MPA Content Security Best Practices Version 5.0: Objectives and Methodology
INTRODUCTION
The purpose of this document is to outline the objectives and methodology used to develop the MPA Content
Security Best Practices Version 5.0 to meet the industry’s evolving security needs, address industry-specific
challenges and provide clear information for all stakeholders involved in Content Security.
The Media and Entertainment industry, including Production and Marketing, has challenges that some other
industries don’t typically face. Decision-making often requires information quickly to make critical decisions.
Volumes are often large and need to be managed accordingly. Service Providers vary in size and scope, from
individual contributors to multi-million-dollar companies. Technological advancements require rapid evaluation
and adoption. Throughout it all, security continues to be of utmost importance. TPN understands the distinct
challenges and the importance of enabling the Content Owners freedom throughout the creative process, while
also balancing the need for Content Security.
DELIVERABLES AND OUTCOME
The MPA Content Security Best Practices v5.0 are published with 64 Best Practices and Implementation Guidance,
including the following updates and additions:
• Best Practices, including Application and Cloud
• Implementation Guidance, including Application and Cloud
• Definitions for Best Practices and Implementation Guidance
• Security Domains
• Security Topics
• Site vs Cloud Identifier
• Control Framework Mapping
• Glossary
DECISION-MAKING PROCESS
TPN received feedback from a sizable cross-section of Content Owners, Service Providers, and Assessment
Companies. We reviewed every single comment and question and understandably, perspectives were wideranging, and opinions were strong. For example, some felt the same Best Practice should be a requirement, while
others felt the Best Practice could never be met, due to particular business reasons. Similarly, some felt a Best
Practice or Implementation Guidance were not prescriptive enough, while others felt they were too prescriptive.
Ultimately, TPN weighed all feedback to meet the greatest need across the wide variety of Service Provider types,
as well as meet the security needs of the industry.
BACKGROUND
For more than three decades, the MPA has managed Content Security assessments on behalf of its member
companies: Netflix Studios, LLC; Paramount Pictures Corporation; Sony Pictures Entertainment Inc.; Universal City
Studios LLC; Walt Disney Studios Motion Pictures; and Warner Bros. Discovery Inc. Assessments were performed
using a standardized set of MPA Site Best Practices and Common Guidelines. In 2018, the MPA and Content
Delivery and Security Association (CDSA) created the TPN and in 2021, TPN became wholly owned by MPA.
TPN is a global, industry-wide program created to unite the Media and Entertainment community, comprised of
Content Owners, Service Providers, and Assessors, to avoid leaks, breaches and hacks of its most prized asset, its
content. Content assets can include media such as video, audio, storyboards, or photos as well as other types of
assets such as scripts, subtitles, budgets, and contracts. TPN and its members, define the MPA Content Security
Best Practices for use by the industry, and to increase security awareness, preparedness, and capabilities to secure
content throughout the content lifecycle. The MPA Best Practices establish a single benchmark of minimumsecurity preparedness for all Service Providers. In turn, TPN runs an assessment program against the Best Practices
to determine a Service Provider’s security status. By creating a single, global directory of “trusted partner” Service
Providers and their security status, Content Owners can make independent, risk-based business decisions more
easily.
Now that the Media and Entertainment industry has transitioned to cloud-based applications, supply chains and
workflows and the MPA Content Security Best Practices have been updated in response to the rapid growth in
multi-layered hybrid and cloud-native supply chains and workflows.
STAKEHOLDER COMMUNITY
Content Owners are organizations that produce, manage, license, and/or distributes content. The Content Owner
is ultimately responsible for maintaining the content’s security during its lifecycle including prior to its intended
initial release. Content Owners have unique risk profiles, that can be enterprise-wide, or by specific business line,
process/workflow, project/title, or asset type.
Service Providers are a critical part of the content creation and distribution supply chain ecosystem that require
standardized Content Security Best Practices and an efficient security assessment process that is consistent across
the industry.
Assessors are TPN-accredited individuals who perform site and cloud assessments of a Service Providers’ security
preparedness measured against MPA Best Practices and capture findings. They are responsible for gathering
information, validating evidence, and providing an assessment of a Service Provider’s security status.
OBJECTIVES
Quality is Key
• Maintain highest quality standards to provide a single benchmark of minimum-security preparedness.
Plan for Variability
• Create a framework that accommodates multiple stakeholder perspectives and varied processes, technologies,
infrastructures, workflows, and content types.
Simplify When Possible
• Provide clear, concise, practical, and comprehensive Best Practices that are easy to understand and implement.
Flexibility Matters
• Create a structure that can consider and continue to grow with industry evolution.
METHODOLOGY
The MPA Site Best Practices and Common Guidelines v4.10 include 263 Best Practices. They were developed for
site-based Service Provider assessments, and specifically targeted post-production facilities and workflows. Over
time, some cloud and work-from-home Best Practices were added. The TPN team also received 111 proposed
Application and Cloud controls from a third-party assessment company, Convergent Risks.
The following details the strategy and approach deployed during the creation of v5.0 with reference to the above
outlined objectives.
