What is a TPN+ Assessment?
TPN: An Introduction
The Trusted Partner Network (TPN) is a global, industry-wide movie, film, television, broadcast, and game cybersecurity content protection initiative. The TPN helps service providers prevent leaks, breaches, and hacks of their customers’ movies and television shows prior to their intended release date and seeks to raise security awareness, preparedness and capabilities within the industry.
MPA Content Security Best Practices
The MPA Content Security Best Practices (MPA CSBP) is an Information Security Management System (ISMS) control framework derived from and mapped to AICPA TSC 2017, CSA CCM v4.03, ISO/IEC 27001:2022, ISO/IEC 27002:2022, and NIST 800-53 Rev. 5. MPA CSBP is industry-specific and is designed for use by any organisation that is engaged in the Media and Entertainment (M&E) industry supply chain. The framework can be used standalone or blended with other ISMS or risk management regimes including ISO/IEC 27001:2022, NIST CSF 1.1, ITIL v4, and COBIT 2019.
A TPN+ Assessment is a cybersecurity supply chain audit aimed at service providers (a.k.a. vendors) in which your business' ISMS implementation, risk management philosophy, physical security, digital security, cloud security, software development practices, and secure content handling workflows are benchmarked for conformance with the MPA CSBP. The assessment process is designed to deliver a comprehensive risk and control treatment report to MPA, CDSA, and ACE member studio content owners including Walt Disney Studios, Sony Pictures, Netflix, Paramount Pictures, Warner Brothers Entertainment, and Universal Pictures. The report details your ISMS implementation, approach to risk and business continuity management, framework control implementation, and control treatment, and identifies areas of non-conformance for remediation. Compliance with the MPA CSBP is strictly voluntary. TPN+ Assessments are voluntary. TPN+ is not an accreditation program.
Who needs a TPN+ Assessment and how does it help my business get work?
If your business intends to bid or work on any movie, film, TV, broadcast, or game projects that are offered by an MPA, CDSA or ACE member studio then you will generally be required to undertake a cybersecurity assessment. Cybersecurity assessments are often conducted directly by the studios themselves. This might be sufficient for your business compliance needs if you only intend to work for one studio. Alternatively, your business can join the TPN and complete a cybersecurity assessment independent of the studio's content security programs. The advantage of this is that TPN+ Assessments are recognised industry-wide, by all content owners and other service providers participating in the M&E supply chain. Once you have joined the TPN, you can commit to undertaking a TPN+ Blue Shield self-attestation assessment. Once that is complete you can then commit to completing a TPN+ Gold Shield assessment which is conducted by an independent third-party TPN Assessor. The completion of Blue Shield and optionally Gold Shield assessments shows that your business has a demonstrable cybersecurity posture and is committed to secure content handling workflows that meet M&E industry best practices. The upshot of this is that it will be dramatically easier for your business to bid successfully on projects as one of the key barriers to entry (i.e. the implementation of a working cybersecurity program) has been removed. This in turn provides a level of confidence to your clients and content owners that not only are you likely to deliver exemplary work, but their content is safe and unlikely to be leaked, lost, or stolen. To get started and to assist you in navigating the process please ensure you review the TPN+ Assessment Process that we have put together. If you require further assistance, please contact us.
How can we help?
We can help you prepare for assessment to ensure your business meets ISO 27001 or MPA Content Security Best Practices with our Readiness and Gap Analysis.
TPN+ Gold Assessment
Onsite and remote TPN+ and ISO/IEC 27001 assessment & audit, in which one of our Accredited Assessors audits your facility or organisation.
How are we different and why choose us?
Our auditors are industry veterans who have worked on multiple shows and have the screen credits to prove it. We intimately understand the cybersecurity risks involved in operating a facility and handling vendor content. We can work with you to implement an ISMS that is designed to reduce the exposure of your business to cybersecurity breach and content theft or loss.
TPN - Trusted Partner Network
Frequently Asked Questions
What vendors should join the TPN - Trusted Partner Network?
Joining the TPN is voluntary; however, every vendor – large and small – that believes that security is a core business principle of their organization should join the TPN.
Do I have to have a TPN assessment to do business with a content creator?
No. Joining the TPN is voluntary. Individual content creators can always decide who to do business with depending on the type of project and their own risk management strategies. The TPN program demonstrates to content holders that a vendor facility takes content security seriously and ensures its protection.
Why should I consider a TPN assessment?
The TPN has been developed to help the industry improve content security, avoid duplicative assessments, and provide content owners with a unified platform for recognizing levels of conformance to the MPA’s content security best practices.
How do I prepare for an assessment?
There are a variety of ways to prepare for an assessment. Downloading a free copy of the MPA content security best practices is a great way to start. If you aren’t sure about how to implement controls or need other assistance, there are also TPN Assessors that may be able to help you with consultative work. Please remember that if you select a TPN assessor to aid in either preparation or remediation work, that assessor cannot be the same person providing your TPN assessment.
How do I get TPN assessed?
Participating in the TPN is voluntary and very straightforward. Simply follow the steps to begin the process.
How much does a TPN assessment cost?
The cost of an assessment is negotiated, on a case-by-case basis, between the TPN Accredited Assessor and the vendor making the assessment request.
What types of facilities are assessed?
