Frequently Asked Questions
What is the TPN program?
Trusted Partner Network (TPN) is a global, industry-wide content security initiative that is wholly owned by the Motion Picture Association. TPN provides programming intended to address security in various contexts and at various points in the content pipeline. These include: the MPA Content Security Best Practices, which are maintained by TPN, and establish a single benchmark of minimum security preparedness for content industries; TPN security assessments, which measure a Service Provider's current security posture against the MPA Best Practices; and TPN+, a proprietary software application and global registry of industry service providers, which enables service providers to securely and seamlessly share their security information with Content Owners.
Why was TPN built?
As the eco-system of third-party Service Providers continues to expand, the threat to the entertainment industry's most valuable asset, the content, escalates exponentially. The TPN program seeks to raise security capabilities throughout the industry, while generating cost and time efficiencies for participants.
Who should join the TPN membership?
While TPN participation is voluntary, every Company that values content security should join TPN membership and realize the significant benefits of our security reporting tools and programming, as well as becoming a part of a growing industry community dedicated to raising security standards.
What is the difference between TPN Blue and Gold Shield status?
TPN Blue Shield status indicates that a TPN member Service Provider has finished self-reporting their security information using TPN+. TPN Gold Shield status indicates that: a participating Service Provider has undergone a third-party security assessment, performed by a TPN-accredited assessor; and the resulting security report is available to Content Owners via TPN+.
What is the difference between TPN and TPN+?
Trusted Partner Network (TPN) is the name of the program. TPN+ is the name of the platform in which most program functions are performed and managed.
Does TPN certify my facility / operation?
No, TPN does not provide certifications. Instead, TPN provides service providers with a means for securely providing self-reported, and third-party validated, security information with Content Owners, in order that they may make their own independent, risk-based decision with regard to vendor sourcing and engagement.
Does TPN support international Service Providers and assessments?
Absolutely. Supporting international Service Providers is important to us, as over 70% of our membership is outside the US. As part of the TPN program, we are focused on growing the number and locations of the TPN accredited assessors so that we can continue to support both on-site and remote assessments in all time zones. Please contact us at support@ttpn.org if you have any questions about a particular region.
How is TPN working to improve security standards in the industry?
The TPN team are regularly updating the MPA Best Practices to stay current with evolving industry trends and technology evolution. We seek feedback from all stakeholders including service providers, assessors and content owners to ensure the MPA Best Practices and the subsequent TPN assessments consider all Content Security threats. Please submit your suggestions to support@ttpn.org.
Is the TPN assessment always on-site or do you accept remote assessments also?
TPN supports both on-site and remote assessments. Before scheduling a remote assessment, though, we would encourage you to communicate with your Content Owner customers regarding their expectations. In many cases, these companies require on-site assessment for service providers working on sensitive content, assets or workflows.
What are the benefits for Service Providers who join the TPN program?
TPN membership provides Service Providers with a number of significant benefits including: reducing the number of annual security assessments from multiple Content Owners; centralized and standardized communication with all member Content Owners; ability to manage entire company security status in the TPN+ platform, including owned and licensed applications; ability to share non-TPN security certificates such as ISO or SOC2; ability to self-report security status per site or application to earn a TPN Blue Shield; ability to undergo a 3rd party TPN assessment per site or application to achieve a TPN Gold Shield; visibility for your Company in the TPN+ Company and/or Application registry; ability to view other Service Providers' TPN status in the TPN+ registry including access to various application hardening guidelines; and ability to access all of the foregoing benefits in respect of wholly-owned subsidiary companies.
What are the benefits for Software Companies who join the TPN program?
In addition to the general Service Provider membership benefits listed above, software companies can share security information regarding different software versions and applications in the TPN+ platform and share hardening guidelines through the TPN+ Application registry. If a TPN member uses your application, they can indicate that they do so on their profile, and the relevant application's security status(es) (as well as your Blue or Gold TPN Shield) will be exhibited there. This enables software companies to share security information with their customers, as well as content owners that rely upon the security of these applications when making sourcing decisions.
