Ex Parte Condon

Board of Patent Appeals and Interferences

Sep 12, 2011

11060332 (B.P.A.I. Sep. 12, 2011)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov
APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO.
11/060,332 02/17/2005 Kirk Condon SBCK0120PUS/IT1065 3662
84004 7590 09/12/2011
AT & T Legal Department - BK
Attention Patent Docketing
Room 2A-207
One AT & T Way
Bedminster, NJ 07921
EXAMINER
HOMAYOUNMEHR, FARID
ART UNIT PAPER NUMBER
2434
MAIL DATE DELIVERY MODE
09/12/2011 PAPER
Please find below and/or attached an Office communication concerning this application or proceeding.
The time period for reply, if any, is set in the attached communication.
PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________________

BEFORE THE BOARD OF PATENT APPEALS
AND INTERFERENCES
____________________

Ex parte KIRK CONDON
____________________

Appeal 2009-014120
Application 11/060,332
Technology Center 2400
____________________

Before MAHSHID D. SAADAT, KALYAN K. DESHPANDE, and ERIC
B. CHEN, Administrative Patent Judges.

DESHPANDE, Administrative Patent Judge.

DECISION ON APPEAL

Appeal 2009-014120
Application 11/060,332
2
STATEMENT OF CASE
1

The Appellant seeks review under 35 U.S.C. § 134(a) of a final
rejection of claims 1, 7-15, and 20, the only claims pending in the
application on appeal. We have jurisdiction over the appeal pursuant to 35
U.S.C. § 6(b).
We REVERSE.

The Appellant invented a method and system of auditing databases for
security compliance. Specification 1:6-7.
An understanding of the invention can be derived from a reading of
exemplary claim 1, which is reproduced below [bracketed matter and some
paragraphing added]:
1. A method of auditing databases for security compliance, the
method comprising:
[1] querying databases in batch operation with signals
emitted from a remotely located central security server for
database security parameters associated with the databases such
that the databases are queried without being individually
selected by a user to be queried, wherein the database security
parameters associated with each database define rules for user
identifications and user passwords to be used by users to access
the database, wherein the databases are queried for different
database security parameters such that the queried database
security parameters associated with at least one of the databases
is different than the queried database security parameters
associated with at least one of the other databases;
[2] wherein querying databases further includes
automatically querying a database with a signal emitted from
the central security server for database security parameters

1
Our decision will make reference to the Appellant’s Appeal Brief (“App.
Br.,” filed Jan. 28, 2009) and Reply Brief (“Reply Br.,” filed May 21, 2009),
and the Examiner’s Answer (“Ans.,” mailed Apr. 15, 2009), and Final
Rejection (“Final Rej.,” mailed Oct. 31, 2008).
Appeal 2009-014120
Application 11/060,332
3
associated with the database in response to a user changing at
least one of the user identification and the user password used
by the user to access the database;
[3] determining authorized database security parameters for
each queried database security parameter;
[4] for each database, auditing at the central security server
the queried database security parameters associated with the
database for compliance with the authorized security
parameters;
[5] for each database, determining each queried database
security parameter associated with the database as being a
noncompliant security parameter if the queried database
security parameter associated with the database fails to comply
with the authorized database security parameters; and
[6] compiling a security report of databases having
noncompliant security parameters.

REFERENCES
The Examiner relies on the following prior art:
Kayashima
Lineman
US 2001/0023486 A1
US 2003/0065942 A1
Sep. 20, 2001
Apr. 3, 2003

REJECTIONS
Claims 1, 7-15, and 20 stand rejected under 35 U.S.C §103(a) as being
unpatentable over Lineman and Kayashima. Ans. 3-10.

