Article
Peer-Review Record

Defining the Minimum Security Baseline in a Multiple Security Standards Environment by Graph Theory Techniques

Appl. Sci. 2019, 9(4), 681; https://doi.org/10.3390/app9040681
by Dmitrij Olifer *, Nikolaj Goranin, Antanas Cenys, Arnas Kaceniauskas and Justinas Janulevicius
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Submission received: 20 December 2018 / Revised: 4 February 2019 / Accepted: 13 February 2019 / Published: 17 February 2019
(This article belongs to the Special Issue Applied Sciences Based on and Related to Computer and Control)

Round 1

Reviewer 1 Report

This paper uses a sub-graph isomorphism algorithm to evaluate the relation between the different cyber security standards that an organization must comply with. The nodes of the graph are the different requirements of a given standard and the edges show the connections between those requirements. Their approach finds the minimum security baseline across different standards by eliminating redundant requirements. Their method is well described and validated experimentally. Although there was no theoretical formulation of the sub-graph algorithm in general, this was not the main goal of the paper. The authors have instead demonstrated a feasible application.


Figures 3 and 6 should be bigger and more readable.

Author Response

Dear Reviewer,

 

In the name of all authors, I would first of all like to express our gratitude for dedicating your valuable time to reviewing our manuscript and providing valuable comments. We have tried to correct it as much as possible according to your suggestions. Please find below the comments and article modifications point by point.

 

Point 1: Figures 3 and 6 should be bigger and more readable.

 

Response 1: We are grateful for this comment and fully accept it. The following modifications were made:

Figure 3 was enlarged and the black text was replaced with blue text.

Figure 6 was enlarged.

 

Thank you very much once again. Looking forward to your reply. Please do not hesitate to contact me if any further clarifications or corrections are needed.

 

Yours sincerely,

Dmitrij Olifer
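As an added illustration of the graph-based approach the reviewer summarizes (example code added by the editor, not the authors' implementation; the page does not give the paper's exact matching rules, so the redundancy rule, the control labels and all three sample standards are assumptions), the following Python models each standard as a labelled directed requirement graph, uses a label-preserving subgraph isomorphism search to drop requirements of a second standard that are already covered by the baseline built so far, and then verifies that each standard still embeds in the resulting baseline:

```python
"""Requirement-graph matching for a minimum security baseline (MSB).

Added illustration, not the authors' code. A standard is a directed graph:
nodes are requirements labelled by the control they mandate, edges mean
"depends on". A requirement of a new standard is judged redundant when it and
its direct dependencies embed, label for label, into the baseline built so far
(a label-preserving subgraph isomorphism found by backtracking).
"""

# A graph is a pair (labels, edges): labels maps node id -> control label,
# edges maps node id -> set of successor node ids. Node ids are assumed to be
# unique across all standards.


def subgraph_embedding(pattern, host):
    """Return {pattern node: host node} such that labels match, nodes are
    mapped injectively and every pattern edge (u, v) has a host edge
    (m[u], m[v]); None if no such (non-induced) embedding exists."""
    p_labels, p_edges = pattern
    h_labels, h_edges = host
    # Most-constrained pattern nodes first prunes the search earlier.
    order = sorted(p_labels, key=lambda n: -len(p_edges.get(n, ())))

    def extend(i, mapping):
        if i == len(order):
            return dict(mapping)
        u = order[i]
        for h, label in h_labels.items():
            if label != p_labels[u] or h in mapping.values():
                continue
            mapping[u] = h
            consistent = True
            for v, hv in mapping.items():
                if v in p_edges.get(u, ()) and hv not in h_edges.get(h, ()):
                    consistent = False  # pattern edge u->v missing in host
                if u in p_edges.get(v, ()) and h not in h_edges.get(hv, ()):
                    consistent = False  # pattern edge v->u missing in host
            if consistent:
                found = extend(i + 1, mapping)
                if found is not None:
                    return found
            del mapping[u]
        return None

    return extend(0, {})


def star(graph, node):
    """Pattern made of `node` and its direct dependencies (out-edges only)."""
    labels, edges = graph
    succs = set(edges.get(node, ()))
    return ({n: labels[n] for n in {node} | succs}, {node: succs})


def redundant_requirements(standard, baseline):
    """Map each requirement of `standard` whose star embeds in `baseline`
    to the baseline requirement it duplicates."""
    covered = {}
    for node in standard[0]:
        m = subgraph_embedding(star(standard, node), baseline)
        if m is not None:
            covered[node] = m[node]
    return covered


def minimum_baseline(standards):
    """MSB identification: merge the standards into one requirement graph,
    keeping only requirements not already covered. Returns (labels, edges,
    provenance); provenance maps a baseline node to the original requirement
    ids it stands for."""
    labels, edges, provenance = {}, {}, {}
    for std_labels, std_edges in standards:
        covered = redundant_requirements((std_labels, std_edges), (labels, edges))
        for node, target in covered.items():
            provenance[target].append(node)
        for node, label in std_labels.items():
            if node not in covered:
                labels[node], edges[node], provenance[node] = label, set(), [node]
        for node in std_labels:
            if node in covered:
                continue  # its dependency edges already exist in the baseline
            for succ in std_edges.get(node, ()):
                edges[node].add(covered.get(succ, succ))  # redirect to the duplicate's target
    return labels, edges, provenance


def verify_baseline(baseline, standard):
    """MSB verification: the whole requirement graph of `standard` must embed
    in the baseline, so none of its requirements or dependencies is lost."""
    labels, edges, _ = baseline
    return subgraph_embedding(standard, (labels, edges)) is not None


# Constructed sample standards (illustrative, not real standard text).
STANDARD_A = (
    {"A1": "access-control", "A2": "authentication", "A3": "logging"},
    {"A1": {"A2"}, "A2": set(), "A3": set()},
)
STANDARD_B = (
    {"B1": "access-control", "B2": "authentication", "B3": "encryption", "B4": "logging"},
    {"B1": {"B2"}, "B2": set(), "B3": {"B2"}, "B4": set()},
)
STANDARD_C = ({"C1": "backup"}, {"C1": set()})  # not covered by A and B

if __name__ == "__main__":
    baseline = minimum_baseline([STANDARD_A, STANDARD_B])
    for node, sources in baseline[2].items():
        print(node, baseline[0][node], "<-", ", ".join(sources))
    print("B satisfied:", verify_baseline(baseline, STANDARD_B))  # True
    print("C satisfied:", verify_baseline(baseline, STANDARD_C))  # False
```

Two caveats a practitioner should keep in mind when reading this: subgraph isomorphism is NP-complete in general, and the backtracking above is only cheap because the patterns are small stars and the host is one merged baseline; and because redundancy is decided per requirement, two requirements of the same standard with identical label and dependencies collapse onto one baseline node, which is correct only if the labels are fine-grained enough to mean "the same control".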


Reviewer 2 Report

The purpose of this paper is to devise an MSB identification and verification method in a multiple security standards environment. This is a very well-written article with experimental results, which show that it detects the minimum security baseline well. The following should be considered a bit more:


- The beginning of chapter 3 should provide more conceptual descriptions of MSB identification and verification.

- English grammar should be checked by a native speaker.

Author Response

Dear Reviewer,

 

In the name of all authors, I would first of all like to express our gratitude for dedicating your valuable time to reviewing our manuscript and providing valuable comments. We have tried to correct it as much as possible according to your suggestions. Please find below the comments and article modifications point by point.

 

Point 1: The beginning of chapter 3 should provide more conceptual descriptions of MSB identification and verification.

 

Response 1: We are grateful for this comment. The beginning of chapter 3 was amended, and a paragraph related to MSB identification and verification was added:

 

Identification of a minimum set of security requirements, i.e. of only the mandatory security standard requirements, is a challenging task. The scope of the MSB depends on the needs of the organization [55]. The objectives are chosen to be pragmatic and complete and do not impose technical means [56]. Since the MSB is a set of compulsory requirements for all systems [17] and presents a subset of information security standard requirements, the formation of such a set of sets in the case of multiple security standards becomes even more complicated. Currently, organizations solve this issue by applying risk analysis and risk management techniques, which allow them to evaluate business demands and the existing environment and to summarize the list of security requirements applicable to the organization. Unfortunately, such an approach is based on subjective factors, such as the security expert's knowledge, skills and experience. Well-known vendors, such as Microsoft [57] and Cisco [58], publish recommendations related to the configuration of their products. International associations, such as the Center of Internet Security [59], publish recommendations with a list of the most effective risk mitigation controls. However, such approaches are ad hoc and are not directly linked with existing security standards. MSB verification could be implemented in different ways, starting from expert review [18], including analysis by an information security consultant. The authors of [18] conduct an explorative expert study to derive a set of COBIT 5 processes that could serve as a basis for an Enterprise Governance of IT implementation and discuss how this approach contributes to complexity reduction. This research is based on an earlier study [19], which focused on identifying which practices (structures, processes, and relational mechanisms) an organization can leverage to ensure that IT governance becomes a reality in the organization. It is also necessary to state that both [18] and [19] concentrate on general IT management processes rather than on the security MSB. Some other approaches utilize penetration testing or specific tools such as vulnerability scanners for the identification of potential security gaps [60]. However, the use of such tools will not link the identified gaps with the applicable security standards.

 

Point 2: English grammar should be checked by a native speaker.

 

Response 2: Thank you for your comment; we appreciate it. The English grammar was reviewed and changes were made.

 

Thank you very much once again. Looking forward to your reply. Please do not hesitate to contact me if any further clarifications or corrections are needed.

 

Yours sincerely,

Dmitrij Olifer