1. Consider Multiple Perspectives
We partnered with the Cloud Security Alliance (CSA) to receive feedback from their internal subject matter
experts. Using Convergent Risks’ proposed App/Cloud controls, we launched a pilot Cloud assessment program to
seek feedback from a representative sample of Service Providers in the industry. Each Service Provider was invited
to provide feedback to TPN on the App/Cloud controls for TPN’s consideration.
Upon completion of the v5.0 first draft, we solicited feedback from over 20 industry organizations, including
industry assessment Companies Convergent Risks, International Security Evaluators (ISE), [re]Design and Richey
May.
All MPA members as well as other Content Owners provided detailed feedback to TPN also.
2. Ensure Relevancy
With the addition of Application and Cloud Security, TPN took the opportunity to review every Best Practice to
determine if it was still relevant to current workflows, security requirements, and today’s technology and
infrastructure. We asked ourselves “Does the Best Practice help address today’s threat landscape? If so, should it
be expanded, be more specific to help clarify, or be re-written to specify the security requirement?” If it did not
meet these requirements, the Best Practice was either removed or consolidated with other related and relevant
Best Practices.
3. Focus on Security
TPN’s intent with developing the Best Practices was to help Service Providers secure content. We mapped the MPA
Content Security Best Practices v5.0 against industry recognized security frameworks, including AICPA TSC 2017,
CSA CCM v4.0.3, ISO 27002-2022, and NIST 800-53 Rev. 5. This provided more structure and strengthened
standardization.
Through our process, we also identified several Best Practices in v4.10 that were a part of managing the business
(e.g., segregating replication lines) and did not focus on security. As a result, we removed these Best Practices,
while updating others to better focus on our objectives.
4. Provide Clarity
During this process, we received feedback from TPN community members, and the most common was, “What is
the difference between a Best Practice and an Implementation Guidance?”. To help answer this question, TPN
developed the following definitions:
• Best Practice: Minimum requirements where all components need to be fully met to fulfill the overall Best
Practice.
• Implementation Guidance: Supplemental recommendations for Best Practices implementation. These are not
requirements.
5. Reduce Redundancy
TPN recognized that the MPA Site Best Practices and Common Guidelines v4.10 included the same questions in
multiple areas. Not only did these repetitive questions create fatigue during the assessment process, but they did
not provide additional value. Whenever and wherever possible, TPN grouped related Best Practices and
Implementation Guidance to remove duplicative questions.
6. Recognize Differences
To accommodate different service types, organization size, locations, and business requirements, the cadence of
reviews and updates were changed from specific timelines (e.g., quarterly, or annually), to “regularly as
appropriate”. It is now the responsibility of the Assessor to capture the scope and cadence with the Service
Provider, and for the Content Owner to determine the cadence needed to meet the security needs of their risk
profile.
7. Site vs Cloud
Many workflows today are a hybrid of both Site and Cloud. It was critically important to integrate the new Cloud
Security Best Practices with the existing MPA Site Best Practices and Common Guidelines. The updated MPA
Content Security Best Practices v5.0 now specify either “Site only”, “Cloud only”, or both “Hybrid (both Site and
Cloud”. The “Hybrid” classification allows for a question to be asked once, answered once, and applied to both Site
and Cloud.
8. Domains and Topics
TPN reviewed v4.10 Security Domains, Security Areas, and Security Topics. For v5.0, we updated the Security
Domains to better reflect the intended objectives of the Best Practices and Implementation Guidance and to
support the addition of Application and Cloud Security. See table below, sorted in alphabetical order.
During review, TPN deemed the Security Area layer as unnecessary, and it was removed.
The v4.10 Security Topics numbered 47 in total and were overly complicated. We streamlined the v5.0 Security
Topics to 12 which greatly simplifies the assessment process.
9. Glossary
As the scope of the MPA Content Security Best Practices v5.0 expanded to include Application and Cloud and the
evolution of industry terms and technology continues, the Glossary was updated accordingly. The Glossary now
contains key terms commonly used in the Media and Entertainment and Information Security industries related to
Operational, Organizational, Physical, and Technical Security.
10. Functional Format
The MPA Site Best Practices and Common Guidelines v4.10 were published in a PDF format. The 105 pages were
difficult to sort, filter, and incorporate into Service Provider’s Standard Operating Procedures (SOPs). The updated
MPA Best Practices v5.0 is published in an Excel format. When downloaded, this enables the user to sort, filter, and
incorporate into the Service Provider’s SOPs if needed.
MPA Site Best Practices and Common Guidelines v4.10
MPA Content Security Best Practices v5.0
CONTINUOUS FEEDBACK PROCESS
TPN captured all stakeholder feedback and will continue to review and consider these comments for
future updates. Additionally, we will monitor, review, and analyze progress made by the industry on the
MPA Content Security Best Practices v5.0.
We look forward to working with the community on an ongoing basis for future enhancements. In the
spirit of our collective forward momentum, collaboration, and innovation, the MPA Content Security
Best Practices are now based on a solid foundation that will provide the industry with its most
comprehensive roadmap for continuously addressing Content Security.