Abstract: A method, system, and computer program product for identifying reference data values in a source data set. The method may include inputting a block of attribute values to a predefined machine learning model. The method may also include receiving an indication of a presentation layout of the block of the attribute values and an associated reference data extraction method. The method may also include determining a reading direction of the block of values. The method may also include identifying one or more inspection areas in the reading direction of the block of values. The method may also include determining sets of the one or more inspection areas that share a common presentation feature. The method may also include identifying tokens in an inspection area. The method may also include determining if the inspection area includes reference data values. The method may also include outputting the reference data values.

Abstract: A system and method for managing and controlling data licenses for information assets. An information asset is stored in a repository, and registered in a catalog for the repository. A data license is associated with the information asset in the catalog, wherein the data license is stored as part of the information asset's metadata in the catalog. Access to the information asset stored in the repository is controlled based on the data license. A new data license is automatically created for a new information asset derived from an existing information asset, wherein the new data license is derived from an existing data license for the existing information asset. A lineage graph of the information asset is automatically created for audit purposes, to show that the information asset has been accessed in compliance with the data license.

Abstract: An application is instrumented with a document protection service provider interface (SPI). The interface is used to call an external function, e.g., an encryption utility, to facilitate secure document exchange between a sending entity and a receiving entity. When the application invokes the SPI, the user is provided with a display panel. The end user provides a password for encryption key generation, together with an indication of desired encryption strength. The service provider uses the password to generate an encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs encryption. The SPI generates and sends a message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key.

Abstract: A system and method for managing and controlling data licenses for information assets. An information asset is stored in a repository, and registered in a catalog for the repository. A data license is associated with the information asset in the catalog, wherein the data license is stored as part of the information asset's metadata in the catalog. Access to the information asset stored in the repository is controlled based on the data license. A new data license is automatically created for a new information asset derived from an existing information asset, wherein the new data license is derived from an existing data license for the existing information asset. A lineage graph of the information asset is automatically created for audit purposes, to show that the information asset has been accessed in compliance with the data license.

Abstract: A multi-component auditing environment uses a set of log-enabled components that are capable of being triggered during an information flow in a data processing system. A “master” compliance component receives data from each log-enabled component in the set of log-enabled components, the data indicating a set of logging properties that are associated with or provided by that log-enabled component. The master compliance component determines, for a given compliance policy, which of a set of one or more events are required from one or more of the individual log-enabled components in the set of log-enabled components. As a result of the determining step, the master compliance component then configures one of more of the individual log-enabled components, e.g. by generating one or more configuration events that are then sent to the one or more individual components. This configuration may take place remotely, i.e., over a network connection.

Abstract: An application is instrumented with a document protection service provider interface (SPI). The interface is used to call an external function, e.g., an encryption utility, to facilitate secure document exchange between a sending entity and a receiving entity. When the application invokes the SPI, the user is provided with a display panel. The end user provides a password for encryption key generation, together with an indication of desired encryption strength. The service provider uses the password to generate an encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs encryption. The SPI generates and sends a message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key.

Abstract: An application is instrumented with a document protection service provider interface (SPI). The interface is used to call an external function, e.g., an encryption utility, to facilitate secure document exchange between a sending entity and a receiving entity. When the application invokes the SPI, the user is provided with a display panel. The end user provides a password for encryption key generation, together with an indication of desired encryption strength. The service provider uses the password to generate an encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs encryption. The SPI generates and sends a message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key.

Abstract: An application is instrumented with a document protection service provider interface (SPI). The interface is used to call an external function, e.g., an encryption utility, to facilitate secure document exchange between a sending entity and a receiving entity. When the application invokes the SPI, the user is provided with a display panel. The end user provides a password for encryption key generation, together with an indication of desired encryption strength. The service provider uses the password to generate an encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs encryption. The SPI generates and sends a message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key.

Abstract: A network-based appliance includes a mechanism to erase data on the appliance's local storage. The appliance's normal system reset operation is overridden to enable a local user to place the appliance into a safe mode during which remote erasure of the storage is permitted, provided that mode is entered within a first time period following initiation of a system reset. If the appliance is placed in the mode within the time period, it can then receive commands to wipe the local storage. Once the safe mode is entered by detecting one or more actions of a local user, preferably the appliance data itself is wiped by another person or entity that is remote from the device. Thus, physical (local) presence to the appliance is necessary to place the device in the safe mode, while non-physical (remote) presence with respect to the appliance enables actual wiping of the storage device.

Abstract: A document management (DM), data leak prevention (DLP) or similar application in a data processing system is instrumented with a document protection service provider interface (SPI). The service provider interface is used to call an external function, such as an encryption utility, that is used to facilitate secure document exchange between a sending entity and a receiving entity. The encryption utility may be configured for local download to and installation in the machine on which the SPI is invoked, but a preferred approach is to use the SPI to invoke an external encryption utility as a “service.” In such case, the external encryption utility is implemented by a service provider. When the calling program invokes the SPI, preferably the user is provided with a display panel. Using that panel, the end user provides a password that is used for encryption key generation, together with an indication of the desired encryption strength. The service provider uses the password to generate the encryption key.

