This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Video Game Security Framework"
From OWASP
m (→Business Strategy & Risk) |
m (→Classifications) (Tag: Visual edit) |
||
Line 110: | Line 110: | ||
== Business Strategy & Risk == | == Business Strategy & Risk == | ||
− | <br/> | + | <br /> |
The purpose of the Strategy & Risk phase in the framework is to layout a guiding path to creating and completing security related initiatives in gaming. | The purpose of the Strategy & Risk phase in the framework is to layout a guiding path to creating and completing security related initiatives in gaming. | ||
− | <br/> | + | <br /> |
'''Strategy & Risk Process''' | '''Strategy & Risk Process''' | ||
− | <br/> | + | <br /> |
:1. Establish Purpose | :1. Establish Purpose | ||
Line 122: | Line 122: | ||
:4. Plan Next steps | :4. Plan Next steps | ||
− | <br/> | + | <br /> |
'''1.Establish Purpose''' | '''1.Establish Purpose''' | ||
− | <br/> | + | <br /> |
It’s important to understand in detail the goal of the overall security strategy and how can you capture requirements to ensure this phase is properly completed. Eventually a full project plan will be created for the initiatives that emerge from this phase. Establishing how an org handles these types of projects is a key driver of success. | It’s important to understand in detail the goal of the overall security strategy and how can you capture requirements to ensure this phase is properly completed. Eventually a full project plan will be created for the initiatives that emerge from this phase. Establishing how an org handles these types of projects is a key driver of success. | ||
− | <br/> | + | <br /> |
'''''Example Questions to ask:''''' | '''''Example Questions to ask:''''' | ||
− | <br/> | + | <br /> |
'''''What''''' are the project requirements? | '''''What''''' are the project requirements? | ||
− | <br/> | + | <br /> |
:1) Detailed in Project plan | :1) Detailed in Project plan | ||
::a) May come from leadership and other areas of business | ::a) May come from leadership and other areas of business | ||
− | <br/> | + | <br /> |
'''''What''''' is the proposed approach to this project? | '''''What''''' is the proposed approach to this project? | ||
− | <br/> | + | <br /> |
:1) Methodology | :1) Methodology | ||
Line 142: | Line 142: | ||
::b) Agile | ::b) Agile | ||
− | <br/> | + | <br /> |
'''''Who''''' are the parties involved? | '''''Who''''' are the parties involved? | ||
− | <br/> | + | <br /> |
:1) Key Stake Holders | :1) Key Stake Holders | ||
Line 150: | Line 150: | ||
:3) Project Managers & Staff | :3) Project Managers & Staff | ||
− | <br/> | + | <br /> |
'''''What''''' are the Risks, Barriers & Concerns? | '''''What''''' are the Risks, Barriers & Concerns? | ||
− | <br/> | + | <br /> |
:1) Resource Availability | :1) Resource Availability | ||
Line 166: | Line 166: | ||
::b) Vendor support | ::b) Vendor support | ||
− | <br/> | + | <br /> |
'''''What''''' are the known tasks that need to be accomplished? | '''''What''''' are the known tasks that need to be accomplished? | ||
:1) Varies by project | :1) Varies by project | ||
− | <br/> | + | <br /> |
'''Triage Capabilities''' | '''Triage Capabilities''' | ||
− | <br/> | + | |
+ | <br /> | ||
Assessing the current security capabilities within a company is the next step. This will allow an organization to understand certain strengths and developing areas in their sec operations. The very detailed information from the results of the assessments are vital to the next step. | Assessing the current security capabilities within a company is the next step. This will allow an organization to understand certain strengths and developing areas in their sec operations. The very detailed information from the results of the assessments are vital to the next step. | ||
− | <br/> | + | |
+ | <br /> | ||
''Example Questions to ask:'' | ''Example Questions to ask:'' | ||
− | <br/> | + | |
+ | <br /> | ||
'''''What''''' security controls do we currently have in place? | '''''What''''' security controls do we currently have in place? | ||
Line 188: | Line 191: | ||
:5) User Security | :5) User Security | ||
− | <br/> | + | <br /> |
'''''Are''''' licensed security technologies being utilized to their fullest potential? | '''''Are''''' licensed security technologies being utilized to their fullest potential? | ||
− | <br/> | + | |
+ | <br /> | ||
'''''What''''' are the gaps in the security technologies currently used? | '''''What''''' are the gaps in the security technologies currently used? | ||
Line 196: | Line 200: | ||
:2) Cannot perform data analytics | :2) Cannot perform data analytics | ||
− | <br/> | + | <br /> |
'''Define Vision''' | '''Define Vision''' | ||
− | <br/> | + | |
+ | <br /> | ||
The vision for org security needs to be created with the overall business objectives in mind. This needs to start out very high level and can be tailored a bit more later. Understanding industry trends and being innovative allows for a better vision. | The vision for org security needs to be created with the overall business objectives in mind. This needs to start out very high level and can be tailored a bit more later. Understanding industry trends and being innovative allows for a better vision. | ||
− | <br/> | + | |
+ | <br /> | ||
Example Questions to ask: | Example Questions to ask: | ||
− | <br/> | + | |
+ | <br /> | ||
'''''What''''' do we want our security posture to look like in the future? | '''''What''''' do we want our security posture to look like in the future? | ||
Line 230: | Line 237: | ||
::c) Increased consumer trust | ::c) Increased consumer trust | ||
− | <br/> | + | <br /> |
'''''What''''' are the current threats to the organization? | '''''What''''' are the current threats to the organization? | ||
− | <br/> | + | |
+ | <br /> | ||
'''''What''''' does the org need to protect? | '''''What''''' does the org need to protect? | ||
Line 246: | Line 254: | ||
::b) Impact user privacy | ::b) Impact user privacy | ||
− | <br/> | + | <br /> |
'''Plan Next Steps''' | '''Plan Next Steps''' | ||
− | <br/> | + | |
+ | <br /> | ||
During this phase an org must create a list with the end-resulted actions necessary to get to the newly accepted vision. This list must be prioritized and grouped to form the initiatives needed for implementation. | During this phase an org must create a list with the end-resulted actions necessary to get to the newly accepted vision. This list must be prioritized and grouped to form the initiatives needed for implementation. | ||
− | <br/> | + | |
+ | <br /> | ||
''Example Questions to ask:'' | ''Example Questions to ask:'' | ||
− | <br/> | + | |
+ | <br /> | ||
'''''What''''' capabilities will achieve the defined vision from the previous step? | '''''What''''' capabilities will achieve the defined vision from the previous step? | ||
Line 260: | Line 271: | ||
:3) Technology | :3) Technology | ||
− | <br/> | + | <br /> |
'''''What''''' can be done to ensure continued maintenance on the defined vision? | '''''What''''' can be done to ensure continued maintenance on the defined vision? | ||
Revision as of 21:17, 26 April 2019