Media and Entertainment
Pass Your TPN Assessment With Confidence
Articles by: Richey May, May 12, 2020
The Trusted Partner Network (TPN) assesses the fitness of an organization to handle sensitive content for entertainment production studios. While the TPN has been around since 2018, the number of questions about its framework and assessment process often outnumber the answers. In this post, veteran-certified TPN assessor, Michael Wylie, provides the secrets to passing a TPN assessment.
The TPN assessment process provides a method for certified assessors to measure your content security procedures against the Content Security Best Practices of the Motion Picture Association (MPA) ― but, to clarify, no pass/fail scoring is provided for the assessment. Any shortcomings are documented by the certified assessor as a finding, coupled with required or highly recommended remediation tasks. Documented deficiencies in content security controls are on display for TPN member studios such as HBO, Walt Disney Studios Motion Pictures, Warner Bros. Entertainment Inc., Amazon Studios, and many others to see. In other words, any deficiencies in how your organization handles content will be aired out like dirty laundry. However, if you carefully heed the following advice, you’ll be prepared to pass the assessment with confidence.
The Three Major Keys to Passing Your TPN Assessment:
Prepare. First and foremost, preparation is the key to passing a TPN assessment. Certified TPN assessors are required to dig deep, validating any information provided on your extended questionnaire by seeing, touching, and hearing anything to which you’ve attested. This will probably be the most in-depth assessment you’ve been through, involving 6-8 hours of questioning.
Before your on-site visit, review the MPA Content Security Best Practice document and be able to provide evidence of anything you attest to in the extended questionnaire. For example, if you have a change management process in place, be able to provide the assessor the policy, procedures, and a history of using the change management process. A good assessor should provide you with a checklist of documents to have available during your assessment. If you’re not ready or unsure, reach out to a trusted advisor familiar with the TPN assessment process.
Establish processes. Whether big or small, formalize and document policies, procedures, and workflows. One of the most common deficiency findings is lack of documentation. For instance, you may require employees to follow best practices regarding passwords; but if the practices are not written in a policy or employee handbook, expect a remediation task outlining that you don’t adhere to the best practices . Policy and procedure documents can scaled based on the size and complexity of a facility―a post-production studio with five employees doesn’t need a ten page policy on passwords. Keep it simple and effective for your business. Many well-versed cybersecurity consulting firms will have templates that can be quickly implemented in any size environment without spending a fortune.
Know your risk threshold. Third, after the certified TPN assessor completes his or her assessment, the draft report is sent to the TPN for quality control, a process that typically takes approximately two weeks . For areas where the assessment indicates non-compliance with a control or practice, the TPN will provide you with a remediation list. You have ten business days to respond to the TPN with a roadmap that documents how you intend to fix the deficiencies. If you picked a good TPN assessor, he or she should have already briefed you on the key findings before submitting the report, so you know what to expect. At this point, your dirty laundry can be seen by all member studios. This can be problematic if you’ve completed a direct audit with a studio in the past and answered differently to their questionnaire. Each studio has their own appetite for risk and will handle your remediation list differently.
A Trusted Partner Helps Guide the Process
It’s important to have a trusted advisor who knows each studio’s risk tolerance. Some studios may accept your remediation list as-is, while others may withhold content from you until all remediation items are resolved. Having a trusted partner with media and entertainment experience who is familiar with the TPN process, and a veteran in the cybersecurity industry, can help guide you around any roadblocks during the process.
If you are preparing for a TPN assessment or are simply unsure of where you stand, contact a trusted qualified TPN assessor at Richey May Technology Solutions today.
Michael Wylie, MBA, CISSP has over 14 years of experience with IT and Cybersecurity. He was one of the first TPN assessors in the inaugural year of the TPN program launch.