MPA Content Security Program - Motion Picture …

MPA Content Security Program

CONTENT SECURITY BEST PRACTICES COMMON GUIDELINES



Version 4.10 February 8, 2022

MPA Global Content Security Program

February 8, 2022

DOCUMENT HISTORY

Version | Date | Description | Author
1.0 | December 31, 2009 | Initial Public Release | Deloitte & Touche LLP, MPA, MPA Member Companies
2.0 | May 15, 2011 | Updates and Revisions; Consolidation into Common Guidelines and Supplementals | PwC LLP, MPA, MPA Member Companies
2.1 | January 1, 2013 | Updates and Revisions | PwC LLP, MPA, MPA Member Companies
3.0 | April 2, 2015 | Updates and Revisions | MPA, MPA Member Companies
4.02 | December 1, 2017 | Updates and Revisions | MPA, MPA Member Companies
4.03 | July 18, 2018 | Updates and Revisions | MPA, MPA Member Companies
4.04 | October 12, 2018 | Updates and Revisions | MPA Content Security, MPA IT, MPA Member Companies
4.05 | May 31, 2019 | Updates and Revisions | MPA Content Security, MPA Member Companies
4.06 | October 25, 2019 | Updates and Revisions | MPA Content Security, MPA Member Companies
4.07 | July 10, 2020 | Updates and Revisions | MPA Content Security, MPA Member Companies
4.08 | November 11, 2020 | Updates and Revisions | MPA Content Security, MPA Member Companies
4.09 | July 14, 2021 | Updates and Revisions | MPA Content Security, MPA Member Companies
4.10 | February 8, 2022 | Update and Revisions | MPA Content Security, MPA Member Companies

MPA Best Practices - Common Guidelines


Summary of Changes Made to this Version:

Version: 4.10

Date: February 8, 2022

Description: In this version, best practices and guidance were introduced covering work from home (WFH), remote working, and teleworking scenarios. The updates are as follows:

Comments

1. MS-2.0 Guidance was updated to identify and document remote working risks and to tie them to the business continuity and disaster recovery plan

2. MS-4.0 A remote and home working (WFH) policy and procedures entry was added to the list of minimum policies in the best practice

3. MS-4.0.3 A new best practice covering the establishment of a Remote and Home Working Policy (WFH) and Procedures, and implementation guidance.

4. MS-4.3 Security awareness training was updated to cover remote work and work from home (WFH) employees and WFH remote working security risks. Implementation guidance was added with references to SANS WFH security awareness training

5. MS-5.0 Incident response guidance was updated to include coverage of WFH and remote workers

6. MS-6.0 Business Continuity and DRP guidance was updated to include coverage for remote and WFH workers and business functions occurring remotely. The temporary WFH exception process was no longer relevant and was removed

7. MS-11.0 Guidance was updated to include confidentiality agreement coverage of WFH and remote workers and return of company assets.

8. PS-1.0 Guidance was added for securing entry and exit points for remote worker locations, facility server rooms, datacenters, colocations, and cloud hosting facilities.

9. PS-1.1 Guidance was added for segregating content areas from other areas of a facility for remote and WFH workers

10. PS-5.0 Guidance was added for alarm systems at remote and WFH locations and facility server rooms, datacenters, colocations, and cloud hosting facilities

11. PS-9.0 Guidance was added for CCTV camera coverage for remote worker and WFH locations

12. DS-1.0 Updated the guidance section for firewall segregation on remote work and WFH networks

13. DS-1.3 Updated best practice and guidance sections to accommodate VPN gateways, remote access brokers, virtual, and physical servers on local VLANs and Virtual Private Clouds (VPCs)

14. DS-1.5 Guidance for hardening of infrastructure devices was updated for remote and WFH workers

15. DS-1.6 The best practice and implementation guidance for managing firewalls was updated for remote facilities

16. DS-2.0 Updated the best practice and implementation guidance section for remote WFH workflows accessing production environments

17. DS-2.1 Email filtering best practice and guidance was updated for WFH and remote workers

18. DS-2.2 Web filtering best practice and guidance was updated for WFH and remote workers


19. DS-3.0 Implementation guidance was updated on isolating the production network for remote and WFH workers

20. DS-3.2 Completely revised this remote access control, with new best practices based on a tiered model recommended by NIST. Provided guidance for remote corporate access, remote workers, and elevated access

