US10419493B2 (en) | 2016-06-10 | 2019-09-17 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US10102533B2 (en) | 2016-06-10 | 2018-10-16 | OneTrust, LLC | Data processing and communications systems and methods for the efficient implementation of privacy by design |
US10430740B2 (en) | 2016-06-10 | 2019-10-01 | One Trust, LLC | Data processing systems for calculating and communicating cost of fulfilling data subject access requests and related methods |
US10438016B2 (en) | 2016-06-10 | 2019-10-08 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10438020B2 (en) | 2016-06-10 | 2019-10-08 | OneTrust, LLC | Data processing systems for generating and populating a data inventory for processing data access requests |
US10437860B2 (en) | 2016-06-10 | 2019-10-08 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10438017B2 (en) | 2016-06-10 | 2019-10-08 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US10437412B2 (en) | 2016-06-10 | 2019-10-08 | OneTrust, LLC | Consent receipt management systems and related methods |
US10440062B2 (en) | 2016-06-10 | 2019-10-08 | OneTrust, LLC | Consent receipt management systems and related methods |
US10445526B2 (en) | 2016-06-10 | 2019-10-15 | OneTrust, LLC | Data processing systems for measuring privacy maturity within an organization |
US10452864B2 (en) | 2016-06-10 | 2019-10-22 | OneTrust, LLC | Data processing systems for webform crawling to map processing activities and related methods |
US10452866B2 (en) | 2016-06-10 | 2019-10-22 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10454973B2 (en) | 2016-06-10 | 2019-10-22 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10467432B2 (en) | 2016-06-10 | 2019-11-05 | OneTrust, LLC | Data processing systems for use in automatically generating, populating, and submitting data subject access requests |
US10498770B2 (en) | 2016-06-10 | 2019-12-03 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US10496846B1 (en) | 2016-06-10 | 2019-12-03 | OneTrust, LLC | Data processing and communications systems and methods for the efficient implementation of privacy by design |
US10496803B2 (en) * | 2016-06-10 | 2019-12-03 | OneTrust, LLC | Data processing systems and methods for efficiently assessing the risk of privacy campaigns |
US10503926B2 (en) | 2016-06-10 | 2019-12-10 | OneTrust, LLC | Consent receipt management systems and related methods |
US10509920B2 (en) | 2016-06-10 | 2019-12-17 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US11030274B2 (en) | 2016-06-10 | 2021-06-08 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US10509894B2 (en) * | 2016-06-10 | 2019-12-17 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US10558821B2 (en) | 2016-06-10 | 2020-02-11 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10565161B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US10564936B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for identity validation of data subject access requests and related methods |
US10565397B1 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10564935B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for integration of consumer feedback with data subject access requests and related methods |
US10567439B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US10565236B1 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10574705B2 (en) | 2016-06-10 | 2020-02-25 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US10572686B2 (en) | 2016-06-10 | 2020-02-25 | OneTrust, LLC | Consent receipt management systems and related methods |
US10585968B2 (en) | 2016-06-10 | 2020-03-10 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10586072B2 (en) | 2016-06-10 | 2020-03-10 | OneTrust, LLC | Data processing systems for measuring privacy maturity within an organization |
US10586075B2 (en) | 2016-06-10 | 2020-03-10 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US10592692B2 (en) | 2016-06-10 | 2020-03-17 | OneTrust, LLC | Data processing systems for central consent repository and related methods |
US10592648B2 (en) | 2016-06-10 | 2020-03-17 | OneTrust, LLC | Consent receipt management systems and related methods |
US10594740B2 (en) | 2016-06-10 | 2020-03-17 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10599870B2 (en) | 2016-06-10 | 2020-03-24 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US10606916B2 (en) | 2016-06-10 | 2020-03-31 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US10607028B2 (en) | 2016-06-10 | 2020-03-31 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US10614246B2 (en) | 2016-06-10 | 2020-04-07 | OneTrust, LLC | Data processing systems and methods for auditing data request compliance |
