Lisa Remsa [00:00:21] Good morning, everyone, and welcome to today's TRUE Talk Webinar. Thank you for joining us. My name is Lisa Remsa, and I'm the Marketing Manager here at True Digital Security. And I have the pleasure of being today's webinar host. Today's webinar will be presented by Vince Fusco, PCI Services Manager here at TRUE, and Duane Fernandez, a principal at VOKSEE. And they will be taking us through the details of the Trusted Partner Network, also known as TPN: what this new program entails, what it looks to achieve, how your business may benefit from a TPN assessment, and why TRUE is uniquely qualified to perform these assessments. So just a little housekeeping before we get started. This presentation will run about 40 to 45 minutes with Q and A at the end. If you have any questions during the presentation, please take them in the question box and then go to webinar control panel and events. We will answer them as best we can at the end of the session. We'll try to address all questions at the end of the webinar, but if we run out of time, we will answer any remaining questions by email. There will also be a recorded version of this webinar available on demand. You can either use the same registration link you used for this live session, or you could always visit truedigitalsecurity.com/webinars, and you can do all of our on demand recordings there as well. Now, without further ado, I'm going to turn the time over to Vince and Duane.
Vince Fusco [00:01:35] Thanks, Lisa. I hope everybody can hear me. Yes. As Lisa mentioned, this is a pretty high level overview of a new compliance standard in an industry that has not typically been very security savvy. It's called the Trusted Partner Network and it's a joint venture between the MPA, which was previously the Motion Picture Association of America. They dropped the America, because they're now an international organization. They are just now the Motion Picture Association and the Content Delivery and Security Association, the CDSA. So the members of the MPA and the members of the CDSA have come together to create the Trusted Partner Network along with other content owners and vendors, to hopefully create a standard of security across the business and the content delivery area typically associated with entertainment.
Vince Fusco [00:02:47] So as I mentioned earlier, it's just an area that has a business that typically hasn't focused too much on the security. But now, as we all know with streaming and digital and the way that we view entertainment these days, it's all connected in networks. And so we need to secure these things. A lot of IP and personal information is associated with this data as well. So, you know, companies like Disney and Netflix want to protect all that. So they have a right, they have the power to create something like a Trusted Partner Network to make sure that all their vendors and content owners are following a standard.
Vince Fusco [00:03:48] So without further ado, I'll kind of go in to the TPN and some of the details associated with the TPN and how to be assessed as a TPN member and what that looks like. So as I stated earlier, the TPN is kind of a dual creation between the MPA and the CDSA. But what that means really is that the big boys of the entertainment industry, such as Marvel and Disney and Netflix and all the big names that you know about streaming and entertainment nowadays, have come together and basically said that anybody that wants to do work with us from a content perspective needs to be TPN assessed and they need to be assessed by a validated third party, a TPN assessor, to make sure that they're handling all the content securely and that they're transferring all the content to, you know, the big studios securely. And there have been some news stories in the past about prerelease entertainment being leaked to the public, you know, before it's ready and that costs a lot of money for companies like Disney, tend to have the details of the newest Marvel release leaked to the Internet. Weeks before the actual release of the film, if it keeps people away from spending the money to go see the movie. And so they have a financial interest in keeping all these things secure and secret. And so they've partnered with the MPA, who's created a best practices standard for content security and the guidelines associated with that.
Vince Fusco [00:05:55] So that's that's essentially what a TPN assessment is used to. Those are the requirements that are used for TPN assessment. So depending on how a content owner utilizes content or handles content and you can and in the rest of the compliance world, you can kind of think of that as, you know, personal information or or payment card data. It all depends on how you're handling the data is the requirements that you will be held to. So if you are just a storage facility that holds physical hard drives of a of the newest Marvel movie, but you don't actually have access to the hard drive data itself. You just have the hard drives. Well, then you'll be held to this, the MPA standards for physical security and current career security and all those sorts of things. Now, if you're a production company and you handle content from from beginning to end. Then you're gonna be held to a higher requirement standard across the board, which is pretty, pretty common in the compliance community. For a little background on myself, I come from the PCI world, the payment card industry world. So it mirrors very, very closely to the types of assessments and requirements that you would see in a standard compliance set scenario for PCI. They've done a good job by looking at standards that are already in place and kind of morphing and copying the ones that make sense for content, entertainment content and putting those into best practices. As a veteran in this area, I think the MPA standards are very, very good and I'm happy to use them as as a standard. Why was it created?
