
Hard Evidence: Structuring Security Practices to Support Assessments

June 2, 2023 | By Charlie Evatt

Today’s guest post is authored by Charlie Evatt, a Level 3 Site and Cloud Accredited TPN Assessor at the REDESIGN Group, a Los Angeles-based global technology and cybersecurity consulting firm. Charlie shares his perspectives and recommendations on enhancing security practices, in particular providing and documenting evidence.

Updated Motion Picture Association Content Security Best Practices and assessment methods

It has been four months since the Motion Picture Association Content Security Best Practices version 5 was released, and momentum is now building for the new TPN+ program.

I thought I would share some thoughts from an assessor’s point of view about how service providers in the Media and Entertainment supply chain could structure their security practices, and consequently streamline any third-party assessments they undergo.

Many of the MPA Content Security Best Practices contain security principles, methodologies and techniques also applicable to other industries, which may have their own control sets and assessment frameworks. The updated TPN instructions for qualified assessors now require assessors to describe what evidence we have validated to mark an assessment security control as ‘Fully Implemented’ or otherwise.

In the ‘pre-assessment phase’ of the TPN process, I review the service provider’s submitted questionnaire and evidence in advance of a site visit or follow up video meeting. What is often missing, but equally critical to support the assessment process, is verifiable evidence that the service provider’s policies and processes are being adhered to.

Understanding risk, and incident management

This ‘absence of evidence’ scenario may look something like this: I am presented with a detailed Incident Management Procedure, but after looking at the related incident log, the records in it are minimal to non-existent. My view is that if zero or very few possible or actual security incident events are identified, trigger alerts, or are logged at an organization, then the organizational understanding and management of risk is too low, regardless of industry. I find it nearly impossible in today’s threat landscape that any organization has never received phishing attempts, has avoided any type of network or application scanning by remote miscreants, or never had a key system component fail.

It is common for the average person to suffer from and feel the impact of digital incidents, such as ransomware, the ‘hi Mum’ scam, false invoices/email compromises and similar social engineering scams. For the naive, understanding the risks usually happens once it is too late. Companies with more people, distributed systems and workforces, and oceans of information must weigh their qualitative and quantitative business value when considering their protection, and be proactive in identifying and managing risk. Attack surfaces have broadened in the modern era.

An organization’s understanding of which events could be classed as an incident is also important – MPA Best Practice Control v5.1 – OR-2.0 covering Risk Management now requires consideration of integrity and availability risks as well as confidentiality risks. We all know that the content owning companies must ensure that their valuable information assets and production metadata remain confidential — and must also ensure that the service providers in their production supply chain will deliver the correct output to specification, on time, without a business continuity incident impacting production schedules.

Radiation over refrigeration

My view is that creating security policies and procedures and storing them in an ‘information fridge’ where they lie forgotten until brought out for the next assessment is ‘security theater,’ to use the term coined by Bruce Schneier. To be effective, organizational policies and procedures must not refrigerate, but must radiate: be communicated and understood, signed off by personnel, and inform with clarity how they impact stakeholder behavior and interests both inside and outside of the organization. Action must be validated, enforced, and documented, because if it is not documented, there is no evidence in the eyes of an assessor.

To wrap up, here are a few suggestions which should help your security posture in general, and in preparation for a TPN assessment:

  • If you have a policy and procedure which states that the organization performs a certain procedure – then perform that procedure and generate evidence. If you do not or cannot perform the procedure – or something has changed – alter the documentation to reflect your practice!
  • Design procedures so that normal operational activities generate the required evidence for assessments.
  • Determine daily, weekly, monthly and annual activities for security and technical operations, perform them, and log any minutes and outcomes.
  • Retain dated logs of security activities, meetings, workshops, change requests, approvals, decisions and implementations.
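One way to check, before the assessor does, that the dated logs actually cover the cadence you committed to. This is an added illustration, not code from the original post or from TPN; the schedule, the evidence log and the assessment window are constructed sample data, and the cadence-in-days thresholds are an assumption.

```python
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical schedule of recurring security activities and their cadence,
# in the spirit of the post's daily/weekly/monthly/annual activity list.
SCHEDULE = {
    "backup-restore-test": "weekly",
    "vuln-scan-review": "monthly",
    "incident-log-review": "weekly",
    "access-review": "annual",
}
# Longest acceptable interval between two dated evidence records per cadence.
CADENCE_DAYS = {"daily": 1, "weekly": 7, "monthly": 31, "annual": 366}
# Constructed sample evidence log: (activity, date the record was made).
EVIDENCE_LOG = [
    ("backup-restore-test", date(2023, 5, 1)),
    ("backup-restore-test", date(2023, 5, 8)),
    ("backup-restore-test", date(2023, 5, 15)),
    ("backup-restore-test", date(2023, 5, 29)),
    ("vuln-scan-review", date(2023, 5, 3)),
    ("incident-log-review", date(2023, 4, 2)),  # last record predates the window
]
# Assessment window under review (constructed).
WINDOW = (date(2023, 5, 1), date(2023, 5, 31))


def evidence_gaps(schedule, log, window_start, window_end):
    """Return {activity: [(from, to), ...]} for every interval inside the window
    longer than the activity's cadence. An activity with no record in the window
    is one gap spanning the whole window; a cadence longer than the window
    cannot be overdue inside it and is never reported."""
    by_activity = defaultdict(list)
    for activity, when in log:
        if window_start <= when <= window_end:
            by_activity[activity].append(when)
    gaps = {}
    for activity, cadence in schedule.items():
        max_gap = timedelta(days=CADENCE_DAYS[cadence])
        # Bracket the sorted records with the window edges so a missing first
        # or last record is caught as well.
        points = [window_start] + sorted(by_activity[activity]) + [window_end]
        late = [(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]
        if late:
            gaps[activity] = late
    return gaps


if __name__ == "__main__":
    for activity, spans in evidence_gaps(SCHEDULE, EVIDENCE_LOG, *WINDOW).items():
        print(activity, [f"{a} to {b}" for a, b in spans])
```

On the sample data this flags the two-week hole in the weekly restore tests and the entirely missing May incident-log reviews, while leaving the monthly and annual items alone.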

Remember – if it was not written down, it did not happen.

Please make sure you share suitable evidence with your TPN assessor so they can validate your ‘Blue Shield’ questionnaire attestations, so we can all do our best to protect content in our industry.