
TPN Assessment: What You Need To Know

Source: Juan Reyes – President, Tech Align Group

Having conducted over 300 TPN assessments in the past six years, I have been fortunate to work with Service Providers of all sizes that cover a wide range of services. I’ve had countless discussions about the process, the value of an assessment, and keeping content secure. Often, many of the Service Providers I assess are new to the security assessment process and are curious about the TPN assessment program, process, benefits, and how it all relates to them. In this blog I will address some of the most common questions I receive. I hope my answers are helpful and insightful as you navigate your organization’s commitment to keeping content secure.

What are the MPA Best Practices?

The MPA Content Security Best Practices are a collaborative framework of security controls developed by MPA member Studios (Amazon Studios, Apple Studios, The Walt Disney Studios, NBC Universal, Netflix, Paramount Global, Sony Pictures, Warner Bros. Discovery, Canal+) and the TPN. These comprehensive best practices cover various aspects of content security (digital, physical, personnel, risk management, incident response, etc.) and guide Service Providers in safeguarding content and reducing the risk of security breaches. The MPA Best Practices framework and many controls are mapped to other security frameworks, including ISO, NIST, CSA, and others. 

How do the MPA Best Practices apply to me?

The MPA Best Practices apply to global Service Providers of all sizes across the entire M&E supply chain – from individual contributors to large global organizations. The controls apply to everyone, yet the implementation of each varies based on the size of the company. A firewall is a good example. The price of implementing a company-wide firewall can range from less than $1,000 to over $100,000. The MPA controls state that all Service Providers should implement a firewall; however, the price each company pays will vary based on different factors, which can include the size of the organization, network infrastructure requirements, application requirements, content workflows, and speed. Similar examples include centralized logging, vulnerability scanning, and penetration testing.

What is the importance/value of a TPN assessment?

Content is ‘king’, and securing it is crucial for Service Providers and Content Owners. A TPN assessment helps Service Providers evaluate their security posture and alignment with MPA Content Security Best Practices. A TPN assessment identifies areas needing improvement. Think of it as a content security health check.

A TPN assessment also allows a Service Provider to be listed in the TPN+ portal. Content Owners (Studios) and selected Service Providers can view profiles, check for Gold or Blue Shield statuses, verify if an assessment was conducted remotely or on-site, and read assessment reports if authorized. This transparency helps Service Providers showcase their security readiness and TPN status to Studios and potential partners.

Who benefits from a TPN assessment?

A TPN assessment benefits everyone involved – the Service Provider, the Content Owner, and the industry. It’s a win/win for everyone. The TPN assessment program helps to foster trust and is a tool for organizations to demonstrate their commitment to high content security standards. For a Service Provider, a TPN assessment offers them an outside point of view based on an industry-agreed-upon set of security controls. Studios and Content Owners gain insight into a Service Provider’s level of security and implementation of best practices across the same set of security controls. At the end of the day, it’s about keeping content secure through a transparent and universally recognized security standard. For any individual or organization that is working with content in M&E, it’s an opportunity to demonstrate their robust security preparedness.   

What is an ISMS (Information Security Management System) and does it apply to me?

An ISMS is a framework of policies, procedures, and controls designed to protect an organization’s sensitive data and information. An ISMS is designed to protect the confidentiality, integrity, and availability of data. Often overseen by management or an independent team, an ISMS should reference one or more security frameworks, such as MPA Best Practices, ISO 27001, NIST, SANS, CSA, etc. An ISMS is a way to effectively organize all of your policies and procedures, keeping them current and providing opportunities for continuous improvement. All Service Providers, regardless of size, would benefit from an ISMS as it offers an organized approach to identifying and managing risks, improves their ability to respond to security incidents, and demonstrates a commitment to keeping content secure.

I’ve never had an incident so why do I need an Incident Response Plan?

An incident response plan is a set of instructions to help organizations detect, respond to, and recover from security incidents. Whether an organization has had an incident or not, a sufficient incident response plan and playbook offer a course of action and are a proactive way to be prepared. A thorough and detailed plan will help a company control and recover from an incident quickly. It can also help reduce the impact to stakeholders affected outside the organization, such as clients. It’s also crucial that everyone in an organization is trained in incident response and understands the importance of the plan. Think of it as having car insurance – protection against an accident you hope will never happen, but if it does, you are prepared.

Do I need a security awareness training program?

We often hear about security breaches occurring as a result of human error, whether it’s clicking on a deceptive email or text, phishing schemes, or malware. Many of these situations can be avoided, especially if they are demonstrated in a security awareness training session and content security policy. Regular content security training can help prevent or anticipate incidents before they occur, ensuring that all team members understand and avoid the risks and threats associated with cyberattacks. Security awareness training helps protect an organization’s data, systems, and networks from malicious attacks and cyber threats. As the MPA Best Practices suggest, an annual training session should be implemented, with new personnel trained upon hire and training records well documented. A program to test the effectiveness of the training (e.g. a phishing campaign) is also recommended.

What is a Data I/O Network and why do I need one?

A Data I/O network is a dedicated network, or DMZ, used for the incoming and outgoing transfer of content. In this network, systems are dedicated solely for the function of transferring content and are isolated from the production, corporate, and other networks to prevent cross-network compromise. Internal content transfers are initiated by a secure production network, pushing content to the Data I/O network for outgoing transmission and pulling content from the Data I/O network after the incoming assets have been scanned for viruses. This is crucial for the security of a Service Provider’s infrastructure and the content they work on.
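The isolation and push/pull rules described above can be checked mechanically against a zone-to-zone rule set. The following is an added example, not part of the MPA Best Practices or the TPN program; the zone names, flow tuples, asset names, and scan statuses are constructed for illustration.

```python
"""Policy check for a Data I/O network (added example; zone names are assumed)."""

INTERNAL_ZONES = {"production", "corporate"}  # assumed zone labels


def audit_flows(flows):
    """Flag (initiator, destination) rules that break Data I/O isolation."""
    findings = []
    for src, dst in flows:
        if src == "data_io" and dst in INTERNAL_ZONES:
            # Data I/O hosts must never open connections into internal networks.
            findings.append((src, dst, "Data I/O initiates into an internal network"))
        elif dst == "data_io" and src in INTERNAL_ZONES and src != "production":
            # Internal transfers are initiated by the production network only.
            findings.append((src, dst, "only production may initiate to Data I/O"))
    return findings


def may_pull(asset, scan_status):
    """Production pulls an incoming asset only after a clean virus scan."""
    # Unknown, pending, or infected assets all stay in the Data I/O network.
    return scan_status.get(asset) == "clean"


# Constructed sample rule set and scan results.
SAMPLE_FLOWS = [
    ("internet", "data_io"),    # inbound delivery lands in Data I/O
    ("data_io", "internet"),    # outbound delivery leaves from Data I/O
    ("production", "data_io"),  # production pushes outgoing / pulls incoming
    ("data_io", "production"),  # violation: initiated from the wrong side
    ("corporate", "data_io"),   # violation: corporate is not the transfer path
]
SAMPLE_SCANS = {
    "reel_01.mov": "clean",
    "reel_02.mov": "pending",
    "reel_03.mov": "infected",
}

if __name__ == "__main__":
    for src, dst, why in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {src} -> {dst}: {why}")
    for asset in SAMPLE_SCANS:
        verdict = "pull allowed" if may_pull(asset, SAMPLE_SCANS) else "hold in Data I/O"
        print(f"{asset}: {verdict}")
```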

Do I need a Content Management System?

For incoming and outgoing content transfers, many Service Providers tend to rely on the email notifications they receive from the content transfer platforms they’re using. This approach is insufficient and inefficient in the long term. If an incident occurs involving the Content Owners’ assets, one of the first requests would be to review the content transfer logs. Maintaining a content management system for logging incoming and outgoing content transfers provides, at a minimum, an organized system for reviewing the logs regularly and having them available for review.

Content transfer logs maintained in a content management system are vital for maintaining the security of content transfers and identifying suspicious content transfer activity.

Is a remediation item a red flag or a bad point against me?

In the TPN+ platform, a remediation item appears red for a best practice control and orange for an additional recommendation control, highlighting opportunities for improvement. During a TPN assessment, assessors identify areas where the Service Provider may not fully align with MPA Best Practices. While the goal is to have no remediation items, this is uncommon.

After the assessment, the Service Provider must create a plan to address each remediation item and enter the details under their profile in the TPN+ portal. Once all items are addressed and documented, the Service Provider receives a Gold Shield.

Do I have to remediate all remediation items?

Organizations may follow different processes than an MPA control specifies. A Service Provider can provide remediation item details and comments in their TPN+ platform profile that explain the differences and what they’re doing to mitigate risk. For remediation items that are not closed out, Service Providers and their Studio clients will have the opportunity to discuss whether both parties are comfortable with the level of content security preparedness in place. 

Did I pass or fail?

I get this question a lot. A TPN assessment is not a pass/fail assessment. It is not based on points or scoring. The main goal for completing a TPN assessment is for a Service Provider and Content Owner to have visibility into the security preparedness of the assessed facility and how aligned they are with the MPA Best Practices. A Service Provider may have two remediation items that are high risk or five remediation items that are low risk. Completing a TPN assessment provides a Service Provider with specific details on how to better align with the MPA Best Practices.

In Closing

I look forward to continuing to work with Service Providers and Studios as a community to identify, rectify, and enhance our industry’s overall content security preparedness. I welcome your comments and questions, so please feel free to reach out at juan@techaligngroup.com