Vince Fusco [00:08:13] The basis was what I mentioned earlier, and that means companies are more our studios are more and more scared of the idea of prerelease content leaking onto the Internet. And as we know in this digital world, there's so many middlemen from the people who create the content to get it to the final place where it would be shown whether it be a streaming service or a movie theater. You know, there's a lot of couriers involved, a lot of post-production people involved at any step along the way. You know, you can have a data leak. All it takes is one Marvel super fan along the way to decide that, hey, I want to I want to try to break the encryption on this hard drive and share with my friends the details of the newest movie. And all the sudden it's on the Internet for everyone to see. And Marvel's lost millions of dollars for it. So that is really the basis of what it's created. And then they kind of spread that out. Across all the vendors in the entertainment industry in which there are a lot. So that brings me to the next area. Who is it for? It is for everybody that would handle content across the way. Like I said, there's hard drives that need to be stored. There's cameramen that are on set that aren't necessarily employees of the studio. There are movie theater employees. There are airlines that show movies that are still in theaters. So anybody you can think of that would handle content like this would would want to be in the TPN network.
Vince Fusco [00:09:58] Because at the end of the day, while it is still a new requirement and compliance standard, it's gonna be very difficult to do business with the leading studios in Hollywood and the entertainment industry. Before long, they're all gonna require a TPN assessment of some sort. So that's the next part. That's the benefit, right?
Vince Fusco [00:10:23] If you can come out and say that I've been being assessed, now you're on the list for for these big studios to say, OK, well, we can we can comfortably do work with this company because we know they've been third party assessed against the standard that was created to protect our content. So those types of things. You know, just, you know, the general compliance world, you know, you want it, you want it from a security standpoint, but you also want it from a business standpoint to which, you know, is usually the driver. And all this until you get a call from, say, Disney and said, then they say, well, we can't do work with you until you do this assessment. Nobody really believes that they need to do these things, security or not. A lot of us want to believe that these groups would have an interest in being secure anyway. But until it affects the bottom line, you know, that's that's just not realistic. But here we are. And I will say, just from my short time experience in the team, can there are a lot of studios that are already enforcing this. Disney being one and saying like, we will just not even enter into a contractual agreement with you until you get TPN and assess and for a lot of these small boutique content owners. One deal with Disney as a whole, a whole year or two of of pay day for them. So if you shut that down, then you've you know, you've kind of shut off the lights for for a very small company. So there is a pretty big incentive to be part of the TPN now and it seems to be accepted across the industry. I don't know of any big players that have spoken out against it. A lot of them are kind of giving their content owners their heads up and saying, this is where we're moving. You have a little time to to get the assessment. But there are also people like Disney or saying, no, we're just not going to do business until you do it. 
So it's it's a drive that's going to be you're going to start hearing it a lot here in the next year or two. So we hope that that, you know, all our companies and and content owners are going to jump on board because, you know, we want. We want it to be secure as well. Next, I kind of want to I want to kick it over to Duane to kind of give you some real world experience.
Vince Fusco [00:13:06] He just went through a TPN assessment with us. You know, TPN has only been around since October of last year. So it's very new, not a lot of companies are getting TPN certified yet, but for the ones that are, they're getting a competitive advantage right off the bat for the studios that will only want to do business with TPN and certified companies.
Vince Fusco [00:13:32] So Duane here has a company here in Tulsa. They went for an assessment for that for that specific idea. So he's going to kind of talk about his experience, a little bit of background on this company and what it's meant for him.