What are the benefits for Content Owners in the TPN program?
TPN participation provides Content Owners with a centralized, global database of business-critical security information regarding service and software providers working in content industries, including: information regarding services and sites owned, as well as owned or licensed software applications; security assessment reports performed by qualified third-party assessors; visibility to service providers' ISO, SOC2, and non-TPN security certifications; and access to other information supporting multi-tiered decision making based on different content and risk profiles. As such, a Content Owner's participation in TPN can create cost efficiencies -- through reduced need to perform your own, internal assessments of service providers -- and increase your access to security information, and, thereby, your ability to manage security risks.
How do Content Owners use the TPN program?
Each Content Owner independently decides which Service Providers they will award work to depending on project specifics and their own risk-based strategies. The TPN program provides information that the Content Owners use, along with other independent, risk-based factors, to determine whether a Service Provider is suitable based on a number of factors, including the Service Provider's security posture.
Will Content Owners still be conducting their own assessments?
TPN is expected to greatly reduce the number of content owner initiated assessments. Content Owner assessments may continue to be required on an "as-needed" basis, but it is expected they will be additive and not duplicative to the TPN assessment.
Who has to pay a membership fee?
All users of the TPN+ platform pay an annual membership fee, including Content Owners and Service Providers. Please visit the Membership page on the TPN website to view membership tiers for both Content Owners and Service Providers.
What does TPN membership include for Service Providers?
Membership benefits include: placement in TPN+'s global registry of service and software providers; the ability to seamlessly and securely share information regarding your security, including by self-reporting your security posture in relation to the MPA Best Practices, uploading information regarding third-party security certifications, and uploading an unlimited number of documents, such as legacy TPN assessments, white papers, process maps; access for an unlimited number of users on the TPN+ platform; access to (and the ability to create a profile in) TPN+ for all wholly owned subsidiary companies; unlimited registration of services, sites, owned and/or licensed applications; the ability to request and undergo a TPN security assessment administered by a 3rd party TPN accredited assessor; and the ability to self-manage remediation status.
What does TPN membership include for Content Owners?
Membership benefits include: access to TPN+ for an unlimited number of users; the ability to view Service Providers' profiles, including completed security questionnaires, published TPN security assessment reports, remediation items and any self-reported security information; access to legacy security assessment reports; and the ability to download copies of published assessment reports, as needed. Gold level members also participate in feedback and provide input to the TPN strategy and roadmap, and have access to basic TPN data for the purposes of importing to their own security databases.
How can I join the TPN membership?
For Service Providers, please click on the "NEW SERVICE PROVIDER?" button located at the top of every page on this website and you will be taken to a sign up page. Content Owners should email support@ttpn.org. Once you have created your TPN+ account, you will see a prompt at the top of the screen in TPN+ to sign the membership agreement, which triggers the annual fee invoice.
When does my annual TPN membership begin?
Your annual TPN membership begins upon full execution of the TPN membership agreement.
How much does it cost to join TPN?
Please visit the Membership page on this website to view Content Owner and Service Provider membership tiers.
Who will see our membership levels? We do not want to share our annual gross revenue information.
Your membership level and associated annual gross revenue tier is strictly confidential and is only visible to TPN and will not be shared.
What do you consider annual gross revenue? My company is involved in many activities not related to content.
We define annual gross revenue as the gross revenue of your company and its wholly-owned subsidiaries that is related to media and entertainment for the prior year. For more details, please email support@ttpn.org and request a copy of the membership agreement.
I work for a large Company that has multiple subsidiary Companies. How does this work?
Your annual TPN membership tier and fee will include any wholly owned subsidiary Companies. Please be sure to list all of your wholly-owned subsidiaries when completing your TPN membership agreement.
What happens if we acquire a Company? Can we fold them into our existing TPN membership?
