As we explored in the first part of this series, Protecting Intellectual Property Part I, the Trusted Partner Network (TPN) is a collaboration between the Motion Picture Association of America (MPAA) and the Content Delivery & Security Association (CDSA) that helps standardize the way third-party vendors serving the film industry validate their security practices. Modern motion pictures depend on a network of independent firms and vendors to provide services such as on-location videography, talent, scripts, and the many other components that go into making a quality film. Using third parties enables producers and directors to pivot and adjust from film to film, selecting the right team for the job. However, working with that many providers brings the challenge of keeping intellectual property secure across countless parties and entities, and of ensuring that creative content is not leaked to the public before release dates through a security gap in the supply chain. One of TRUE’s most experienced security assessors, Vince Fusco, has stepped into the space to help these vendors, undergoing the process of certification to become an Approved TPN Assessor.
As a PCI QSA (Payment Card Industry Qualified Security Assessor) with an extensive security background, Vince views the TPN as a natural extension of what many other industries have done in developing compliance frameworks. Whereas most of these compliance bodies, as is the case in the Payment Card Industry, formalize compliance as a requirement, TPN has taken a slightly different approach. Joining the TPN through an assessment to become a Trusted Partner is voluntary for anyone who wants to work with members of the MPAA. Of course, not every vendor is positioned to do business with this group, and some choose to stay out of the mainstream. For those who do wish to provide services for a feature film, however, TPN processes are an industry differentiator: a way for them to set themselves apart as vetted and trustworthy. That is not to say that independent vendors outside of the network are not also trustworthy, but that perhaps they do not wish to go through the same processes of validation to work in this high-powered arena.
VOKSEE, a visionary production company dedicated to the creation of content for television, film and branded entertainment, has had a long-standing relationship with True Digital Security. Their Principal, Duane Fernandez, viewed the TPN assessment process as an opportunity. Already security-minded in how VOKSEE was protecting all Intellectual Property (IP), the production company recognized the value of working through the assessment process and joining the Trusted Partner Network as a way to validate their security practices against defined standards. This now enables them to provide measured, defined, and documented assurance to those in the major motion picture industry.
Fernandez has become a strong proponent to his industry peers of the assessment’s value, reiterating the fact that securing one’s most valuable assets is vital. As a TPN partner, VOKSEE has shown through its leadership that this is the new gold standard in doing business with major IP rights holders. “We will continue to educate our industry partners about the risks and how to best mitigate them,” Fernandez said.
HOLLYWOOD’S NEED TO STANDARDIZE SECURITY CONTROLS
Aside from the obvious need to secure valuable data, one might wonder why the MPAA and CDSA have decided to formalize the process. Historically, major film studios have provided their own security assessments to third-party vendors who wish to work with them. The problem this creates is inconsistency among assessors about what the minimal security controls should be. So, if a vendor wanted to work with more than one filmmaker, they would need to research disparate assessments and attempt to address all of them with a single set of security controls. Through standardization, TPN has essentially joined PCI, HIPAA, CCPA, GDPR, FICA, FERPA, and other regulatory bodies who have paved the way for standard practices in handling various sets of sensitive data. While it remains voluntary, joining the network carries the strong financial incentive of being able to provide services across this industry. Further, because TPN maintains a central database of approved vendors, along with their security scores, vendors can simply undergo assessment and remediation, have their reports submitted by the assessor, and then let filmmaking organizations access that information themselves through TPN. This removes the administrative burden created when someone requests an attestation of compliance, and the need to repeat that process every time the vendor wants to bid on a new project.
WHAT SECURITY ASSESSMENTS SEEK TO MEASURE
If your organization is considering undergoing a formal security assessment to provide validation of your security practices, you might wonder what this entails. For instance, how should you prepare? Will you be given an opportunity to remediate any potential gaps before the report is finalized?
You should be prepared to answer questions about the security of your physical location, all the places you work (shared office space? coffee shops?), everyone who has access to your data, your current physical and cyber security controls, whether or not your facility has been through a content security assessment in the past, and so on. (If you have been through an audit process in the recent past, you may be able to leverage some information from those reports.) A walk-through is also usually required to verify your security controls, which is easily done and not unique to TPN.
WHY YOUR PHYSICAL WORK LOCATIONS MATTER
Even when you have invested in the best-intentioned cyber security controls, if someone can walk in the front door of your office or shared workspace and have access to laptops sitting unattended and unlocked, or can get into a server room without too much of a fuss, your controls are pointless. Building on that idea, creatives are known to congregate and work in collectives, or meet up at coffee shops to ensure the open exchange of ideas that fuels their work. However, when working in these environments, you are only as secure as the least secure person in the room. Are you using an open network? Can others see your screen or overhear your conversation? Are their cell phones secure from hackers? Could a thief or competitor who wants access to your artistic content hack into IoT devices in your space, such as a video camera? (Yes, this happens, and no, it isn’t hard to do.)
BENEFITS OF BECOMING A TRUSTED PARTNER
What should be recognized about undergoing a security audit and formally joining the Trusted Partner Network is that it benefits you as a vendor. Your own creative work, as well as any intellectual property sent to you, will be secure from theft. If a major studio entrusts your organization with the creation of a trailer, audio scoring, or another creative service, sending you their prized original content, you don’t want to be responsible for a security breach or IP leak. Not only would your client have lost their most valuable asset, but you might have trouble re-establishing a solid reputation among a group of people who are highly selective to begin with. Taking the time to invest in your security posture will only strengthen your organization’s business practices and reputation.
“In the modern world, the most valuable asset that any entertainment organization can have is content. The TPN assessment program allows the entertainment industry to have a standard of security practices that will push the industry to protect their content in the manner that matches its value. It’s a huge step in a market that has not historically valued data security in the way other markets have valued their most prized assets.”
For more information about becoming part of the Trusted Partner Network through a formal assessment, please reach out to us at: