What is a TPN Assessment
TPN: An Introduction
The Trusted Partner Network (TPN) is a new, global, industry-wide film and television content protection initiative. The TPN helps companies prevent leaks, breaches, and hacks of their customers’ movies and television shows prior to their intended release and seeks to raise security awareness, preparedness and capabilities within the industry.
MPA Best Practices: Common Guidelines
The Motion Picture Association (MPA) Content Security Best Practices Common Guidelines (CSBP-CG) is an Information Security Management System (ISMS) framework derived from ISO/IEC 27002-2013 and NIST 800-53. The CSBP-CG is industry specific and designed to be of use by any organisation that is engaged in the Media and Entertainment Industry. The framework can be used standalone or in conjunction with other ISMS or risk management regimes such as the ISO/IEC 27000 family, ITIL and COBIT.
A Trusted Partner Network (TPN) Assessment is a cybersecurity audit where your ISMS implementation (i.e. management system, physical security and digital security) and corresponding content handling workflows are benchmarked for conformance with the MPA Best Practices Common Guidelines by an Accredited TPN Assessor. The assessment process is designed to deliver a comprehensive report to MPA, CDSA and ACE member studio content owners detailing your ISMS implementation, approach to risk and business continuity management, control implementation and treatment and to detail areas of non-conformance for remediation in the future. The need to comply with the MPA Best Practices Common Guidelines is voluntary. The TPN Assessment Process is not an accreditation program.
Who needs a TPN Assessment and how does it help your organisation
Any organization that is intending to bid on projects that are offered by MPA, CDSA or ACE member studios will require a TPN Assessment. Establishing the ISMS in the organization demonstrates the business' commitment to cybersecurity and to secure content handling workflows. The TPN establishes a single benchmark of minimum security preparedness for all vendors and their teams, wherever they work, and whatever their specialty. By creating a single, global directory of “trusted partner” vendors, content companies will have access to a centralized database to learn their TPN status.
How can we help?
How are we different and why choose us
Our auditors are industry veterans who have worked on multiple shows and have the screen credits to prove it. We intimately understand the cybersecurity risks involved in operating a facility and handling vendor content. We can work with you to implement an ISMS that is designed to reduce the exposure of your business to cybersecurity breach and content theft or loss.
TPN - Trusted Partner Networks
Frequently Asked Questions
What vendors should join the TPN - Trusted Partner Network?
Joining the TPN is voluntary; however, every vendor – large and small – that believes that security is a core business principle of their organization should join the TPN.
Do I have to have a TPN assessment to do business with a content creator?
No. Joining the TPN is voluntary. Individual content creators can always decide who to do business with depending on the type of project and their own risk management strategies. The TPN program demonstrates to content holders that a vendor facility takes content security seriously and ensures its protection.
Why should I consider a TPN assessment?
The TPN has been developed to help the industry improve content security, avoid duplicative assessments, and provide content owners with a unified platform for recognizing levels of conformance to the MPA’s content security best practices.
How do I prepare for an assessment?
There are a variety of ways to prepare for an assessment. Downloading a free copy of the MPA content security best practices is a great way to start. If you aren’t sure about how to implement controls, or need other assistance, there are also TPN assessors that may be able to help you with consultative work. Please remember that if you select a TPN assessor to aid in either preparation or remediation work, that assessor cannot be the same person providing your TPN assessment.
How do I get TPN assessed?
Participating in the TPN is voluntary and very straightforward. Simply follow the steps to begin the process.
How much does a TPN assessment cost?
The cost of an assessment is negotiated, on a case-by-case basis, between the TPN Qualified Assessor and the vendor making the assessment request.
What types of facilities are assessed?
Currently, the TPN is available to provide assessments of most production, post-production, and distribution operations throughout the entertainment supply chain. Your facility’s specific services will be determined and addressed during the TPN assessment process.
How frequent are the TPN assessments?
Due to the dynamic nature of the content security landscape, and the ongoing development and refinement of security controls, TPN assessments renew annually.
Can I “fail” a TPN assessment?
The TPN assessment does not provide a “pass/fail” grade, certification, or rating. It provides an assessment of a facility’s security preparedness for conformance with the MPA content security best practices. If an assessment indicates non-conformance with a control or practice, any necessary remediation may be conducted by a separate but similarly approved TPN assessor. The vendor may also provide evidence of their own remediation to the TPN. The TPN also has a formal review and submission process for any assessment disputes. Assessors are regularly measured and evaluated through the TPN Qualified Assessor Program.
Does the TPN assessment substitute for ISO or other standards bodies?
The TPN assessment and credential is designed to be the benchmark for the film and television industry’s handling of content across all phases of the supply chain. It is based on the widely recognized MPA content security best practices. The TPN assessment is not a substitute for ISO or other standards bodies not specific to our industry.
What are the benefits for vendors in the TPN program?
The TPN program will provide a number of benefits to vendors, including:
Reduce the number of assessments conducted at each facility annually.
Reduce the number of different controls used by various content owners.
Create competitive, market-driven assessment pricing.
Accelerate assessment report turn-around.
Offer controls that are specific to the needs and workflows of specific vendor types.
Assist in identifying vulnerabilities and communicate remediation through the TPN Platform.
Allow vendors to promote their security preparedness.
If I have multiple facilities or locations how do I get assessed?
Each facility is considered a separate operation for the purposes of an assessment. Please complete the general questions for the locations you wish to have evaluated on the TPN Platform and individual assessments can be arranged.
Is the TPN international, and if so, where does the TPN perform assessments?
The TPN plans to serve the international community with assessors available to address facilities in most geographic regions of the world.
Does the TPN certify my facility and operations?
Completing an annual TPN assessment allows you to display the TPN logo and assessment certificate indicating your facility or operation has been reviewed by a TPN Qualified Assessor. The TPN logo is recognized by many content holders but is not a “certification.” Individual business decisions will always be made by your customers based on their needs.
Who recognizes the TPN logo and assessment?
The major Hollywood motion picture studios and many others in the industry participated in the development of this program.
Will content owners still be conducting their own assessments?
The TPN is expected to greatly reduce the number of content owner-initiated and funded assessments. Content owner assessments will continue on an “as-needed” basis.
How does a vendor get their information published in the TPN directory?
Once enrolled in the TPN Platform, the vendor(s) will have their company information, along with any authorized supporting assessment materials, published in the TPN vendor directory.
Who pays for the TPN assessment?
Assessment fees are underwritten by the vendor. Assessment reports are shared within the TPN platform and can also be shared with customers outside the TPN at the vendor’s discretion. Content owners may also opt to pay for individual TPN assessments.
What do I get for my assessment fee?
Your assessment fee gets your facility reviewed by a TPN Qualified Assessor of your choosing, a thorough assessment report with suggested remediations and improvements, and visibility in the vendor roster within the TPN Platform. Additionally, once your assessment has been completed through the TPN, we follow up on remediation items and update your facility data. We also provide an annual assessment certificate and the TPN logo to display to acknowledge participation. TPN will work with you to keep your status current through annual assessments and will provide technology alerts regarding possible vulnerabilities within your own systems.
Who gets to see the TPN Assessment Report?
A TPN Assessment Report will be visible to content owners that are a part of the TPN, as well as our internal quality assurance experts. No other vendors, competitors or otherwise, will be able to see your assessments or any information contained within. Additionally, if you funded your TPN facility assessment you may share your TPN Assessment Report with anyone you wish.
Who are the TPN assessors?
Individual assessors (not audit firms) will undergo a strict review and approval process as to their expertise in securing pre-release, entertainment content. Vendors will hire a Qualified Assessor from the TPN database and will schedule their assessment and manage the process via the secure online platform.
How are TPN Qualified Assessors accredited?
TPN assessors go through a careful screening of their credentials and experience in the industry auditing information security and entertainment assets. There is also a technical test and vetting process for the assessor to gain the accreditation.
What are the criteria (standards) the TPN assessors review my facility against?
The TPN assesses against a set of controls that are specific to your business operations and directly based on the industry-recognized MPA content security best practices.
Does the TPN endorse or recommend vendors?
The TPN does not endorse, recommend, or certify vendors. The TPN provides a unified, consistent framework of assessment recognized by the industry as the benchmark for content security. Upon completion of their TPN assessment, the vendor facility may display the TPN logo to show the world they participate in the TPN and strive for the highest levels of security for their client’s content.
Does the TPN endorse, evaluate, or recommend hardware or software solutions for security?
At this time, the TPN does not evaluate or address specific hardware or software solutions at the product or service level. The TPN is focused on assessments of facilities and workflows that directly handle intellectual property and programming content of creators and title rights holders.