Currently, the TPN is available to provide assessments of most production, post-production, and distribution operations throughout the entertainment supply chain. Your facility’s specific services will be determined and addressed during the TPN assessment process.
How frequent are the TPN+ Assessments?
Due to the dynamic nature of the content security landscape, and the ongoing development and refinement of security controls, TPN Blue Shield assessments renew annually. Gold Shield assessments renew every two years.
Can I “fail” a TPN+ Assessment?
The TPN assessment does not provide a “pass/fail” grade, certification, or rating. It provides an assessment of a facility’s security preparedness for conformance with the MPA Content Security Best Practices. If an assessment indicates non-conformance with a control or practice, necessary remediation may need to be undertaken. The service provider may need to provide evidence of their remediation to the TPN or content owner. The TPN also has a formal review and submission process for any assessment disputes. Assessors are regularly measured and evaluated through the TPN Accredited Assessor Program.
Does the TPN+ Assessment substitute for ISO or other standards bodies?
The TPN+ Assessment is designed to be the benchmark for the film and television industry’s handling of content across all phases of the supply chain. It is based on the widely recognized MPA Content Security Best Practices. TPN+ Assessment is not a substitute for ISO or other standards bodies not specific to our industry.
What are the benefits to service providers in the TPN+ program?
The TPN program will provide a number of benefits to service providers, including:
Reduce the number of assessments conducted at each facility annually.
Reduce the number of different controls used by various content owners.
Create competitive, market-driven assessment pricing.
Accelerate assessment report turn-around.
Offer controls that are specific to the needs and workflows of specific vendor types.
Assist in identifying vulnerabilities and communicate remediation through the TPN+ Platform.
Allow vendors to promote their security preparedness.
If I have multiple facilities or locations how do I get assessed?
Each facility is considered a separate operation for the purposes of an assessment. Please complete the general questions for the locations you wish to have evaluated on the TPN+ Platform and individual assessments can be arranged.
Is the TPN international, and if so, where does the TPN perform assessments?
The TPN plans to serve the international community with assessors available to address facilities in most geographic regions of the world.
Does the TPN certify my facility and operations?
Completing an annual TPN+ Assessment allows you to display the TPN Blue Shield or Gold Shield logo to indicate your facility or operation has been reviewed by a TPN Accredited Assessor. The logos are recognised by many content owners, but they are not a “certification.” Individual business decisions will always be made by your customers based on their needs.
Who recognizes the TPN+ logos and assessment?
The major Hollywood motion picture studios and many others in the industry participated in the development of this program.
Will content owners still be conducting their own assessments?
The TPN is expected to greatly reduce the number of content owner-initiated and funded assessments. Content owner assessments will continue on an “as-needed” basis.
How does a vendor get their information published in the TPN directory?
Once enrolled in the TPN+ Platform, the vendor(s) will have their company information, along with any authorized supporting assessment materials, published in the TPN+ Vendor Directory.
Who pays for a TPN+ Assessment?
Assessment fees are underwritten by the vendor. Assessment reports are shared within the TPN+ Platform and can also be shared with customers outside the TPN at the vendor’s discretion. Content owners may also opt to pay for individual TPN+ Assessments.
What do I get for my assessment fee?
Your assessment fee gets your facility reviewed by a TPN Accredited Assessor of your choosing, a thorough assessment report with suggested remediations and improvements, and visibility in the vendor roster within the TPN+ Platform. Additionally, once your assessment has been completed through the TPN, the TPN will follow up on remediation items and update your facility data. The TPN also provides logos for display to acknowledge participation. TPN will work with you to keep your status current through annual assessments and will provide technology alerts regarding possible vulnerabilities within your own systems.
Who gets to see the TPN+ Assessment Report?
A TPN+ Assessment Report will be visible to content owners that are a part of the TPN, as well as our internal quality assurance experts. No other vendors, competitors or otherwise, will be able to see your assessments or any information contained within. Additionally, if you funded your TPN facility assessment you may share your TPN+ Assessment Report with anyone you wish.
Who are the TPN Assessors?
Individual assessors (not audit firms) undergo a strict review and approval process as to their expertise in securing pre-release entertainment content. Vendors will hire an Accredited TPN Assessor from the TPN database and will schedule their assessment and manage the process via the secure online platform.
How are TPN Accredited Assessors qualified?
TPN assessors go through a careful screening of their credentials and experience in the industry auditing information security and entertainment assets. There is also a technical test and vetting process for the assessor to gain accreditation.
What are the criteria (standards) the TPN Assessors review my facility against?
The TPN assesses against a set of controls specific to your business operations and is directly based on the industry-recognized MPA Content Security Best Practices.
Does the TPN endorse or recommend vendors?
The TPN does not endorse, recommend, or certify vendors. The TPN provides a unified, consistent framework of assessment recognized by the industry as the benchmark for content security. Upon completion of their TPN assessment, the vendor facility may display the TPN logo to show the world they participate in the TPN and strive for the highest levels of security for their clients’ content.
Does the TPN endorse, evaluate, or recommend hardware or software solutions for security?
At this time, the TPN does not evaluate or address specific hardware or software solutions at the product or service level. The TPN is focused on assessments of facilities and workflows that directly handle intellectual property and programming content of creators and title rights holders.