Common Questions That Come Up During TPN Assessments

Having personally conducted over 300 TPN assessments in the past six years, I have been fortunate to work with Service Providers of all sizes that cover a wide range of services. I’ve had countless  discussions about the process, the value of an assessment, and keeping content secure. Often, many of the Service Providers I assess are new to the security assessment process and are curious about the TPN assessment program, process, benefits and how it all relates to them. In this two-part blog series, I will address some of the most common questions I receive. I hope you find my answers helpful and insightful as you navigate your organization’s commitment to keeping content secure.

What are  the MPA Best Practices?

The Motion Picture Association (MPA) Content Security Best Practices are a collaborative framework of security controls developed by MPA member Studios (Amazon Studios, Apple Studios, The Walt Disney Studios, NBC Universal, Netflix, Paramount Global, Sony Pictures, Warner Bros. Discovery, Canal+) and the Trusted Partner Network (TPN). These comprehensive best practices cover various aspects of content security (digital, physical, personnel, risk management, incident response, etc.) and guide Service Providers in safeguarding content and reducing the risk of security breaches. The MPA Best Practices framework and many of the controls are mapped to other security frameworks including ISO, NIST, CSA and others.

How do the MPA Best Practices apply to me?

The MPA Best Practices apply to global Service Providers of all sizes across the entire media and entertainment supply chain – from individual contributors to large global organizations. The controls apply to everyone, yet the implementations for each vary based on the size of the company. A firewall is a good example. The price range for implementing a company-wide firewall can range from less than $1,000 to over $100,000. The MPA controls state that all Service Providers should implement a firewall, however the price each company pays will vary based on different factors whicn can include size of the organization, network infrastructure requirements, application requirements, content workflows, and speed. Similar examples include centralized logging, vulnerability scanning and penetration testing.  

What is the importance/value of a TPN assessment?

Content is ‘king’, and securing it is crucial for Service Providers and Content Owners. A TPN assessment helps Service Providers evaluate their security posture and alignment with MPA Content Security Best Practices. A TPN assessment identifies areas needing improvement. Think of it as a content security health check.

A TPN assessment also allows a Service Provider to be listed in the TPN+ portal. Content Owners (Studios) and selected Service Providers can view profiles, check for Gold or Blue Shield statuses, verify if an assessment was conducted remotely or on-site and read assessment reports if authorized. This transparency helps Service Providers showcase their security readiness and TPN status to Studios and potential partners.

Who benefits from a TPN assessment?

A TPN assessment benefits everyone involved – the Service Provider, the Content Owner, and the industry. It’s a win/win for eveyone. The TPN assessment program helps to foster trust and is a tool for organizations to demonstrate their commitment to high content security standards. For a Service Provider, a TPN assessment offers them an outside point of view based on an industry agreed upon set of security controls. Studios and Content Owners gain insight into a Service Provider’s level of security and implementation of best practices across the same set of security controls. At the end of the day its about keeping content secure through a transparent and universally recognized security standard. For any individual or organization that is working with content in the media and entertainment industry, it’s an opportunity to demonstrate their robust security preparedness.   

What is an ISMS (Information Security Management System) and does it apply to me?

An ISMS is a framework of policies, procedures, and controls designed to protect an organization’s sensitive data and information. For the media and entertainment industry, this means securing content. An ISMS is designed to protect the confidentiality, integrity and availability of data. Often overseen by management or an independent team, an ISMS should reference one or more security frameworks such as: MPA Best Practices, ISO 27001, NIST, SANS, CSA, etc. An ISMS is  a way to effectively organize all of your policies and procedures, keeping them current, and providing opportunities for continuous improvement. All Service Providers, regardless of size would benefit from an ISMS as it offers an organized approach to identify and manage risks, improves their ability to respond to security incidents, and demonstrates a commitment to keeping content secure.

I’ve never had an incident so why do I need an Incident Response Plan?

An incident response plan is a set of instructions to help organizations detect, respond to, and recover from security incidents. Whether an organization has had an incident or not, a sufficient incident response plan and playbook offers a course of action and is a proactive way to be prepared. A thorough and detailed plan will help a company control and recover from an incident quickly. It can also help reduce the impact to stakeholders affected outside the organization such as clients. It’s also crucial that everyone in an organization is trained in incident response and understands the importance of the plan. Think of it as having car insurance – protection against an accident you hope will never happen, but if it does, you are prepared.