Important Updates to the TPN/MPA Best Practice Guidelines (4.07)
Articles by: Richey May, Jul 16, 2020
On Friday, July 10, 2020, The MPA published version 4.07 of the MPA Content Security Best Practices Common Guidelines and the MPA Best Practice Guidelines to Consider for Remote Content Handling.
What new updates do you need to be aware of for your TPN compliance?
This revision of the MPA Content Security Best Practices Common Guidelines primarily focused on updating the Business Continuity section to address the current pandemic, with a reference to the newly developed MPA Best Practice Guidelines to Consider for Remote Content Handling document. Other noteworthy updates included adding references to ransomware and policy templates, and various changes to physical and digital controls:
- MS-1.0 – CSA and CIS were added as referenced information and content security frameworks that organizations may adopt. This is a significant update, as the reference to CSA (Cloud Security Alliance) gives organizations additional alignment for adopting more cloud solutions to support their production and content workflows.
- MS-4.0 – A link to the SANS information security policy repository was added as a reference for sample/template policies. The SANS Institute serves as an excellent starting point for policies. However, the repository is not a complete library of policies that can be adopted as-is. Remember that the TPN has very specific requirements for policies and procedures, which need to be added and tailored to mirror your operating environment.
- MS-4.3 – Was updated to include ransomware as a topic to be covered when developing and updating security awareness programs. Additional information on the expected level of content can be found by referring to NIST SP 1800-26, “Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events”.
- MS-6.0 – In addition to adding sections on “pandemics” and “ransomware” to organizations’ business continuity plans, a reference to the MPA’s best practices for remote content handling was added for a more complete guide to business continuity.
- PS-3.0 – Was updated to have a threshold of 25 or more employees / third-party workers, meaning that companies with fewer than 25 employees or third-party workers are not required to provide photo identification badges.
- DS-2.0 – References to VNC were removed as an acceptable exception for access to production systems storing content. This most likely was due to the limited security controls that VNC can provide in a remote operating environment. The list of acceptable Internet Gateway solutions is now just Citrix and Terminal Services.
- DS-5.0 – Added a bullet point clarifying FQDN/DNS entry usage in ACLs on the I/O network: “If FQDN (Fully Qualified Domain Names) are used, the firewall should contain a valid DNS entry. DNS resolution should be confirmed it is refreshing periodically to ensure the latest IP addresses are captured in the ACL.”
- DS-5.1 – Added Bluetooth to the list of input/output (I/O) devices to be blocked as part of device security. Given that the Apple platform uses Bluetooth for keyboards and mice, focus on blocking Bluetooth file sharing, AirDrop and other Bluetooth I/O devices via a third-party tool, and test the change before blocking Bluetooth across all devices.
- DS-14.2 – Similar to DS-5.0, language was added to clarify firewall FQDN/DNS entry usage when organizations host their own content transfer system in a DMZ: “If FQDN (Fully Qualified Domain Names) are used, the firewall should contain a valid DNS entry. DNS resolution should be confirmed it is refreshing periodically to ensure the latest IP addresses are captured in the ACL”.
With the continued impact of the COVID-19 pandemic, some post-production vendors may be forced to implement remote work solutions, otherwise known as Work From Home (WFH), to continue operations. The six-page MPA Best Practice Guidelines to Consider for Remote Content Handling provides vendors with guidance on how to continue operations during these uncertain times. While there are no new security controls in the guide, the document lists the key parts of the MPA Content Security Best Practices Common Guidelines to focus on while traditional workflows are altered.
Remember, per the TPN, as a qualified vendor you are required to always get approval from content owners before implementing a WFH workflow.
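The DS-5.0 and DS-14.2 language above expects FQDN-based ACL entries to stay backed by a valid, periodically refreshed DNS resolution. The following added example (not code from this article or from the MPA/TPN) is one way to verify that on a schedule: it compares the address set a firewall is enforcing for each FQDN with a fresh lookup and reports stale, missing and unresolvable names. The firewall export format, the hypothetical domain names and the offline DNS table are assumptions.

```python
# Added example (not from the article or the MPA/TPN): compare the IPs a firewall
# enforces for each FQDN-based ACL entry with what DNS returns now (DS-5.0/DS-14.2).
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Set

@dataclass
class AclDrift:
    fqdn: str
    resolvable: bool   # False when DNS returned no address for the name
    stale: Set[str]    # enforced by the firewall but no longer returned by DNS
    missing: Set[str]  # returned by DNS now but not enforced yet

    @property
    def in_sync(self) -> bool:
        return self.resolvable and not self.stale and not self.missing

def live_resolver(fqdn: str) -> Set[str]:
    """Resolve through the system resolver; empty set when resolution fails."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}
    except socket.gaierror:
        return set()

def check_fqdn_acl(acl: Dict[str, Set[str]],
                   resolve: Callable[[str], Set[str]] = live_resolver) -> Dict[str, AclDrift]:
    """acl maps each FQDN in the ACL to the IP set the firewall currently enforces."""
    report = {}
    for fqdn, enforced in acl.items():
        current = resolve(fqdn)
        report[fqdn] = AclDrift(fqdn, bool(current), enforced - current, current - enforced)
    return report

# Constructed sample data: hypothetical names, RFC 5737 documentation addresses.
SAMPLE_ACL = {
    "transfer.example.com": {"203.0.113.10", "203.0.113.99"},  # .99 was rotated out
    "partner.example.net": {"198.51.100.7"},
    "retired.example.org": {"192.0.2.5"},                      # name no longer exists
}
CONSTRUCTED_DNS = {
    "transfer.example.com": {"203.0.113.10", "203.0.113.11"},
    "partner.example.net": {"198.51.100.7"},
}
def constructed_resolver(fqdn: str) -> Set[str]:
    """Offline stand-in for live_resolver backed by the constructed DNS table."""
    return set(CONSTRUCTED_DNS.get(fqdn, set()))

if __name__ == "__main__":
    for d in check_fqdn_acl(SAMPLE_ACL, constructed_resolver).values():
        print(f"{d.fqdn}: {'ok' if d.in_sync else 'DRIFT'} stale={sorted(d.stale)} missing={sorted(d.missing)}")
```

Run it with `live_resolver` (the default) against an export of your real FQDN rules to get a drift report; an unresolvable name or a stale address is the condition the guideline's periodic refresh is meant to prevent.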
If you need help preparing for your TPN assessment or want to implement a longer-term WFH workflow, reach out to one of Richey May Technology Solutions’ many certified TPN assessors for your customized solution.