21. DS-3.9 Internal network vulnerability scans guidance for remote and WFH workers was added

22. DS-4.0 Guidance on restricting wireless on the production network was added for WFH and remote workers

23. DS-4.1 Wireless configuration for non-production networks and WFH/remote workers was added to the best practice and guidance sections

24. DS-5.0 Guidance was added for data I/O systems used by remote and WFH workers

25. DS-6.0 Best Practices and guidance for endpoint protection and antivirus was added for remote and WFH workers, and also VDI (virtual desktop infrastructure)

26. DS-6.1 Best practices and guidance for updating anti-virus and anti-malware definitions was added for WFH/remote workers and virtual desktops and servers

27. DS-6.2.1 Best practices and guidance for local firewalls were added for WFH and remote workers

28. DS-6.4 Best practices and guidance for patching of systems was updated for WFH and remote workers

29. DS-6.7 Best practices and guidance for securing (encryption and remote wipe) of portable computing devices and machines was updated to include WFH and remote worker devices

30. DS-6.9 Best practices and guidance to establish security baselines and standards for physical and VDI devices were updated to include WFH and remote worker machines

31. DS-7.2 Guidance for the use of credentials for WFH and remote workers was added

32. DS-7.3 Guidance on handling default administrator accounts and other default accounts was added for WFH and remote workers' equipment such as firewalls, WIFI, and routers

33. DS-8.1 Best practices and guidance were updated for password policies and how they would apply to WFH and remote workers connecting to corporate and production networks

34. DS-8.2 Authentication guidance for VPN and other remote connections was updated for WFH and remote workers

35. DS-8.3 Guidance for screen locks was provided for WFH and remote workers

36. DS-11.1 Added guidance for drives used by WFH and remote workers

37. DS-13.0 Added guidance for transfer systems used by WFH and remote workers

38. Added a Work from Home (WFH) and remote working definition in the glossary section Appendix A, based on a NIST definition


TABLE OF CONTENTS

Document History
I. Best Practices Overview
II. Facility Overview
III. Risk Management and Document Organization
IV. Best Practices Format
V. Best Practice Common Guidelines
Appendix A -- Glossary
Appendix B -- MPA Title and Distribution Channel Definitions
Appendix C -- Mapping of Controls to References
Appendix D -- Suggested Policies and Procedures
Appendix E -- Other Resources and References


I. BEST PRACTICES OVERVIEW

Introduction

For more than three decades, the Motion Picture Association (MPA) has managed content security assessments on behalf of its Member Companies (Members): Paramount Pictures Corporation; Sony Pictures Entertainment Inc.; Universal City Studios LLC; Netflix; Walt Disney Studios Motion Pictures and Warner Bros. Entertainment Inc. Fox Studios (a former member) was bought by Disney in 2019 and Netflix joined in 2019.

Starting in 2007, these reviews were performed using a standardized survey model, process and report template. Since then, almost 500 facilities have been surveyed in 32 countries.

During the middle of 2018, the MPA started performing assessments through the TPN (Trusted Partner Network). The MPA is also involved in the governance and operations of the TPN program.

The MPA is committed to protecting the rights of those who create entertainment content for audiences around the world. From creative arts to the software industry, more and more people around the globe make their living based on the power of their ideas. This means there is a growing stake in protecting intellectual property rights and recognizing that these safeguards are a cornerstone of a healthy global information economy.

The MPA Content Security Program's purpose is to strengthen the process by which its Member content is protected during production, post-production, marketing and distribution. This is accomplished by the following:

• Publishing a set of best practices by facility service outlining standard controls that help to secure Member content;

• Assessing and evaluating content security at third-party partners based on published best practices;

• Reinforcing the importance of securing Member content; and

• Providing a standard assessment vehicle for further individual discussions regarding content security between Members and their business partners.

Purpose and Applicability

The purpose of this document is to provide current and future third-party vendors engaged by Members with an understanding of general content security expectations and current industry best practices. Decisions regarding the use of vendors by any particular Member are made by each Member solely on a unilateral basis. Content security best practices are designed to take into consideration the services the facility provides, the type of content the facility handles, and in what release window the facility operates. Best practices outlined in this document are subject to local, state, regional, federal and country laws or regulations. Best practices outlined in this document, as well as the industry standards or ISO references contained herein, are subject to change periodically. Compliance with best practices is strictly voluntary. This is not an accreditation program.

Exception Process

Where it may not be feasible to meet a best practice, facilities should document why they cannot meet the best practice and implement compensating measures used in place of the best practice. Exceptions should also be communicated directly to the Member.