Yes, you can complete an addendum to your existing TPN membership agreement to add additional wholly-owned Subsidiaries.
What happens if the Company we acquire is already a TPN member?
You will need to complete an addendum to your existing TPN membership agreement to add the new wholly-owned Subsidiary. The Company that you acquired will not need to renew their TPN membership when it expires.
Does TPN check our annual gross revenue?
TPN reserves the right to research your annual gross revenue. Please also note that in the membership agreement, you represent and warrant that the annual gross revenue reported to TPN is complete, accurate and not misleading.
Is there a user guide for TPN+?
Yes, you can find a comprehensive "how to guide" on our website under the "Links & Resources" page.
How do I get my Company details published in the TPN+ Company registry and visible to the member Content Owners?
Upon payment of the TPN annual membership fee, your details are visible in the TPN+ Company (and Application if applicable) registry and to Content Owners.
Can I start to complete my profile and TPN questionnaire before I pay the membership fee?
Yes, we have designed the TPN process to remove as many bottlenecks as possible. For this reason, you are able to create a TPN+ account, complete your profile and complete a TPN Best Practices questionnaire for your sites and/or owned applications ahead of signing the TPN membership agreement and paying the annual fee. Please note that you cannot use the TPN Blue Shield, and your information will not be visible in TPN+, until you have completed the TPN Best Practices questionnaire and paid the annual membership fee.
How many questions are in the TPN Best Practices assessment questionnaire?
Although the number fluctuates as we regularly update the MPA Best Practices to stay current with industry changes, in version 5.2 there are currently 11 baseline questions that are used to scope the questions in your TPN site or application assessment. The maximum number of starting questions is 73. The TPN+ platform applies logic based on your answers, and may or may not ask you a subsequent question depending on how you answered the initial question. The total maximum number of questions is 147. We have also matched our MPA Best Practices to ISO, so if you upload a current, valid ISO certificate, many of your answers will be automatically pre-populated.
Who can see my TPN Best Practice Questionnaire answers?
Your answers are only visible to: participating Content Owners; and your selected accredited assessor, if you choose to obtain a TPN assessment.
I’ve created my TPN+ account. What’s next?
After you have created your TPN+ account, you can set up your profile by adding services, sites and owned and/or licensed applications. You can also add non-TPN security certificates and use the Document section to share any legacy TPN assessments or other information you would like the content owners to be aware of. Once complete, you can start to answer the TPN baseline and Best Practice questionnaire. Once complete and submitted, you may schedule your 3rd party TPN assessment. You can also reference the process map on the Membership page of the ttpn.org website for a full workflow overview.
Does TPN+ apply a watermark to any documents downloaded from my TPN+ profile?
TPN+ applies a watermark to any TPN Gold assessment report created on the platform. Any other document uploaded to TPN+ will not be watermarked. (Please note that all legacy TPN assessments are watermarked if downloaded from the TPN Box repository.)
Does my annual TPN membership include the 3rd party assessment cost?
No, TPN membership does not include the third-party assessment cost. This cost is wholly controlled by the 3rd party assessors. We do recommend that you request at least 3 bids from different TPN assessors to ensure competitive pricing.
How do I achieve the TPN Blue Shield?
Once you have completed the self-reported TPN Best Practices questionnaire for a site or application and clicked the submit button, you have earned the TPN Blue Shield. An image of the TPN Blue Shield can be downloaded and used as outlined in the Membership Agreement once you have paid the annual TPN membership fee.
How long can I use the TPN Blue Shield?
If you wish to maintain Blue Shield status and the right to use the TPN Blue Shield, TPN requires that the self-reported TPN Best Practices questionnaire is updated on an annual basis. (Please note that your TPN+ shield status is automatically updated upon expiration, and the TPN Blue Shield will no longer be displayed on your profile.)
How do I achieve the TPN Gold Shield?
