Building and Assembling Security Practices and Implementation Guidance

August 21, 2023 | By Suzy Lopez

The Motion Picture Association (MPA) has recently focused on launching the TPN+ program, which is the latest offering from the Trusted Partner Network.

This is the first of three blog posts in which, collaborating closely with TPN, I would like to discuss our ongoing efforts and the potential benefits they bring to service providers in the Media and Entertainment industry in terms of the MPA’s best practices. By emphasizing the importance of security practices and conducting assessments, we aim to provide content owners with increased visibility and assurance.

In the pre-pandemic era, numerous companies opted for remote work arrangements, which subsequently led to a significant shift in the workforce landscape. Presently, many employees continue to work remotely or in hybrid setups, while companies increasingly explore the use of cloud computing technologies for their operational needs. Consequently, the Trusted Partner Network (TPN) recognized the need to update its content security controls to encompass the protection and fortification of remote work environments and cloud technologies.

As a Security Engineer, I have played a vital role in the enhancement of security best practices and implementation guidance within the Trusted Partner Network. This endeavor aims to create a positive experience for service providers and content owners while fostering strong relationships throughout the media industry. Throughout the process of revamping security controls, I have successfully identified the applicable controls for service providers, ensured the clarity and effectiveness of implementation guidance, and actively incorporated feedback from other studios to make necessary adjustments.  

Understanding the Best Practices 

Best practices are often seen as a comprehensive checklist that ensures all necessary elements are in place and functioning optimally. My view of best practices is that they explain the security infrastructure of the company and tell a story of its security posture. Perhaps most important, the purpose of the MPA Best Practices and the assessor community is to support and guide you through the process, not to cause unnecessary hurdles and extra work.

Technically speaking, control measures provide a distinct identification for each best practice, enabling them to be distinguished from one another and implemented individually. These controls serve as specific measures or actions that need to be taken to adhere to the corresponding best practices. These best practices are categorized into different areas such as physical security, cloud security, logging, or monitoring. While they may appear daunting at first, their primary objective is to assist service providers in comprehending the requirements necessary to achieve compliance.

Depending on their infrastructure, some service providers would need to meet specific controls while other controls would not apply. For example, MPA Best Practice Control v5.1, PS-1.0, covers physical security for all entry and exit points at facilities. Service providers would need to reevaluate the physical security of their facilities to ensure they are meeting this control. However, if a cloud-based service provider is presented with this control, it would not apply. The same goes for an onsite service provider that is presented with a cloud-based control and is not using any cloud services.

We made sure that when a service provider lets us know what type of facility they operate in, they are presented with the correct controls. Breaking down the guidelines into specific domains makes it easier to address and fulfill the necessary criteria for each area, ensuring a comprehensive and robust security framework. The main goal is to make sure we can accommodate anyone, not just service providers who work onsite.

Next week, we’ll take a close look at the importance of implementation guidance.