Duane Fernandez [00:13:49] Yes. Hello. My name is Duane Fernandez. By the way, Vince, great job on outlining all of the front end of this product, the webinar living. There's a lot of information out there, but it's really hard to understand how it applies to your business. You can find a lot of information about TPN and what they're looking at as far as your company. But when you're actually the user, it's a little bit overwhelming. And so a little bit about our company is that our company, VOKSEE, is in development for film and television. And then we also do a lot of brand work, longer form brand work for digital and social media. So we work with all the studios in Los Angeles where we're a lot of brand partners. And from our understanding is that not only is TPN going to start overseeing a lot of that entertainment space, but also it's going to trickle into more than the Fortune 500 brands as well just because it's creating content, and you are using it for a marketing campaign. If someone shares any of that information ahead of time, you kind of ruin the entire investment of the campaign.
Duane Fernandez [00:15:02] You want those beats of the campaign to go out at a certain time. You don't want people to know there's a lot of spoilers in advertising campaigns from the studio side and from the brand side. So it's a huge investment to go develop content, go shoot the content and share the content. And then the goal is to create a lot of earned media and conversations around that content in the modern era. So having anyone kind of leak that information out ruins that excitement for whatever the product is, whether it's a film, an album, a book or a clothing line. So our company does film TV. We work on branded content and we work primarily Los Angeles, New York. So we moved our company to Tulsa so it can be read between the two. We found out from one of our studio partners that they're going to start requiring that all their vendors do a TPN assessment. So it took about a year for us, from start to finish, to actually learn about what the assessment looked like, what we needed to do to be properly assessed, and then actually look at the remediation items, which are like our the last action items of the of the entire assessment.
Duane Fernandez [00:16:18] Once you have an auditor come to your space review, everything from policy procedure, all the documentation, there's a lot of physical requirements like cameras and alarm systems. How do you store your hard drives? Are they in a safe? Are they backed up? Are they backed up offsite? There's a lot of information for us to process that. As forward thinking as we were, we just didn't know truly how much more we could do to protect ourselves. So we absolutely loved the whole process. It was very beneficial for us because, as a business owner, the biggest benefit is peace of mind. Is that we've actually implemented and put together through thorough policy and procedures from the ideation stage, the production phase, to the finishing phase, to the delivery phase.
Duane Fernandez [00:17:09] And knowing that we've done a full risk assessment. We've identified our weak points and we've put into place things that would allow us to be really smart about how we handle those files has really given me a lot of peace of mind. That's really the greatest asset of this whole thing. The other part of it that really taught me a lot about how we should approach projects was learning a lot about risk assessments, and we now use them in every aspect of our business where we mainly only did them once a year. So before we start any project, we actually take a look at it and see what sort of risks are we facing with this unique project, with travel, with the days of the shoot and then how we're delivering those files and come up with a plan ahead of time. And that's now become part of our policy procedure for our entire company. And we wouldn't have really thought that specifically about it had we not gone through this process.
Duane Fernandez [00:18:10] As it looks from our client point of view, from our point of view, it was a lot to learn because a big chunk of it, aside from the stuff that we knew, which was how to manage files, was around network security. And that was something that's very new to us. You know, all the connection processes we've ever had was we'd reach out to Cox or AT&T, set up a network and we were done. But what the TPN process has taught us was that there's a lot more steps involved and that we should've been thinking about what kind of firewalls or we're using, what kind of encryption, passwords and driver encrypting the hard drives. Are we using passwords for email and for all the different platforms and all the different machines that we use for editing? So that part was the biggest part for us to really learn and understand because we didn't come from an I.T. background and all the people here are creative or they're producers and they didn't understand. So we had to bring on consultants to help us really understand that. And so the. Putting together policy and procedure took us about six months because unlike I think a lot of areas of business, there aren't... There was a lot of... There wasn't a precedent for this. There wasn't there wasn't a... I couldn't go to LegalZoom and be like oh i'm going to download this 200 page workbook and then just kind of white label and put our company name in places like it doesn't exist. And it's really unique to that type of production company. So the stuff we were doing probably might be slightly different from another production company. So it was really hard to really understand that. So we had to kind of stop down what we're doing and actually write a lot of policy procedure, use user consultants to help us refine that language or think about things slightly differently. So and that could be everything from how do you store passwords for your email? How do you start passwords for the hard drives? How do you. 