Once the selected TPN-accredited assessor has completed your assessment, TPN has reviewed and published the final report, and you have entered your remediation plans (if applicable), you will have earned the TPN Gold Shield and it will be available for you to download in your TPN+ profile.
How long can I use the TPN Gold Shield?
If you wish to maintain Gold Status and the right to use the TPN Gold Shield, you must receive a TPN security assessment at least once every two years. (Please note that your TPN+ shield status is automatically updated upon expiration, and the TPN+ Gold Shield will no longer be displayed on your profile.)
I have multiple sites. How can I avoid filling out a TPN questionnaire for every site?
For those Companies with more than 5 sites or apps with the same security implementation, TPN offers a "Global Pass" process. Please contact us for details at support@ttpn.org.
If I have multiple facilities or locations how do I get assessment(s)?
You must list the service and the associated sites and applications in your TPN+ profile, and complete the TPN Best Practices Questionnaire for the site and/or application before you can schedule an assessment in respect of it. Contact us about a "Global Pass" if you have more than 5 sites or apps with the same security implementation at support@ttpn.org. When you select your TPN assessor to assign the assessment request, you may also multi-select sites and apps. Note that each site and/or application will require the assessor to complete a separate assessment.
How long does a 3rd party TPN assessment take?
TPN Assessments are (generally) to be completed within 15 business days of their start date (e.g., the date the Assessor accepted the assessment). This timeline includes the pre-assessment phase when the Assessor and Service Provider are reviewing the TPN questionnaire responses and reviewing evidence, and the assessment phase when the Assessor is updating status and findings in the TPN+ platform.
What happens if an assessment takes longer than 15 business days?
Please contact TPN to request an extension or explain the delay. TPN will consider each situation on a case-by-case basis. The TPN Assessor scoring considers the timeliness of the assessment, so all exceptions must be well understood and documented.
How do I know if my TPN Questionnaire answers are meeting the MPA Best Practices? Do I need to pay for an assessment to know my security status?
The TPN+ platform logic will capture your self-reported answers and indicate by color whether you are fully compliant with the MPA Best Practice. This information is available to you as self-report so you are aware of your status before incurring cost for a 3rd party assessment. Remediation is not required at the TPN Blue Shield level.
What happens if I don’t want to share all evidence on the TPN+ platform due to confidentiality concerns?
Due to confidentiality, evidence shared on TPN+ is not visible to Content Owners. Alternatively, you may share the evidence directly with your assigned TPN accredited 3rd party assessor if you prefer.
How do I prepare for an assessment?
We recommend that you download a copy of the most current MPA Best Practices found on the TPN website under the "Links & Resources" and our home page to determine your current compliance and gaps in advance of completing the TPN Best Practices questionnaire upon which the 3rd party assessment will be based.
Can I “fail” a TPN assessment?
TPN assessments do not provide “pass/fail” grades, certifications, or ratings. TPN assessments provide Content Owners with information about a site or application's conformance with the MPA Content Security Best Practices at the time of the assessment. Aspects of security not fully in conformance with the Best Practices will be listed as remediation items. Content Owners use this information to make their own independent risk-based decisions.
What happens if, in a TPN Assessment, aspects of my security are found to fall short of the MPA Best Practices?
After the TPN assessment is complete and published, those items that are not fully compliant with MPA Best Practices are listed as remediation items (both Best Practices and Additional Recommendations) in the assessment report. In order to obtain their Gold Shield, the Service Provider is required to submit a remediation plan that includes a description of whether the non-conforming controls have already been remediated; whether they will be remediated; and the planned date of remediation (if applicable). All TPN Content Owner members will have the ability to view the remediation items and Service Provider remediation plans, and TPN Gold Content Owner members are able to indicate that the remediation item is a priority, if needed.
How long do I have to handle any remediation items?
