Ex Parte Condon
Board of Patent Appeals and Interferences
Sep 12, 2011
11060332 (B.P.A.I. Sep. 12, 2011)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 11/060,332
FILING DATE: 02/17/2005
FIRST NAMED INVENTOR: Kirk Condon
ATTORNEY DOCKET NO.: SBCK0120PUS/IT1065
CONFIRMATION NO.: 3662

84004 7590 09/12/2011
AT & T Legal Department - BK
Attention Patent Docketing
Room 2A-207
One AT & T Way
Bedminster, NJ 07921

EXAMINER: HOMAYOUNMEHR, FARID
ART UNIT: 2434
PAPER NUMBER:
MAIL DATE: 09/12/2011
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________________
BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES
____________________
Ex parte KIRK CONDON
____________________
Appeal 2009-014120
Application 11/060,332
Technology Center 2400
____________________
Before MAHSHID D. SAADAT, KALYAN K. DESHPANDE, and ERIC B. CHEN, Administrative Patent Judges.

DESHPANDE, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF CASE¹

The Appellant seeks review under 35 U.S.C. § 134(a) of a final rejection of claims 1, 7-15, and 20, the only claims pending in the application on appeal. We have jurisdiction over the appeal pursuant to 35 U.S.C. § 6(b).

We REVERSE.

The Appellant invented a method and system of auditing databases for security compliance. Specification 1:6-7.

An understanding of the invention can be derived from a reading of exemplary claim 1, which is reproduced below [bracketed matter and some paragraphing added]:

1. A method of auditing databases for security compliance, the method comprising:

[1] querying databases in batch operation with signals emitted from a remotely located central security server for database security parameters associated with the databases such that the databases are queried without being individually selected by a user to be queried, wherein the database security parameters associated with each database define rules for user identifications and user passwords to be used by users to access the database, wherein the databases are queried for different database security parameters such that the queried database security parameters associated with at least one of the databases is different than the queried database security parameters associated with at least one of the other databases;

[2] wherein querying databases further includes automatically querying a database with a signal emitted from the central security server for database security parameters associated with the database in response to a user changing at least one of the user identification and the user password used by the user to access the database;

[3] determining authorized database security parameters for each queried database security parameter;

[4] for each database, auditing at the central security server the queried database security parameters associated with the database for compliance with the authorized security parameters;

[5] for each database, determining each queried database security parameter associated with the database as being a noncompliant security parameter if the queried database security parameter associated with the database fails to comply with the authorized database security parameters; and

[6] compiling a security report of databases having noncompliant security parameters.

¹ Our decision will make reference to the Appellant’s Appeal Brief (“App. Br.,” filed Jan. 28, 2009) and Reply Brief (“Reply Br.,” filed May 21, 2009), and the Examiner’s Answer (“Ans.,” mailed Apr. 15, 2009), and Final Rejection (“Final Rej.,” mailed Oct. 31, 2008).

REFERENCES

The Examiner relies on the following prior art:

Kayashima    US 2001/0023486 A1    Sep. 20, 2001
Lineman      US 2003/0065942 A1    Apr. 3, 2003

REJECTIONS

Claims 1, 7-15, and 20 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Lineman and Kayashima. Ans. 3-10.

ISSUE

The issue of whether the Examiner erred in rejecting claims 1, 7-15, and 20 under 35 U.S.C. § 103(a) as unpatentable over Lineman and Kayashima turns on whether the combination of Lineman and Kayashima describes limitations [1] and [2] of claim 1.

FACTS PERTINENT TO THE ISSUE

The following enumerated Findings of Fact (FF) are supported by a preponderance of the evidence.

Facts Related to the Prior Art

Lineman

01. Lineman is directed to a method and apparatus for actively managing the security policies for users and computers in a network. Lineman ¶ 0001.

02. Lineman describes software for creating a security policy document that contains appropriate controls required to enforce the security policy on various computing platforms.
The software further tracks access to the security policy document. Lineman ¶ 0008.

03. The security management program enables an administrator to set or audit the parameters on the computer systems and run check reports on the computer systems to measure their compliance with security policy. Lineman ¶ 0038.