Who has access to the hard drives and clearly are just writing that information out. Whereas a lot of that. Workflow internally was just kind of organic and we didn't have in-depth policy for procedures for a lot of these things, so that was a big chunk of time. So, you know, as you go through this process, really get ahead of the Pauls, the documentation. Talk a little bit about the timeline. But it took about a year, three months, the front of it, it was really learning about the scope of the assessment and what it was going to require and then kind of bringing experts on in each phase of that to help us implement specific things before the assessment.
Duane Fernandez [00:20:57] And then also that, again, the documentation. So, for example, our physical security, we have a very savvy security company here locally who came in. We looked we showed them kind of what we were going to be assessed. And they helped us lay out a security plan with cameras and fobs and how we track those like the key entries, how we keep log key entries, how long should we keep them for? What's an industry standard? There's just a lot of new things to learn. So that first three months was really taking a look at what the entire entire assessment was going to do. When you log in and you start the assessment, you see a questionnaire. The first phase for you as as you go through this is that the TPN and when you log in, they'll give you the assessment in question form so you'll see all the questions that they're asking. And so we basically created a document with all those questions. And who are the experts are gonna help us understand the ones that we didn't know how to answer or we didn't have an answer for them. And so that first three months of building a plan and then the next six months was really bringing all the different people together to help us implement those that plan from physics, like physical security, the contractors for our network, security, working with our ISP provider like Cox to actually help us understand which firewalls we should use to be the most secure. And then the last three months was just fine tuning all the pieces and making sure that we had everything buttoned up before we actually begin in the audit.
Duane Fernandez [00:22:27] And then you do the audit and the audit is more or less about a two week process where you identify an auditor. They come in and they'll do an assessment internally and then they will come and actually try to hack your your network externally and internally to see any weak points and then all that information. And I'm sure there's other pieces that I'm not quite sure from the auditor side, but those pieces will then be submitted with their entire report to TPN, which takes about, you know, 30 days, I'm guessing, and TPN will review that and then identify some or remediation items, items that you have to go back through and address. So. What they'll do is that in your client portal with TPN is that once your assessment is done, they'll outline your remediation items. You go in and you click when you hope to have them do by. And so you can set that out for 10, 15, 30 days, however long you want. You bring in your partner to help you resolve that remediation item. Then you actually make the note underneath the remediation, I'm saying. This is how we addressed it. And then you can upload additional files for evidence and they will then review that and then follow up with you if they have any questions or an additional requirements. Working with TPN has been absolutely a pleasure. They've been from the very beginning very helpful in helping us understand how to get through this. They answered every single question we've ever had over that entire year. Very quick to respond. We usually get responses within a couple of hours. And then once you actually begin the assessment there, they let you know when it's the start. They give you a good timeline of when they'll get their report back. And then again, how quickly they respond to you for those remediation items. They check in regularly every month to make sure you don't have any questions or concerns. So we've been very pleased with this entire assessment, this entire process. 
We were very daunting upfront now having gone through it. We're so grateful for it. And all of our partners we work with, we. We share ways that they can be more secure even if they're not going through this process. You know, it's just become become something that we're we've become very passionate about is the security of IP, because I came from the studio side. And so I remember how nerve racking was being at a studio and knowing that all this content was just out there and so many different pieces and places. You know, when you're working on a film, you've got people in one studio mixing sound, one studio doing color, wants to do doing the edits. And it was it was kind of terrifying in this digital age and especially with cloud based creative processes. Is that all this stuff is out there and some people don't necessarily understand how vulnerable they are.
Duane Fernandez [00:25:28] So, yeah, we've... I'm a nerd also. So I'll say it. I should preface that I really enjoy this process.
Vince Fusco [00:25:37] Yeah, on my end. All right. Thanks, Duane. Yeah. So he brought up a couple of good points across across the board in that typical your typical TPN client from an assessor's point of view is not going to be very security savvy unless you're dealing with a big studio or a big organization that just already had those things in mind because they've been around so long, because they've been just so large.
Vince Fusco [00:26:08] But a lot of these organizations that are gonna go for the TPN process are going to be small or boutique or they do just a very specific thing in the industry. For example, one of the assessments that I've already done is for a company that creates movie posters. And because the movie posters have to be created from the content from a film, you know, they have access to two pictures and things. And from their perspective, they're saying, well, all we have is, you know, a picture of Darth Vader's helmet. Like, what are what does that mean? And so well, you know, you still you know, Disney is the one that saying you need to be secure because, you know, a poster leaks and all of a sudden it gets onto the fan sites before, you know, the movie theaters can put it up. And, you know, it can be kind of a snowball effect for them.