To be awarded the Gold Shield, the Service Providers must provide an update for each remediation item. If you are unable to provide full remediation, you can select "will remediate later" and provide comments and an ETA. You are encouraged to update remediation items within 3 business days of assessment completion.
Who gets to see my TPN Assessment Report?
Content Owners are able to view your site or application final assessment report via the TPN+ platform, and can also download a watermarked copy.
Who pays for the TPN assessment?
In most cases Service Providers are responsible for Assessment fees.
What’s different in TPN for Applications vs Sites?
Software providers will be visible in the TPN+ Company registry alongside every other Service Provider. However there is also a separate TPN+ Application registry which is visible to all TPN members, and is searchable by Company and Application name, by service category and also whether or not hardening guidelines are available. The TPN+ Application registry also displays version information and a link to download associated hardening guidelines.
Why has TPN now included Software Applications?
With the accelerated move to cloud workflows during the pandemic, TPN re-published the MPA Best Practices v5.1 in October 2022 to include application and cloud security issues. Given the shift away from centralized onsite work, a detailed understanding of the full on-prem and cloud technology stack is necessary for purchasers to gain a serious understanding of security risks and issues. The TPN program and TPN+ profiles now request that Service Providers report security status for services, locations and owned and/or licensed applications. If a Service Provider lists a 3rd party licensed application that has been through a TPN Gold assessment, then that Service Provider will be able to see the TPN Gold (or Blue if self-reported) Shield in their TPN+ profile and the TPN+ Application Registry.
How do TPN assessments work for Applications?
If a Service Provider owns their own software application, they may obtain a TPN assessment by answering the TPN Best Practices questionnaire on TPN+ and then proceeding on the platform to request an assessment.
If I own an application and undergo a TPN assessment, who sees my TPN Blue or Gold Shield?
Once you pay your TPN membership fee, your TPN Blue or Gold Shield will be visible in the TPN+ Company and Application registry and to Content Owners. In addition, your TPN shield status will also be visible to any Service Provider who has listed your application as a licensed product. In their TPN+ profile, your TPN Blue or Gold Shield will be visible against your application so your Service Provider customers are also aware of your TPN security status.
What should I do if I license an Application but don’t own it?
In your TPN+ profile, you are able to add both in-house developed and 3rd party licensed software applications. If you only license from 3rd party software providers then you would list those software applications by clicking the "+ 3rd party licensed application" button.
How are you handling Application Hardening Guidelines?
The owners of the software applications are able to upload hardening guidelines by version. These guidelines are visible and available for download in the TPN+ Application registry.
How are you handling Application versions?
TPN provides the ability for the owners of software applications to list all versions available. If a Service Provider licenses and lists your application in TPN+, they can select from the list of versions you provided and, if one is missing, request that it be added. In this instance, TPN will work with you to manage the request.
How are versions handled if the Application is only available as a licensed product on TPN+ (e.g., the application owner is not a TPN member)?
The first Service Provider to list a licensed 3rd party application can add the version that they are using. Subsequent Service Providers who wish to list the same application can select from the registry created by the first Service Provider, or add the version that they are using if different.
What happens if Applications are listed as licensed, but then the owner of the Application joins the TPN membership?
TPN will work with the application owner to move the TPN+ data associated with their in-house developed application to their new TPN+ profile. The Service Providers who listed the application as licensed will continue to show the application on their TPN+ profiles, but all versions, TPN security status and hardening guidelines will be managed by the Application owner going forward.
Who are the TPN assessors?
Individual third-party TPN Assessor candidates undergo a stringent review and approval process to be accepted into the TPN program as an accredited Site and/or Cloud Assessor. A TPN Assessor registry representing all current Assessors is available at http://www.ttpn.org/assessors/. Service providers can select from the list of accredited TPN Assessors based on their individual assessment needs.
How does a Service Provider select a TPN assessor to do their assessment?