US10614247B2 (en) | 2016-06-10 | 2020-04-07 | OneTrust, LLC | Data processing systems for automated classification of personal information from documents and related methods |
US10642870B2 (en) | 2016-06-10 | 2020-05-05 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US10678945B2 (en) | 2016-06-10 | 2020-06-09 | OneTrust, LLC | Consent receipt management systems and related methods |
US10685140B2 (en) | 2016-06-10 | 2020-06-16 | OneTrust, LLC | Consent receipt management systems and related methods |
US10692033B2 (en) | 2016-06-10 | 2020-06-23 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US10706379B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data processing systems for automatic preparation for remediation and related methods |
US11921894B2 (en) | 2016-06-10 | 2024-03-05 | OneTrust, LLC | Data processing systems for generating and populating a data inventory for processing data access requests |
US10706131B2 (en) * | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data processing systems and methods for efficiently assessing the risk of privacy campaigns |
US10706174B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data processing systems for prioritizing data subject access requests for fulfillment and related methods |
US10708305B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Automated data processing systems and methods for automatically processing requests for privacy-related information |
US10705801B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data processing systems for identity validation of data subject access requests and related methods |
US10706176B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data-processing consent refresh, re-prompt, and recapture systems and related methods |
US10713387B2 (en) | 2016-06-10 | 2020-07-14 | OneTrust, LLC | Consent conversion optimization systems and related methods |
US10032172B2 (en) | 2016-06-10 | 2018-07-24 | OneTrust, LLC | Data processing systems for measuring privacy maturity within an organization |
US10726158B2 (en) | 2016-06-10 | 2020-07-28 | OneTrust, LLC | Consent receipt management and automated process blocking systems and related methods |
US10740487B2 (en) | 2016-06-10 | 2020-08-11 | OneTrust, LLC | Data processing systems and methods for populating and maintaining a centralized database of personal data |
US10754981B2 (en) | 2016-06-10 | 2020-08-25 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10762236B2 (en) | 2016-06-10 | 2020-09-01 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US10769303B2 (en) | 2016-06-10 | 2020-09-08 | OneTrust, LLC | Data processing systems for central consent repository and related methods |
US10769302B2 (en) | 2016-06-10 | 2020-09-08 | OneTrust, LLC | Consent receipt management systems and related methods |
US10769301B2 (en) | 2016-06-10 | 2020-09-08 | OneTrust, LLC | Data processing systems for webform crawling to map processing activities and related methods |
US10776518B2 (en) | 2016-06-10 | 2020-09-15 | OneTrust, LLC | Consent receipt management systems and related methods |
US10776514B2 (en) | 2016-06-10 | 2020-09-15 | OneTrust, LLC | Data processing systems for the identification and deletion of personal data in computer systems |
US10776515B2 (en) | 2016-06-10 | 2020-09-15 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10776517B2 (en) | 2016-06-10 | 2020-09-15 | OneTrust, LLC | Data processing systems for calculating and communicating cost of fulfilling data subject access requests and related methods |
US10783256B2 (en) | 2016-06-10 | 2020-09-22 | OneTrust, LLC | Data processing systems for data transfer risk identification and related methods |
US10791150B2 (en) | 2016-06-10 | 2020-09-29 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US10796020B2 (en) | 2016-06-10 | 2020-10-06 | OneTrust, LLC | Consent receipt management systems and related methods |
US10796260B2 (en) | 2016-06-10 | 2020-10-06 | OneTrust, LLC | Privacy management systems and methods |
US10798133B2 (en) | 2016-06-10 | 2020-10-06 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11868507B2 (en) | 2016-06-10 | 2024-01-09 | OneTrust, LLC | Data processing systems for cookie compliance testing with website scanning and related methods |
US10803097B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10803198B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing systems for use in automatically generating, populating, and submitting data subject access requests |
US10805354B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US10803199B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing and communications systems and methods for the efficient implementation of privacy by design |