Vince Fusco [00:27:04] So really, anybody can think of is is going to be affected by this. Another thing I wanted to point out that Duane mentioned is the TPN in itself, because they're an organization that they themselves have, you know, put a lot of money and effort into creating this process. And, you know, it's not from a legal perspective or an international legal perspective. They want all their members to succeed. And so that's why they set up the TPN and to be a very fluid and comfortable process. Like Duane mentioned, they're very easy to work with. They're very easy to talk to. They want you to be secure just as much as the assessor and your and your, you know, your company itself. So that is a helpful thing. They're not they're not one of those auditing bodies that is just saying, you know, this is the way it is. And I'm sorry. And we can't help you. Just let us know if if you if you finish your assessment and will rubber stamp it at the end of the day. And that's another key thing to think about. TPN actually does not have what is classically considered a pass or fail standard. So if I were to take Duane's assessment, for example, you know, they had a couple of small remediation items that we found at the end of the assessment that that Duane's company went back in and remediated. And so so they're good. But from TPN standpoint, you don't actually have to remediate those items. They just want a third party to.. To note them.
Vince Fusco [00:29:06] Because once a studio wants to work with one of the companies and they go into the TPN database, what they'll do is they'll look at the database for, say, you know, a company that can do X, Y and Z services. They search on that. And then when they click the company, they'll get their full TPN report. So if they get a report that says, oh, you know, you don't have a security guard on duty at your facility 24/7. He's only he's only a twelve hour. Well, that might not be enough for the studio to say, well, we don't want to work with them. They just say, oh, OK. Well, that's not really that big of a deal. That's fine with us. We can accept that risk because we really want to work with this this content owner. So like I said, it's not really a pass or fail. These these assessment reports are available for TPN members to review. So it's one of those things that it's really about going through the assessment itself and not about whether you have a pass or fail. That's not really the point of it. It's to go through the assessment to review all the requirements and see how your organization stacks up. And you know, it it it behooves you to to be as compliant as you can be for these things. But it's it's not. Saying that if you go through this assessment and there's some small findings that you're not allowed to work with Disney or Marvel and Netflix ever again, that's not the case. But that's that's a small difference between TPN and a lot of the classic compliance entities that you'll run into.
Vince Fusco [00:30:54] A couple other little things I wanted to mention about TPN and the process is that they don't they don't manage any of the the contractual process.
Vince Fusco [00:31:12] So it's really going to come down to the content owner looking for an assessor. There's an assessor. So when you sign up for TPN is doing a mention, you have a little portal. You go in there, you fill out the security questionnaire and then you pick an assessor. I think last time I checked, there's about 20 assessors that have gone through the process. I'm sure that's going to grow over time. But again, this has only been around a year. So when you go in your view and assessor, then it's up to the content owner and the assessor kind of work out what the assessment is going to look like. So, for example, if a content owner reaches out to me and said I would like an assessment for my TPN and I would, I would return to them and say, yeah, that's great. Do you mind sending over your questionnaire that you've filled out for TPN? And that gives me a good idea of the scope we're working on. Do you literally just look at pictures like like I mentioned with the movie poster company or are you a content creator or are you going out in the field and in actual making film and editing and seeing majority of the process? Because that affects, you know, the size and scope of the assessment. And then it's up to the content owner and the assessor us to come up with an agreed upon plan for the assessment. So that's all that's all kind of the side. And then once we once we decide fees and, you know, statements of work and that sort of thing, we send it back to the TPN and say, you know, this is what they agreed upon. They will review the agreement and the contract to make sure that all looks good. And then, Phil, what they say is they release the assessment to the assessor and then I can begin. So it's it's pretty.
Vince Fusco [00:33:09] It's a pretty fluid process. Like I said, it does not have to take place on site at the content owner. You know, to assess physical security, typically it needs to be. But TPN allows for things like Web cams and that sort of thing to assess physical security as as an assessor myself.