Questions or Comments

If you have any questions or comments about the best practices, please email: contentsecurity@


II. FACILITY OVERVIEW


The following table describes the typical services offered, content handled and release window involved with each facility type.

No. | Facility Type | Typical Facility Services | Type of Content | Release Window
1 | Audio, Dubbing and Sub-Titling | Original and Foreign Language Dubbing; Subtitling; SFX; Scoring; ADR/Foley | Low-Resolution; Watermarked/Spoiled; Full/Partial Feature Content; Audio Masters | Pre-Theatrical; Pre-Home Video
2 | Courier, Delivery and Freight | Courier Services; Delivery Services; Shipping Companies | Varied | Pre-Theatrical; Pre-Home Video; Catalog
3 | Creative Advertising | Non-Finishing; Trailer; TV Spots; Teasers; Graphics; Web Ads | Watermarked, Spoiled Full/Partial Feature Content; Stills; Clips | Pre-Theatrical; Pre-Home Video; Catalog
4 | Digital Cinema | Digital Cinema Mastering; Replication; Key Management | High-Resolution; Full or Partial Content; Digital Cinema Distribution Masters; Digital Cinema Packages | Pre-Theatrical
5 | Digital Services | Digital Intermediate; Scanning; Film Recording; Film Restoration | Clean and High Resolution; Full or Partial Content (Film Tape) | Pre-Theatrical; Catalog
6 | Distribution | Distribution; Fulfillment; Backroom/Film Depot; DVD/Tape Recycling | High Resolution; Clean Image | Pre-Theatrical; Pre-Home Video; Catalog
7 | DVD Creation | Compression; Authoring; Encoding; Regionalization; Special Features; Check Disc QC | Clean; Full Feature | Pre-Home Video
8 | In Flight Entertainment (IFE) and Hospitality Services | IFE Lab; IFE Integration; Hotel; Airline; Cruise Ship/Ferry; Libraries; Hospitals; Prisons | High-Resolution; Full or Partial Content; Spoiled; Full or Partial Content | Pre-Theatrical; Pre-Home Video; Catalog
9 | Post-Production Services | Telecine; Duplication; Editing; Finishing; QC | High-Resolution; Full or Partial Content | Pre-Theatrical; Pre-Home Video; Catalog
10 | Replication | Pre-Mastering; Mastering; Replication; Check Disc Creation | High Resolution; Clean Image | Pre-Home Video
11 | Visual Effects (VFX) | Digital Post-Production; Computer Generated Imagery; Animation | High-Resolution; Partial; Frames, Shots, Sequences and Stills; Scripts; Storyboards | Pre-Theatrical; Post-Theatrical (2D to 3D)
12 | Application | Application Development | Varied | Varied
13 | Cloud | Hosting; Data Center | Varied | Varied


III. RISK MANAGEMENT AND DOCUMENT ORGANIZATION

Risk Assessment

Risks should be identified through a risk assessment, and appropriate controls should be implemented to decrease risk to an acceptable level and ensure that business objectives are met.

The International Organization for Standardization (ISO) 27000 defines risk as the "combination of the probability of an event and its consequence." For example, what is the probability that content can be stolen from a facility's network and released publicly, and what is the business consequence to an organization and the client if this occurs (e.g., contractual breach and/or loss of revenue for that release window)?

The importance of a robust management system is also highlighted in the ISO 27001 standard that shows how to establish an Information Security Management System (ISMS).

Asset Classification

One way to classify assets at your facility is to follow a four-step process, which is summarized below:

[Figure: four-step cycle: Identify and Classify Assets; Determine Minimum Security Control Set; Implement Controls; Monitor and Evaluate Effectiveness]

In consultation with the Member (its client), an organization is responsible for determining which client assets require a higher level of security. The following table provides an example of how to classify content:

Classification | Description | Examples
High-Security Content | Any content that the organization believes would result in financial loss, negative brand reputation, or serious penalties should the asset be stolen or leaked | Theft of a blockbuster feature before its first worldwide theatrical release; Theft of home video content before its first worldwide street date; Theft of masters or screeners

Additional information about risks generally associated with each facility type is also included in each supplemental best practice.

Security Controls

The IT Governance Institute defines controls as "the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected." Security controls are typically selected based on the classification of the asset, its value to the organization, and the risk of the asset being leaked or stolen.

In order to mitigate identified risks, organizations are encouraged to implement controls commensurate to each specific risk. Such measures should also be evaluated periodically for their design and effectiveness based on the current threat environment.