US10803200B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing systems for processing and managing data subject access in a distributed environment |
US11847182B2 (en) | 2016-06-10 | 2023-12-19 | OneTrust, LLC | Data processing consent capture systems and related methods |
US10839102B2 (en) | 2016-06-10 | 2020-11-17 | OneTrust, LLC | Data processing systems for identifying and modifying processes that are subject to data subject access requests |
US10848523B2 (en) | 2016-06-10 | 2020-11-24 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10846433B2 (en) | 2016-06-10 | 2020-11-24 | OneTrust, LLC | Data processing consent management systems and related methods |
US11030563B2 (en) | 2016-06-10 | 2021-06-08 | OneTrust, LLC | Privacy management systems and methods |
US10019597B2 (en) | 2016-06-10 | 2018-07-10 | OneTrust, LLC | Data processing systems and communications systems and methods for integrating privacy compliance systems with software development and agile tools for privacy design |
US10853501B2 (en) | 2016-06-10 | 2020-12-01 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US10867072B2 (en) | 2016-06-10 | 2020-12-15 | OneTrust, LLC | Data processing systems for measuring privacy maturity within an organization |
US10867007B2 (en) | 2016-06-10 | 2020-12-15 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10873606B2 (en) | 2016-06-10 | 2020-12-22 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10878127B2 (en) | 2016-06-10 | 2020-12-29 | OneTrust, LLC | Data subject access request processing systems and related methods |
US11727141B2 (en) | 2016-06-10 | 2023-08-15 | OneTrust, LLC | Data processing systems and methods for synching privacy-related user consent across multiple computing devices |
US10885485B2 (en) | 2016-06-10 | 2021-01-05 | OneTrust, LLC | Privacy management systems and methods |
US10896394B2 (en) | 2016-06-10 | 2021-01-19 | OneTrust, LLC | Privacy management systems and methods |
US10909265B2 (en) | 2016-06-10 | 2021-02-02 | OneTrust, LLC | Application privacy scanning systems and related methods |
US11030327B2 (en) | 2016-06-10 | 2021-06-08 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US10929559B2 (en) | 2016-06-10 | 2021-02-23 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US10944725B2 (en) | 2016-06-10 | 2021-03-09 | OneTrust, LLC | Data processing systems and methods for using a data model to select a target data asset in a data migration |
US10949565B2 (en) | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10949567B2 (en) | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10949544B2 (en) | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for data transfer risk identification and related methods |
US10949170B2 (en) | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for integration of consumer feedback with data subject access requests and related methods |
US11675929B2 (en) | 2016-06-10 | 2023-06-13 | OneTrust, LLC | Data processing consent sharing systems and related methods |
WO2017214587A1 (en) * | 2016-06-10 | 2017-12-14 | OneTrust, LLC | Data processing systems and methods for efficiently assessing the risk of privacy campaigns |
US10970675B2 (en) | 2016-06-10 | 2021-04-06 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11651106B2 (en) | 2016-06-10 | 2023-05-16 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10972509B2 (en) | 2016-06-10 | 2021-04-06 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US10984132B2 (en) | 2016-06-10 | 2021-04-20 | OneTrust, LLC | Data processing systems and methods for populating and maintaining a centralized database of personal data |
US10997542B2 (en) | 2016-06-10 | 2021-05-04 | OneTrust, LLC | Privacy management systems and methods |
US10997318B2 (en) | 2016-06-10 | 2021-05-04 | OneTrust, LLC | Data processing systems for generating and populating a data inventory for processing data access requests |
US10997315B2 (en) | 2016-06-10 | 2021-05-04 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US9882935B2 (en) | 2016-06-10 | 2018-01-30 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US11025675B2 (en) | 2016-06-10 | 2021-06-01 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US11023616B2 (en) | 2016-06-10 | 2021-06-01 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US11023842B2 (en) | 2016-06-10 | 2021-06-01 | OneTrust, LLC | Data processing systems and methods for bundled privacy policies |
US11651104B2 (en) | 2016-06-10 | 2023-05-16 | OneTrust, LLC | Consent receipt management systems and related methods |
US10846261B2 (en) | 2016-06-10 | 2020-11-24 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US10181051B2 (en) | 2016-06-10 | 2019-01-15 | OneTrust, LLC | Data processing systems for generating and populating a data inventory for processing data access requests |
US10909488B2 (en) | 2016-06-10 | 2021-02-02 | OneTrust, LLC | Data processing systems for assessing readiness for responding to privacy-related incidents |
US11036771B2 (en) | 2016-06-10 | 2021-06-15 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11036882B2 (en) | 2016-06-10 | 2021-06-15 | OneTrust, LLC | Data processing systems for processing and managing data subject access in a distributed environment |
US11038925B2 (en) | 2016-06-10 | 2021-06-15 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11036674B2 (en) | 2016-06-10 | 2021-06-15 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US11057356B2 (en) | 2016-06-10 | 2021-07-06 | OneTrust, LLC | Automated data processing systems and methods for automatically processing data subject access requests using a chatbot |
US11062051B2 (en) | 2016-06-10 | 2021-07-13 | OneTrust, LLC | Consent receipt management systems and related methods |
US11070593B2 (en) | 2016-06-10 | 2021-07-20 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11068618B2 (en) | 2016-06-10 | 2021-07-20 | OneTrust, LLC | Data processing systems for central consent repository and related methods |
US11645353B2 (en) | 2016-06-10 | 2023-05-09 | OneTrust, LLC | Data processing consent capture systems and related methods |
US11074367B2 (en) | 2016-06-10 | 2021-07-27 | OneTrust, LLC | Data processing systems for identity validation for consumer rights requests and related methods |
US11087260B2 (en) | 2016-06-10 | 2021-08-10 | OneTrust, LLC | Data processing systems and methods for customizing privacy training |
US11100445B2 (en) | 2016-06-10 | 2021-08-24 | OneTrust, LLC | Data processing systems for assessing readiness for responding to privacy-related incidents |
US11100444B2 (en) | 2016-06-10 | 2021-08-24 | OneTrust, LLC | Data processing systems and methods for providing training in a vendor procurement process |
US11113416B2 (en) | 2016-06-10 | 2021-09-07 | OneTrust, LLC | Application privacy scanning systems and related methods |
US11645418B2 (en) | 2016-06-10 | 2023-05-09 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US11120161B2 (en) | 2016-06-10 | 2021-09-14 | OneTrust, LLC | Data subject access request processing systems and related methods |
US11120162B2 (en) | 2016-06-10 | 2021-09-14 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US11122011B2 (en) | 2016-06-10 | 2021-09-14 | OneTrust, LLC | Data processing systems and methods for using a data model to select a target data asset in a data migration |
US11126748B2 (en) | 2016-06-10 | 2021-09-21 | OneTrust, LLC | Data processing consent management systems and related methods |
US11134086B2 (en) | 2016-06-10 | 2021-09-28 | OneTrust, LLC | Consent conversion optimization systems and related methods |
US11138242B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US11138336B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11138318B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing systems for data transfer risk identification and related methods |
US11138299B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11144622B2 (en) | 2016-06-10 | 2021-10-12 | OneTrust, LLC | Privacy management systems and methods |
US11636171B2 (en) | 2016-06-10 | 2023-04-25 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US11146566B2 (en) | 2016-06-10 | 2021-10-12 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US11144670B2 (en) | 2016-06-10 | 2021-10-12 | OneTrust, LLC | Data processing systems for identifying and modifying processes that are subject to data subject access requests |
US11151233B2 (en) | 2016-06-10 | 2021-10-19 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11625502B2 (en) | 2016-06-10 | 2023-04-11 | OneTrust, LLC | Data processing systems for identifying and modifying processes that are subject to data subject access requests |
US11157600B2 (en) | 2016-06-10 | 2021-10-26 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11182501B2 (en) | 2016-06-10 | 2021-11-23 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US11188862B2 (en) | 2016-06-10 | 2021-11-30 | OneTrust, LLC | Privacy management systems and methods |
US11188615B2 (en) | 2016-06-10 | 2021-11-30 | OneTrust, LLC | Data processing consent capture systems and related methods |
US11195134B2 (en) | 2016-06-10 | 2021-12-07 | OneTrust, LLC | Privacy management systems and methods |