Vince Fusco [00:33:36] I don't know if I would always want to rely on that, but there are definitely content owners where I know they're not there. Physical security isn't the point of the assessment. So we don't always have to do that. But, you know, it is usually necessary, from my perspective to just get an idea of how this content come in the door and how does content leave the door and how is it how is it secured while it's on site at any vendor, you know, along the way.
Vince Fusco [00:34:07] So. So that's kind of the overview of the TPN. Like I said, this is a pretty ten thousand foot view of the of the TPN. It is very new. There's not a lot of information out on the Internet about it besides the actual TPN Web site.
Vince Fusco [00:34:27] I've gone ahead and put some of the resources here. This top link is the TPN website that the FAQ section kind of answers any questions you also have. As Duane mentioned, the TPN itself is very responsive. So if you have a very specific question, I would just email them and they will respond like that in a couple hours. So that's where I point everybody who has generic questions about the TPN. And they've done a good job on the website and it has how you sign up and the portal and all that, that sort of thing. So that's kind of the all encompassing link there. The next thing I've got, we've written a couple of blogs here internally about the TPN and some real world stories about how it would. Affects Internet and intellectual property across the board. I'd also put in company's website on their VOKSEE, as well as the link to the actual content best practices standard that the MPA put out, that'll take you to the actual PDF with hundreds of requirements to see. You can kind of get an idea of the level of detail and the level of technical it is. As far as compliance standards go, it is pretty technical. I'd say it matches up pretty well with PCI, maybe not as black and white, but definitely more specific than things like HIPAA. It's very specific. So I think it does a good job of kind of honing in on the things that affect security in this industry. So I think they've done a good job. I've mentioned that before. And then, of course, my email address, which, you know, if you hear of somebody that needs to be in assessment or you need to take an assessment yourself, you know, email me, I can point you in the right direction or maybe then help you with the assessment. As with any assessment, you might need a little pre consulting or pre audit to just kind of understand what the scope of an assessment might look like. We can help with that as well.
Vince Fusco [00:36:54] At True Digital, obviously, we have across the board a lot of security services that would support an assessment of this size from technical testing, penetration testing, like Duane mentioned, vulnerability scanning, risk assessments, all sorts of things.
Vince Fusco [00:37:10] So there's really not much besides the physical security piece in the best practices that that true digital can't consult on. Or, you know, in a lot of cases actually perform for you guys. So that's another area that I would like to point out. So that pretty much is it. I didn't like Lisa said it was more for an overview of this new program.
Vince Fusco [00:37:38] And, you know, in the coming months and years, I'm sure this will evolve like anything else does. And hopefully, you know, being part of it from the beginning has helped us, you know, see where it's going and be actively part of that process. And that is good. TPN does often ask for our feedback as assessors and Duane mentioned as content owners.
Vince Fusco [00:38:02] So they are very good at keeping that up to date and always evolving. So, Duane, I don't know if you had any closing remarks before we move on to questions, if we have any, but that's it for me now.
Vince Fusco [00:38:19] I think you did think additional thoughts I had that you cleared up at the end, so I'm good.
Vince Fusco [00:38:25] Okay, good. Lisa had to run out for a personal issue, so I'd be happy to take any questions if anybody has them. If not, my email address is on the screen. It looks like we don't have any questions, so I'll give it another minute. And if not, I think we're good. And thanks, everybody, for coming in here.
Vince Fusco [00:38:52] And hopefully in the next year or so, we have some more detailed topics about what we've seen in the TPN space. Since it's so new, it's kind of hard to get a lot of experience. A lot of my experience is actually through Duane because he's in the industry. He he hears a lot more whispers than I do of what's evolving. So he's helped me keep kind of my ear to the ground about where it's going and who is pushing this. But it's very exciting. I'm I. As you know, we're all fans of entertainment, and I know we all have our streaming platforms at home. So it's it's a fun and interesting space to help secure. You know, into the future. All right. No more questions. I'm going to. Logout, so I hope everybody had a good time and this recording will be available shortly. Lisa, we'll send that out to all the attendees and to the wider public at large. So thank you, everybody. Have a good day.