Service Providers are directed to the Assessor Directory on the ttpn.org website, and are encouraged to request bids from 3 separate assessors to ensure competitive pricing. Service Providers are also encouraged to reach out to TPN assessors to negotiate pricing and timing as they are setting up their TPN+ profile and answering the TPN Best Practices questionnaire, so the assessment can start swiftly.
I see that TPN Assessors are labeled TPN Assessor or Advanced TPN Assessor. What does this mean?
Each Assessor receives one of these two designations based on their years of audit and media and entertainment experience, as well as the number of TPN assessments performed and how well they were executed. The Advanced TPN Assessor designation is provided to those Assessors that have more experience and whose performance is determined to be of higher quality (based on our rubric); all other Assessors that meet basic program standards receive the "TPN Assessor" designation. TPN reviews each Assessor's overall performance on a bi-annual basis and adjusts the level accordingly. Please refer to the Assessor page on www.ttpn.org for each Assessor's current level.
If Advanced TPN Assessors are the most experienced and highest performers, will TPN Assessors ever get any assessments?
It is possible that Advanced TPN Assessors may be engaged for more complex, high security assessments and TPN Assessors will be engaged for less complex, post-release content assessments. Service Providers must make their own independent hiring decisions based on pricing, skill level, experience, and other appropriate factors. TPN does not assign assessments or have any involvement in pricing. TPN accredited Assessors are solely responsible for their own customer outreach, pricing, sales and marketing.
How long does it take to do a TPN assessment?
TPN requires each site or application assessment be submitted within 15 business days. This timeline includes the pre-assessment phase when the Assessor and Service Provider are reviewing the TPN questionnaire responses and evidence, and the assessment phase when the Assessor is updating status and findings in the TPN+ platform.
What happens if an assessment takes longer than 15 business days?
Please contact TPN to request an extension or explain the delay. TPN will consider each situation on a case-by-case basis. The TPN Assessor scoring is based partially on the SLA, so all exceptions must be well understood and documented.
What are the criteria for becoming a TPN Assessor?
A TPN assessor applicant must have Media & Entertainment experience, plus a valid security certification for site and/or cloud. These certification(s) must be issued from a valid and legitimate certification body that conducts an examination and application process. Please see the Assessors section of our website for more details including an Assessor Qualifications document.
How do I become a TPN qualified assessor?
Please click on the "NEW ASSESSOR?" button located at the top of every page of this website and you will be taken to a sign up page. You will be asked to provide information regarding your education, credentials and experience, and this information will be verified by TPN and a 3rd party Company. If your information is verified and you are found to meet TPN's credentialing requirements, you may become a TPN accredited assessor upon paying the applicable fees.
What is the cost of applying to be a TPN Assessor?
A one-time non-refundable application fee of $150 must be paid in order to apply to the program. This fee defrays the costs of reference and certification checks. If you meet the criteria and wish to proceed with accreditation, an additional $500 accreditation fee must be paid. This fee is valid for two years and covers any security certifications (e.g., Site, Cloud) that you choose to obtain during that period.
Can current Site Assessors also apply as Cloud Assessors?
Yes, current Site Assessors can apply to become Cloud Assessors and are encouraged to do so. It is anticipated that some service providers will have workflows in the cloud and on-prem, for which TPN will require Assessors who are qualified for both Site and Cloud.
If a current TPN Site Assessor applies to also do Cloud, do they also have to pay the $150 application fee and another membership fee?
Current TPN Site Assessors will have to pay the one-time non-refundable $150 application fee to apply as Cloud Assessors. However, they will not have to pay another membership fee. In the event that an Assessor qualifies for both Site and Cloud, the $500 membership fee will cover both categories.
Can TPN Cloud Assessors also perform Site Assessments?
Cloud Assessors who have also been accredited by TPN to be Site Assessors can perform these assessments. However, they must first apply and qualify as a Site Assessor.
Can applicants who don’t meet the qualification criteria for Cloud and/or Site Assessors re-apply at any time?