US11200341B2 (en) | 2016-06-10 | 2021-12-14 | OneTrust, LLC | Consent receipt management systems and related methods |
US11210420B2 (en) | 2016-06-10 | 2021-12-28 | OneTrust, LLC | Data subject access request processing systems and related methods |
US11222309B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11222142B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems for validating authorization for personal data collection, storage, and processing |
US11222139B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems and methods for automatic discovery and assessment of mobile software development kits |
US11228620B2 (en) | 2016-06-10 | 2022-01-18 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11227247B2 (en) | 2016-06-10 | 2022-01-18 | OneTrust, LLC | Data processing systems and methods for bundled privacy policies |
US11240273B2 (en) | 2016-06-10 | 2022-02-01 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US11238390B2 (en) | 2016-06-10 | 2022-02-01 | OneTrust, LLC | Privacy management systems and methods |
US9851966B1 (en) | 2016-06-10 | 2017-12-26 | OneTrust, LLC | Data processing systems and communications systems and methods for integrating privacy compliance systems with software development and agile tools for privacy design |
US11244071B2 (en) | 2016-06-10 | 2022-02-08 | OneTrust, LLC | Data processing systems for use in automatically generating, populating, and submitting data subject access requests |
US11244072B2 (en) | 2016-06-10 | 2022-02-08 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US11256777B2 (en) | 2016-06-10 | 2022-02-22 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US11609939B2 (en) | 2016-06-10 | 2023-03-21 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US11277448B2 (en) | 2016-06-10 | 2022-03-15 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11295316B2 (en) | 2016-06-10 | 2022-04-05 | OneTrust, LLC | Data processing systems for identity validation for consumer rights requests and related methods |
US11294939B2 (en) | 2016-06-10 | 2022-04-05 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US11301796B2 (en) | 2016-06-10 | 2022-04-12 | OneTrust, LLC | Data processing systems and methods for customizing privacy training |
US11301589B2 (en) | 2016-06-10 | 2022-04-12 | OneTrust, LLC | Consent receipt management systems and related methods |
US11308435B2 (en) | 2016-06-10 | 2022-04-19 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US11328092B2 (en) | 2016-06-10 | 2022-05-10 | OneTrust, LLC | Data processing systems for processing and managing data subject access in a distributed environment |
US11328240B2 (en) | 2016-06-10 | 2022-05-10 | OneTrust, LLC | Data processing systems for assessing readiness for responding to privacy-related incidents |
US11334682B2 (en) | 2016-06-10 | 2022-05-17 | OneTrust, LLC | Data subject access request processing systems and related methods |
US11336697B2 (en) | 2016-06-10 | 2022-05-17 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11334681B2 (en) | 2016-06-10 | 2022-05-17 | OneTrust, LLC | Application privacy scanning systems and related methods |
US11341447B2 (en) | 2016-06-10 | 2022-05-24 | OneTrust, LLC | Privacy management systems and methods |
US11343284B2 (en) | 2016-06-10 | 2022-05-24 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US11347889B2 (en) | 2016-06-10 | 2022-05-31 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11354434B2 (en) | 2016-06-10 | 2022-06-07 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11354435B2 (en) | 2016-06-10 | 2022-06-07 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US11361057B2 (en) | 2016-06-10 | 2022-06-14 | OneTrust, LLC | Consent receipt management systems and related methods |
US11366909B2 (en) | 2016-06-10 | 2022-06-21 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11366786B2 (en) | 2016-06-10 | 2022-06-21 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US11586700B2 (en) | 2016-06-10 | 2023-02-21 | OneTrust, LLC | Data processing systems and methods for automatically blocking the use of tracking tools |
WO2017214594A1 (en) * | 2016-06-10 | 2017-12-14 | OneTrust, LLC | Data processing systems for modifying privacy campaign data via electronic messaging systems |
US11392720B2 (en) | 2016-06-10 | 2022-07-19 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11586762B2 (en) | 2016-06-10 | 2023-02-21 | OneTrust, LLC | Data processing systems and methods for auditing data request compliance |
US11403377B2 (en) | 2016-06-10 | 2022-08-02 | OneTrust, LLC | Privacy management systems and methods |
US11409908B2 (en) | 2016-06-10 | 2022-08-09 | OneTrust, LLC | Data processing systems and methods for populating and maintaining a centralized database of personal data |