ISSUE
The issue of whether the Examiner erred in rejecting claims 1, 7-15,
and 20 under 35 U.S.C. § 103(a) as unpatentable over Lineman and
Kayashima turns on whether the combination of Lineman and Kayashima
describe limitations [1] and [2] of claim 1.
Appeal 2009-014120
Application 11/060,332
4
FACTS PERTINENT TO THE ISSUE
The following enumerated Findings of Fact (FF) are supported by a
preponderance of the evidence.
Facts Related to the Prior Art
Lineman
01. Lineman is directed to a method and apparatus for actively
managing the security policies for users and computers in a
network. Lineman ¶ 0001.
02. Lineman describes software for creating a security policy
document that contains appropriate controls required to enforce
the security policy on various computing platforms. The software
further tracks access to the security policy document. Lineman ¶
0008.
03. The security management program enables an administrator to
set or audit the parameters on the computers system and run check
reports on the computer systems to measure their compliance with
security policy. Lineman ¶ 0038.
04. A detect service configuration service includes an interface for
showing alerts for detecting changes in security policies passed to
the security management program. A set of rules instructs agent
software to notify the administrator when important settings or
parameters have been changed on the computer systems. An
example rule is “Minimum Password Detect Rule.” An alert
email is sent to the security administrator when the “minimum
password length” detect rule is triggered by an altered setting or
Appeal 2009-014120
Application 11/060,332
5
parameter on a computer system. For example, a published
security policy may require that the minimum length for new
passwords be eight characters. If the configuration of one of the
machines is altered so that the minimum password parameter is
changed to seven characters, the agent software will notify the
security management of the change. Lineman ¶¶ 0093-0096.
Kayashima
05. Kayashima is directed to supporting the control and management
of a security state of an information processing system composed
of various kinds of processing apparatuses connected to a
network. Kayashima ¶ 0001.
06. Kayashima describes a system that first includes preparing a
database associated with an information security policy
representing a policy of a security measure. The information
system is constructed in accordance with the information security
policy and the security policies are applied to the system. A
security management system is introduced to the information
system and allows a user to execute audit programs that audit
various information such as a type and a software version of the
managed system. Kayashima ¶¶ 0012-0013.
07. A “Management” button is provided for changing the security
measure pertaining to a selected information security policy. An
“Audit” is provided to confirm the execution status of an
information security policy. A screen for receiving a setting
change of a password is also provided. Kayashima ¶¶ 0069-0072.
Appeal 2009-014120
Application 11/060,332
6
08. The management and audit programs may execute other
processes concerning the security policy such as a virus check, a
change of a password and a collection of logs. Kayashima ¶ 0136.

ANALYSIS
Claims 1, 7-15, and 20 rejected under 35 U.S.C §103(a) as being
unpatentable over Lineman and Kayashima
The Appellant contends that the combination of Lineman and
Kayashima fails to teach or suggest automatically querying a database for a
security parameter, which defines a rule for a password to be used by a user
to access the database, in response to the user changing the password used
by the user to access the database, as required by independent claims 1 and
15. App. Br. 9-13 and Reply Br. 2-3. Claims 7-14 and 20 incorporate these
features by reference.
We agree with the Appellant. Limitation [1] of claim 1 requires, in
part, querying a database for different database security parameters such that
the queried database security parameters associated with at least one
database are different than the queried security parameters associated with
another database. Limitation [2] further requires automatically querying a
database in response to a user changing a user identification or a user
password. Limitations [3] – [5] require determining authorized security
parameters and auditing each database’s security parameters for compliance
with authorized security parameters.
As found by the Examiner, Lineman describes querying a set of rules
when a security policy, such as a minimum password policy, is changed and
a security administrator is notified if the new security policy is violates a set
Appeal 2009-014120
Application 11/060,332
7
of security policy rules. FF 02-04 and Ans. 4-7 and 11-12. That is, a set of
rules are queried in response to a change in a security setting, such as a
password setting. The Examiner acknowledges that this is not the same as
querying a database for security parameters in response to a change in
password and as such cited Kayashima to describe this limitation. Ans. 11-
12.
Kayashima describes a security management system that includes an
audit program that executes processes concerning a security policy, such as a
change of password. FF 08 and Ans. 12. Kayashima is silent as to exactly
what the processes concerning a security policy encompass. The Examiner
interprets this description to encompass auditing a system when a password
is changed. Ans. 12. The Examiner further found that the action of
changing a password setting is the same as changing a password. Ans. 13.
However, we disagree with this conclusion. A change of a password
setting is not the same as a change of password. As such, Kayashima’s
description of auditing systems in response to a change in password is not
the same as querying a database for different database security parameters in
response to a user identification or password change, as required by claims 1
and 15. The Examiner found that the claimed invention is obvious over the
auditing features of Lineman and Kayashima, but has failed to provide any
further evidence or rationale to support the conclusion that claim 1 is
obvious in light of the descriptions of Lineman and Kayashima.

CONCLUSIONS OF LAW
The Examiner erred in rejecting claims 1, 7-15, and 20 under 35
U.S.C. § 103(a) as unpatentable over Lineman and Kayashima.
Appeal 2009-014120
Application 11/060,332
8

DECISION
To summarize, our decision is as follows.
 The rejection of claims 1, 7-15, and 20 under 35 U.S.C. § 103(a) as
unpatentable over Lineman and Kayashima is not sustained.

REVERSED

ELD