04. A detect service configuration service includes an interface for showing alerts for detecting changes in security policies passed to the security management program. A set of rules instructs agent software to notify the administrator when important settings or parameters have been changed on the computer systems. An example rule is “Minimum Password Detect Rule.” An alert email is sent to the security administrator when the “minimum password length” detect rule is triggered by an altered setting or parameter on a computer system. For example, a published security policy may require that the minimum length for new passwords be eight characters. If the configuration of one of the machines is altered so that the minimum password parameter is changed to seven characters, the agent software will notify the security management of the change. Lineman ¶¶ 0093-0096.

Kayashima

05. Kayashima is directed to supporting the control and management of a security state of an information processing system composed of various kinds of processing apparatuses connected to a network. Kayashima ¶ 0001.

06. Kayashima describes a system that first includes preparing a database associated with an information security policy representing a policy of a security measure. The information system is constructed in accordance with the information security policy and the security policies are applied to the system. A security management system is introduced to the information system and allows a user to execute audit programs that audit various information such as a type and a software version of the managed system. Kayashima ¶¶ 0012-0013.

07.
A “Management” button is provided for changing the security measure pertaining to a selected information security policy. An “Audit” is provided to confirm the execution status of an information security policy. A screen for receiving a setting change of a password is also provided. Kayashima ¶¶ 0069-0072.

08. The management and audit programs may execute other processes concerning the security policy such as a virus check, a change of a password and a collection of logs. Kayashima ¶ 0136.

ANALYSIS

Claims 1, 7-15, and 20 rejected under 35 U.S.C. § 103(a) as being unpatentable over Lineman and Kayashima

The Appellant contends that the combination of Lineman and Kayashima fails to teach or suggest automatically querying a database for a security parameter, which defines a rule for a password to be used by a user to access the database, in response to the user changing the password used by the user to access the database, as required by independent claims 1 and 15. App. Br. 9-13 and Reply Br. 2-3. Claims 7-14 and 20 incorporate these features by reference. We agree with the Appellant.

Limitation [1] of claim 1 requires, in part, querying a database for different database security parameters such that the queried database security parameters associated with at least one database are different than the queried security parameters associated with another database. Limitation [2] further requires automatically querying a database in response to a user changing a user identification or a user password. Limitations [3] – [5] require determining authorized security parameters and auditing each database’s security parameters for compliance with authorized security parameters.
As found by the Examiner, Lineman describes querying a set of rules when a security policy, such as a minimum password policy, is changed and a security administrator is notified if the new security policy violates a set of security policy rules. FF 02-04 and Ans. 4-7 and 11-12. That is, a set of rules is queried in response to a change in a security setting, such as a password setting. The Examiner acknowledges that this is not the same as querying a database for security parameters in response to a change in password and as such cited Kayashima to describe this limitation. Ans. 11-12.

Kayashima describes a security management system that includes an audit program that executes processes concerning a security policy, such as a change of password. FF 08 and Ans. 12. Kayashima is silent as to exactly what the processes concerning a security policy encompass. The Examiner interprets this description to encompass auditing a system when a password is changed. Ans. 12. The Examiner further found that the action of changing a password setting is the same as changing a password. Ans. 13.

However, we disagree with this conclusion. A change of a password setting is not the same as a change of password. As such, Kayashima’s description of auditing systems in response to a change in password is not the same as querying a database for different database security parameters in response to a user identification or password change, as required by claims 1 and 15. The Examiner found that the claimed invention is obvious over the auditing features of Lineman and Kayashima, but has failed to provide any further evidence or rationale to support the conclusion that claim 1 is obvious in light of the descriptions of Lineman and Kayashima.

CONCLUSIONS OF LAW

The Examiner erred in rejecting claims 1, 7-15, and 20 under 35 U.S.C. § 103(a) as unpatentable over Lineman and Kayashima.
DECISION

To summarize, our decision is as follows.

The rejection of claims 1, 7-15, and 20 under 35 U.S.C. § 103(a) as unpatentable over Lineman and Kayashima is not sustained.

REVERSED

ELD