US11418516B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Consent conversion optimization systems and related methods |
US11416636B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing consent management systems and related methods |
US11416109B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Automated data processing systems and methods for automatically processing data subject access requests using a chatbot |
US11416798B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing systems and methods for providing training in a vendor procurement process |
US11416589B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11416634B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Consent receipt management systems and related methods |
US11418492B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing systems and methods for using a data model to select a target data asset in a data migration |
US11416576B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing consent capture systems and related methods |
US11416590B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11562097B2 (en) | 2016-06-10 | 2023-01-24 | OneTrust, LLC | Data processing systems for central consent repository and related methods |
US11438386B2 (en) | 2016-06-10 | 2022-09-06 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11558429B2 (en) | 2016-06-10 | 2023-01-17 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US11556672B2 (en) | 2016-06-10 | 2023-01-17 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11449633B2 (en) | 2016-06-10 | 2022-09-20 | OneTrust, LLC | Data processing systems and methods for automatic discovery and assessment of mobile software development kits |
US11461722B2 (en) | 2016-06-10 | 2022-10-04 | OneTrust, LLC | Questionnaire response automation for compliance management |
US11461500B2 (en) | 2016-06-10 | 2022-10-04 | OneTrust, LLC | Data processing systems for cookie compliance testing with website scanning and related methods |
US11468386B2 (en) | 2016-06-10 | 2022-10-11 | OneTrust, LLC | Data processing systems and methods for bundled privacy policies |
US11468196B2 (en) | 2016-06-10 | 2022-10-11 | OneTrust, LLC | Data processing systems for validating authorization for personal data collection, storage, and processing |
US11551174B2 (en) | 2016-06-10 | 2023-01-10 | OneTrust, LLC | Privacy management systems and methods |
US11475136B2 (en) | 2016-06-10 | 2022-10-18 | OneTrust, LLC | Data processing systems for data transfer risk identification and related methods |
US11481710B2 (en) | 2016-06-10 | 2022-10-25 | OneTrust, LLC | Privacy management systems and methods |
US11488085B2 (en) | 2016-06-10 | 2022-11-01 | OneTrust, LLC | Questionnaire response automation for compliance management |
US11550897B2 (en) * | 2016-06-10 | 2023-01-10 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11520928B2 (en) | 2016-06-10 | 2022-12-06 | OneTrust, LLC | Data processing systems for generating personal data receipts and related methods |
US11544405B2 (en) | 2016-06-10 | 2023-01-03 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11544667B2 (en) | 2016-06-10 | 2023-01-03 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US20180121658A1 (en) * | 2016-10-27 | 2018-05-03 | Gemini Cyber, Inc. | Cyber risk assessment and management system and method |
US11663359B2 (en) | 2017-06-16 | 2023-05-30 | OneTrust, LLC | Data processing systems for identifying whether cookies contain personally identifying information |
US11373007B2 (en) | 2017-06-16 | 2022-06-28 | OneTrust, LLC | Data processing systems for identifying whether cookies contain personally identifying information |
US9858439B1 (en) | 2017-06-16 | 2018-01-02 | OneTrust, LLC | Data processing systems for identifying whether cookies contain personally identifying information |
US10013577B1 (en) | 2017-06-16 | 2018-07-03 | OneTrust, LLC | Data processing systems for identifying whether cookies contain personally identifying information |
US11023812B2 (en) | 2017-08-28 | 2021-06-01 | Bank Of America Corporation | Event prediction and impact mitigation system |
US10810006B2 (en) | 2017-08-28 | 2020-10-20 | Bank Of America Corporation | Indicator regression and modeling for implementing system changes to improve control effectiveness |
US10877443B2 (en) | 2017-09-20 | 2020-12-29 | Bank Of America Corporation | System for generation and execution of improved control effectiveness |
US10104103B1 (en) | 2018-01-19 | 2018-10-16 | OneTrust, LLC | Data processing systems for tracking reputational risk via scanning and registry lookup |