Yes. Applicants are not restricted from re-applying and can do so at any time, but each time the applicant applies, they will need to pay the non-refundable $150 application fee.
How soon will applicants know if they qualified as Cloud and/or Site Assessors once they submit their application?
Once the receipt of the candidate’s application has been confirmed, TPN will review the application and verify the experience and certifications of the applicant. Once this is completed, TPN will inform the candidate of the results.
What are the possible results of the Assessor application process?
There are only two possible results from the Assessor application process as follows:
1) Candidate meets the criteria to qualify as a Site and/or Cloud Assessor, or Hybrid in the event the candidate qualifies for both.
2) Candidate does not meet the criteria to qualify as a Site, Cloud, or Hybrid Assessor.
Will certifications that are not on the list of examples be accepted?
TPN can’t guarantee that certifications not listed in Appendix A of the TPN Assessor Qualification and Renew Criteria document will be accepted. TPN will, however, continue to review all certifications submitted, and will add new ones if they meet the criteria.
What happens if an Assessor’s certification expires during the two-year TPN membership?
All Assessors will need to maintain the certifications they used to qualify as a TPN Assessor for Site and Cloud during the TPN two-year membership. If an Assessor allows a certification to expire within the two-year TPN membership term, the Assessor will not be permitted to perform TPN Assessments until a renewed certificate is provided. Please note that TPN will be tracking all certification expiration dates.
How does an accredited TPN assessor get assigned work?
TPN does not assign work to accredited TPN assessors. Each assessor is responsible for outreach, sales and marketing to potential TPN members.
Can an assessor perform consulting roles for TPN Service Providers?
In addition to performing assessments as an accredited TPN Assessor, TPN Assessors may also perform consultative roles for Service Providers to assist them with their security efforts and processes, subject to the following rules:
- Accredited TPN Assessors may perform consulting, advising, and remediation planning services if they have NOT been the assigned Assessor for the site or application being assessed within two years of the assessment publication date, including the current assessment.
- Accredited TPN Assessors may perform technical testing (e.g., Penetration Testing, Vulnerability Scanning, Code Review, etc.) if they are NOT currently the assigned Assessor for the site or application being assessed, but they may perform technical testing BEFORE or AFTER the assessment has been completed.
- Assessor company (i.e., same company or different companies) does not affect the above rules.
Why has TPN now included Software Applications?
With the accelerated move to cloud workflows during the pandemic, TPN published the MPA Best Practices v5.1 in October 2022, which includes application/cloud security issues. Given the shift away from centralized onsite work, a detailed understanding of the full on-prem and cloud technology stack is necessary for purchasers to gain a serious understanding of security risks and issues. The TPN program and TPN+ profiles now request that Service Providers report security status for services, locations and owned and/or licensed applications.
Why were the MPA Content Security Best Practices updated?
TPN launched in 2018 to provide site assessments. With the Covid lockdown, many of those sites were closed and workflows moved to the cloud. As a result, TPN needed to update its baseline security framework, the MPA Content Security Best Practices, to include application and cloud security issues. During the re-write process, we sought input from Studios and Service Providers, significantly reduced the number of Best Practices, and re-published in a more user-friendly Excel format that also includes control mapping to ISO, NIST, AICPA and CSA's CCM. Going forward, we have also introduced a feedback channel for all TPN stakeholders, via the "Need Support?" button in TPN+ or by email to support@ttpn.org. This feedback is regularly reviewed and, where appropriate, included in annual updates to the MPA Best Practices.
Why is there a new portal/platform (TPN+)?
The legacy TPN portal was originally created by one of the MPA member studios and was better suited to studio content security management than to a program such as TPN, where we need to manage customers, payment, contracts and so on. In 2022 Q2 we issued an RFP that included buy and build options. Based on speed to launch and cost, we decided that our needs were so bespoke that it was better to build custom software than to buy and try to adapt our business requirements. TPN+ is our new platform, which launched in Feb 2023.