Abstract: A technique for selecting an information service implementation includes receiving a service request that includes a tenant identifier that uniquely identifies a calling tenant. Transformation logic to service the service request is selected based on the received tenant identifier. One or more data sources and one or more data targets are selected for the service request based on the received tenant identifier. Data from the selected data sources is processed using the selected transformation logic and the processed data is stored at the selected data targets.

Abstract: A network-based appliance includes a mechanism to erase data on the appliance's local storage. The appliance's normal system reset operation is overridden to enable a local user to place the appliance into a safe mode during which remote erasure of the storage is permitted, provided that mode is entered within a first time period following initiation of a system reset. If the appliance is placed in the mode within the time period, it can then receive commands to wipe the local storage. Once the safe mode is entered by detecting one or more actions of a local user, preferably the appliance data itself is wiped by another person or entity that is remote from the device. Thus, physical (local) presence to the appliance is necessary to place the device in the safe mode, while non-physical (remote) presence with respect to the appliance enables actual wiping of the storage device.

Abstract: A network-based appliance includes a mechanism to erase data on the appliance's local storage. The appliance's normal system reset operation is overridden to enable a local user to place the appliance into a safe mode during which remote erasure of the storage is permitted, provided that mode is entered within a first time period following initiation of a system reset. If the appliance is placed in the mode within the time period, it can then receive commands to wipe the local storage. Once the safe mode is entered by detecting one or more actions of a local user, preferably the appliance data itself is wiped by another person or entity that is remote from the device. Thus, physical (local) presence to the appliance is necessary to place the device in the safe mode, while non-physical (remote) presence with respect to the appliance enables actual wiping of the storage device.

Abstract: Gap analysis is performed on security capabilities of a computer system compared to a desired or targeted security model according to one or more security requirement by providing a data structure of security capabilities of a computer system under analysis, wherein each capability is classified in a formal security capability reference model with a mean having a set of attributes and a goal; determining the security capabilities of the deployed system-under-analysis; matching the security capabilities of the deployed system-under-analysis with the security capabilities defined in the data structure; determining one or more gaps in security capabilities between the deployed system and a security reference model goal; and displaying the gaps to a user in a report.

Abstract: Gap analysis is performed on security capabilities of a computer system compared to a desired or targeted security model according to one or more security requirement by providing a data structure of security capabilities of a computer system under analysis, wherein each capability is classified in a formal security capability reference model with a mean having a set of attributes and a goal; determining the security capabilities of the deployed system-under-analysis; matching the security capabilities of the deployed system-under-analysis with the security capabilities defined in the data structure; determining one or more gaps in security capabilities between the deployed system and a security reference model goal; and displaying the gaps to a user in a report.

Abstract: Gap analysis is performed on security capabilities of a computer system compared to a desired or targeted security model according to one or more security requirement by providing a data structure of security capabilities of a computer system under analysis, wherein each capability is classified in a formal security capability reference model with a mean having a set of attributes and a goal; determining the security capabilities of the deployed system-under-analysis; matching the security capabilities of the deployed system-under-analysis with the security capabilities defined in the data structure; determining one or more gaps in security capabilities between the deployed system and a security reference model goal; and displaying the gaps to a user in a report.

Abstract: A method, apparatus and computer program product, for generating a framework for supporting a homogeneous view of an information collection managed in a heterogeneous system of information storage sources. The framework includes an information collection data model mapped to an information source data model, and an information storage services data model mapped to the information source data model. The information collection data model defines information to be collected and stored as an information collection in one or more information storage sources. The information source data model references data sets containing the information defined in the information collection data model. The information storage services data model defines information storage services for accessing and performing operations on the one or more information storage sources storing the information collection.

Abstract: A technique for selecting an information service implementation includes receiving a service request that includes a tenant identifier that uniquely identifies a calling tenant. Transformation logic to service the service request is selected based on the received tenant identifier. One or more data sources and one or more data targets are selected for the service request based on the received tenant identifier. Data from the selected data sources is processed using the selected transformation logic and the processed data is stored at the selected data targets.

Abstract: An approach is provided for selecting one or more trust factors from trust factors included in a trust index repository. Thresholds are identified corresponding to one or more of the selected trust factors. Actions are identified to perform when the selected trust factors reach the corresponding threshold values. The identified thresholds, identified actions, and selected trust factors are stored in a data store. The selected trust factors are monitored by comparing one or more trust metadata scores with the stored identified thresholds. The stored identified actions that correspond to the selected trust factors are performed when one or more of the trust metadata scores reach the identified thresholds. At least one of the actions includes an event notification that is provided to a trust data consumer.

Abstract: An approach is provided for selecting a trust factor from trust factors that are included in a trust index repository. A trust metaphor is associated with the selected trust factor. The trust metaphor includes various context values. Range values are received and the trust metaphor, context values, and range values are associated with the selected trust factor. A request is received from a data consumer, the request corresponding to a trust factor metadata score that is associated with the selected trust factor. The trust factor metadata score is retrieved and matched with the range values. The matching results in one of the context values being selected based on the retrieved trust factor metadata score. The selected context value is then provided to the data consumer.