US11157654B2 (en) | 2018-09-07 | 2021-10-26 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US10963591B2 (en) | 2018-09-07 | 2021-03-30 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US11593523B2 (en) | 2018-09-07 | 2023-02-28 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US11144675B2 (en) | 2018-09-07 | 2021-10-12 | OneTrust, LLC | Data processing systems and methods for automatically protecting sensitive data within privacy management systems |
US11947708B2 (en) | 2018-09-07 | 2024-04-02 | OneTrust, LLC | Data processing systems and methods for automatically protecting sensitive data within privacy management systems |
US11544409B2 (en) | 2018-09-07 | 2023-01-03 | OneTrust, LLC | Data processing systems and methods for automatically protecting sensitive data within privacy management systems |
US10803202B2 (en) | 2018-09-07 | 2020-10-13 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US11941144B2 (en) | 2019-06-05 | 2024-03-26 | The Toronto-Dominion Bank | Modification of data sharing between systems |
US11270021B2 (en) | 2019-06-05 | 2022-03-08 | The Toronto-Dominion Bank | Modification of data sharing between systems |
US11870800B1 (en) * | 2019-09-20 | 2024-01-09 | Cowbell Cyber, Inc. | Cyber security risk assessment and cyber security insurance platform |
US11888886B1 (en) | 2019-09-20 | 2024-01-30 | Cowbell Cyber, Inc. | Cyber security risk assessment and cyber security insurance platform |
US11615473B2 (en) * | 2020-03-05 | 2023-03-28 | Noor SHAKFEH | Resilience measurement system |
WO2021178710A1 (en) * | 2020-03-05 | 2021-09-10 | Shakfeh Noor | Resilience measurement system |
US11797528B2 (en) | 2020-07-08 | 2023-10-24 | OneTrust, LLC | Systems and methods for targeted data discovery |
US11444976B2 (en) | 2020-07-28 | 2022-09-13 | OneTrust, LLC | Systems and methods for automatically blocking the use of tracking tools |
US11475165B2 (en) | 2020-08-06 | 2022-10-18 | OneTrust, LLC | Data processing systems and methods for automatically redacting unstructured data from a data subject access request |
US11436373B2 (en) | 2020-09-15 | 2022-09-06 | OneTrust, LLC | Data processing systems and methods for detecting tools for the automatic blocking of consent requests |
US11704440B2 (en) | 2020-09-15 | 2023-07-18 | OneTrust, LLC | Data processing systems and methods for preventing execution of an action documenting a consent rejection |
US11526624B2 (en) | 2020-09-21 | 2022-12-13 | OneTrust, LLC | Data processing systems and methods for automatically detecting target data transfers and target data processing |
US11615192B2 (en) | 2020-11-06 | 2023-03-28 | OneTrust, LLC | Systems and methods for identifying data processing activities based on data discovery results |
US11397819B2 (en) | 2020-11-06 | 2022-07-26 | OneTrust, LLC | Systems and methods for identifying data processing activities based on data discovery results |
US11687528B2 (en) | 2021-01-25 | 2023-06-27 | OneTrust, LLC | Systems and methods for discovery, classification, and indexing of data in a native computing system |
US11442906B2 (en) | 2021-02-04 | 2022-09-13 | OneTrust, LLC | Managing custom attributes for domain objects defined within microservices |
US11494515B2 (en) | 2021-02-08 | 2022-11-08 | OneTrust, LLC | Data processing systems and methods for anonymizing data samples in classification analysis |
US11601464B2 (en) | 2021-02-10 | 2023-03-07 | OneTrust, LLC | Systems and methods for mitigating risks of third-party computing system functionality integration into a first-party computing system |
US11775348B2 (en) | 2021-02-17 | 2023-10-03 | OneTrust, LLC | Managing custom workflows for domain objects defined within microservices |
US11546661B2 (en) | 2021-02-18 | 2023-01-03 | OneTrust, LLC | Selective redaction of media content |
US11533315B2 (en) | 2021-03-08 | 2022-12-20 | OneTrust, LLC | Data transfer discovery and analysis systems and related methods |
US11816224B2 (en) | 2021-04-16 | 2023-11-14 | OneTrust, LLC | Assessing and managing computational risk involved with integrating third party computing functionality within a computing system |
US11562078B2 (en) | 2021-04-16 | 2023-01-24 | OneTrust, LLC | Assessing and managing computational risk involved with integrating third party computing functionality within a computing system |
US11620142B1 (en) | 2022-06-03 | 2023-04-04 | OneTrust, LLC | Generating and customizing user interfaces for demonstrating functions of interactive user environments |
Also Published As
Publication number | Publication date |
---|---|
WO2008140683A3 (en) | 2009-01-08 |
US20100114634A1 (en) | 2010-05-06 |