Why do I now need to pay an annual membership fee?
While TPN is operated on a not-for-profit basis, it needs to be able to cover its (not insignificant) operational and technology costs. Under our original financial model, these costs were primarily recovered via a 20% administrative fee that TPN applied to each TPN assessment. We changed this policy for two reasons. First, we made the decision that all companies who benefit from the standardized and centralized information made available by TPN should contribute to the program, including Content Owners. Second, as we added Application/Cloud to TPN assessments, the cost of assessments increased significantly, and it was no longer fair or sensible to charge a 20% fee on assessments that could cost as much as $70k. To address these points, we moved to an annual membership fee based on annual gross revenue for Service Providers and TPN+ functionality and roadmap participation for Content Owners.
Why did the TPN Gold assessment cadence move from one to two years?
Annual TPN assessments are costly and time-consuming. By introducing the new TPN Blue self-reported status on an annual basis, TPN and its member Studios agreed that as long as Service Providers were actively reporting their security status on an annual basis and there were no major changes year to year, then a 3rd party assessment every two years could be acceptable. Note that the two-year Gold cadence is TPN's recommendation only: in the event your Company reports a major change or takes on higher security content, an individual Content Owner may request a 3rd party assessment on a more frequent basis.
How does the cadence work between TPN Blue and Gold?
Completion of the TPN Blue self-reported Best Practices questionnaire is the pre-requisite to completing a TPN Gold 3rd party assessment. The TPN Blue self-reported Best Practices questionnaire must be updated on an annual basis, which gives the Content Owners visibility to anything that might have changed in the last year. If nothing substantial has changed, the TPN Gold 3rd party assessment remains valid for two years. Please note that if your annual update to the Blue TPN questionnaire includes a major change, a Content Owner may require you to accelerate your next TPN Gold assessment.
I went through the TPN assessment before the TPN program was updated. What does this mean for me?
The legacy TPN portal that you used previously is not connected to the new TPN+ platform and has now been decommissioned. Your legacy TPN assessment report and remediation items are currently available in the TPN Box repository. Please email support@ttpn.org if you wish to receive a copy. If you wish to join the new TPN membership to continue with your TPN reassessment, please click the "New Service Provider" button at the top of the ttpn.org website to create a new account on the TPN+ platform. From there you will be guided to sign the TPN membership agreement, pay the annual fee and start to fill out your profile and TPN Best Practices Questionnaire. Note that you cannot schedule a TPN assessment until you have completed these steps.
Why did you introduce the different levels for Assessors?
It is critical that the TPN assessments are high quality, thorough and complete. We introduced the different Assessor Levels to give the market more information regarding each Assessor's past performance and level of experience.
What is the OTTP/TOTP and MS Authenticator/QR code process?
You will be asked to supply an OTTP (one-time temporary password) and you will be presented with a QR code. To complete this step, you will need to download the Microsoft Authenticator application on your smartphone. Microsoft Authenticator is used to store and display your multi-factor authentication one-time password. To download and set up your Microsoft Authenticator application, please follow the steps below:
1. Download Microsoft Authenticator Application.
- iPhone
- Android
2. Open Application.
3. Click “+” symbol in upper right corner.
- Select Other (Google, Facebook)
4. Point your camera at the QR code.
5. Your new account should appear in your Authenticator app.
6. Use the one-time code to sign in to the TPN+ Platform. Please note that this code changes every 30 seconds, and each new login attempt will require you to supply a new code.
When does my TPN membership start and when will I be invoiced?
Your annual membership will start on the date that your TPN membership agreement is fully executed. You will be invoiced early the following week. Payment options include ACH transfer, wire transfer, or PayPal.
I don’t know how to get started with TPN membership or an assessment
For all other questions not covered in these FAQs, please use our "how-to guide" available on the ttpn.org links and resources page, contact us at support@ttpn.org, or click the "need support" button in TPN+ to raise a ticket.