US8744894B2 (en) | 2014-06-03 |
WO2008140683A2 (en) | 2008-11-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8744894B2 (en) | | Method and system for assessing, managing, and monitoring information technology risk |
US20230351456A1 (en) | | System and methods for vulnerability assessment and provisioning of related services and products for efficient risk suppression |
Lichtenstein | | Factors in the selection of a risk assessment method |
US20160140466A1 (en) | | Digital data system for processing, managing and monitoring of risk source data |
US20120053981A1 (en) | | Risk Governance Model for an Operation or an Information Technology System |
US20150142509A1 (en) | | Standardized Technology and Operations Risk Management (STORM) |
US20160012541A1 (en) | | Systems and methods for business reclassification tiebreaking |
US20220207615A1 (en) | | Blockchain Insurance Verification System |
EP0999489A2 (en) | | Method and system for evaluating information security |
US20160012540A1 (en) | | Systems and methods for insurance process routing and versioning |
Kim et al. | | IS auditor characteristics, audit process variables, and IS audit satisfaction: An empirical study in South Korea |
Tsohou et al. | | Cyber insurance: state of the art, trends and future directions |
Christensen et al. | | The decision to outsource risk management services |
Shimels et al. | | Maturity of information systems' security in Ethiopian banks: case of selected private banks |
Ombudsman | | Automated decision-making better practice guide |
Wu et al. | | Risk assessment modeling with application in the accounting cloud-service industry |
Quinn et al. | | Staging cybersecurity risks for enterprise risk management and governance oversight |
Domingues et al. | | Finance and Cyber-security Risk Management |
Woods | | The economics of cyber risk transfer |
Brock et al. | | The market value of information system (IS) security for e-banking |
Lovaas | | A comprehensive risk-based Auditing framework for Small and Medium Sized financial institutions |
Sun | | Risk Management in Supply Chain Finance |
US20240078492A1 (en) | | Systems and methods for generating dynamic real-time analysis of carbon credits and offsets |
Mamers | | The art and science of information security investments for small enterprises |
Boltz | | Information Security Risk Assessment: Practices of Leading Organizations |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: EVANTIX GRC, LLC, CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ONIONOMICS, LLC;REEL/FRAME:038230/0386. Effective date: 20121204. Owner name: ONIONOMICS, LLC, CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CREDIT MANAGEMENT ASSOCIATION;REEL/FRAME:038230/0333. Effective date: 20121203. Owner name: CREDIT MANAGEMENT ASSOCIATION, CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:EVANTIX, LLC;REEL/FRAME:038230/0305. Effective date: 20121203. Owner name: EVANTIX, LLC, CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHRISTIANSEN, JAMES;D'ANGONA, RICK;BELL, CHRIS;REEL/FRAME:038230/0261. Effective date: 20091111 |
 | AS | Assignment | Owner name: OPTIV SECURITY INC., COLORADO. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:EVANTIX GRC, LLC;MEISLIK, ADAM;NATHAN, ERIK;AND OTHERS;REEL/FRAME:038620/0016. Effective date: 20160505 |
 | AS | Assignment | Owner name: JPMORGAN CHASE BANK, N.A., CALIFORNIA. Free format text: GRANT OF SECURITY INTERESTS IN PATENTS RIGHTS;ASSIGNOR:OPTIV SECURITY INC.;REEL/FRAME:041630/0887. Effective date: 20170201 |
 | AS | Assignment | Owner name: JEFFERIES FINANCE LLC, NEW YORK. Free format text: GRANT OF SECURITY INTEREST IN PATENT RIGHTS (FIRST LIEN);ASSIGNOR:OPTIV SECURITY INC.;REEL/FRAME:041794/0461. Effective date: 20170201. Owner name: JEFFERIES FINANCE LLC, NEW YORK. Free format text: GRANT OF SECURITY INTEREST IN PATENT RIGHTS (SECOND LIEN);ASSIGNOR:OPTIV SECURITY INC.;REEL/FRAME:041794/0468. Effective date: 20170201 |
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
 | AS | Assignment | Owner name: OPTIV INC, COLORADO. Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:JEFFERIES FINANCE LLC;REEL/FRAME:063472/0369. Effective date: 20230426. Owner name: OPTIV SECURITY INC., COLORADO. Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:JEFFERIES FINANCE LLC;REEL/FRAME:063472/0304. Effective date: 20230426. Owner name: OPTIV INC., COLORADO. Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:JEFFERIES FINANCE LLC;REEL/FRAME:063472/0304. Effective date: 20230426. Owner name: OPTIV SECURITY INC., COLORADO. Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:063472/0250. Effective date: 20230426 |