top of page
What is TPN Assessment - the Process
TPN Assessment Audit Process

TPN+ Assessment Process

What is a TPN+ Assessment?

A Trusted Partner Network (TPN+) Assessment is a cybersecurity supply chain audit aimed at service providers (a.k.a. vendors) where your business' Information Security Management System (ISMS) implementation, risk management philosophy, physical security, digital security, cloud security, software development practices, and secure content handling workflows are benchmarked for conformance with the Motion Picture Association (MPA) Content Security Best Practices framework. The assessment process is designed to deliver a comprehensive risk and control treatment report to MPA, CDSA, and ACE member studio content owners including Walt Disney Studios, Sony Pictures, Netflix, Paramount Pictures, Warner Brothers Entertainment, and Universal Pictures detailing your ISMS implementation, approach to risk and business continuity management, framework control implementation, control treatment, and to identify areas of non-conformance for remediation. The need to comply with the MPA Content Security Best Practices is strictly voluntary. TPN+ Assessments are voluntary. TPN+ Assessment is not an accreditation program.

MPA Content Security Best Practices

The MPA Content Security Best Practices (MPA CSBP) is an ISMS control framework derived from and mapped to AICPA TSC 2017, CSA CCM v4.03, ISO/IEC 27001:2022, ISO/IEC 27002:2022, and NIST 800-53 Rev. 5. MPA CSBP are industry-specific and are designed to be of use by any organisation that is engaged in the Media and Entertainment (M&E) industry supply chain. The framework can be used standalone or blended with other ISMS or risk management regimes including ISO/IEC 27001:2022, NIST CSF 1.1, ITIL v4, and COBIT 2019.

Important Update #1 - January 2023: TPN Assessments based on MPA Content Security Best Practices v4.10 has ended

As of January 11, 2023, all new TPN+ Assessments are to be conducted against the new and updated MPA CSBP v5.1. This revised framework supersedes and replaces MPA CSBP v4.10. As part of your ISMS implementation, you should now download the latest control framework, devise a control mapping, determine which controls are applicable to your organisation, and then ensure you complete a risk assessment and risk treatment plan against each applicable control. The new framework can be downloaded via the two links below:

Important Update #2 - February 2023: New TPN+ Membership Program

The TPN has moved to a membership-based subscription model. The new assessment program was launched on February 6, 2023. The assessment program is based on the MPA CSBP v5.0 control framework. The new framework (see links above) incorporates facility, application, cloud, and software development cybersecurity controls. To participate in the program you will need to join the TPN, and then download, complete, and submit a TPN Vendor Membership Enrollment Form. You will then need to submit the form directly to the TPN. Once that is submitted you will need to pay your annual membership fee based on your annual turnover. Once the fee is paid, you will be granted access to the TPN+ Portal where you will complete a self-attestation(a.k.a self-reporting) assessment and upload the necessary documents, policies, procedures, drawings, and other evidence to support your purported cybersecurity posture.

Important Update #3 - February 2023: TPN+ Blue Shield Assessment - Self-Attestation

Once you have joined the TPN as a member, you will complete your self-attestation assessment. Once that is complete, your facility will be able to use the "Blue Shield" to signify participation in the program. You do not need to contact or involve a TPN Accredited Assessor to obtain Blue Shield status. Blue Shield status is valid for 12 months on the proviso you continue to pay your annual membership fee. Please ensure you carefully review the TPN Vendor Membership Enrollment Form to understand the use, requirements, and limitations of Blue Shield.

Important Update #4 - February 2023: TPN+ Gold Shield Assessment - Independently Audited

The next step, should you wish to pursue it, is to obtain "Gold Shield" status. This is where your cybersecurity posture as disclosed as part of the Blue Shield self-attestation process is scoped, assessed, audited, validated, and verified by a TPN Accredited Assessor. You should contact a TPN Accredited Assessor directly in order to obtain a quote to complete a Gold Shield TPN+ Assessment. Under the new program, TPN+ Assessments are conducted directly by a TPN Accredited Assessor against your facility's ISMS posture as disclosed in the TPN+ Portal. All relevant controls found in the MPA CSBP v5.1 will be inspected and validated for conformance by your Assessor. The TPN is no longer involved in the payment process. You will pay the TPN Accredited Assessor directly. Gold Shield TPN+ Assessments must be completed and submitted within 15 business days of agreeing to commence the assessment. Once the assessment is complete and approved by the TPN you will be able to use the Gold Shield to signify that your cybersecurity posture has been independently audited. The onus will be on your business to resolve remediation items in a timely manner. Gold Shield status is valid for 2 years on the proviso you continue to pay your annual membership fee. Please ensure you carefully review the TPN Vendor Membership Enrollment Form to understand the use, requirements, and limitations of Gold Shield. 

Blue Shield Process

TPN+ Blue Shield Process

01. Implement an Information Security Management System

 

The first thing you will need to do is implement an Information Security Management System (ISMS). To get started, download the control framework via the links below:


you will then need to review the framework controls. Assess which controls are relevant to your facility, then complete a risk assessment against each control, and treat each applicable risk based on the control's requirements and implementation guidance. If you have an existing ISMS in place based on another risk management framework (e.g. ISO/IEC 27001:2022) then that can be used instead of the MPA CSBP.

02. Join the TPN and pay the membership fee

 

In order to begin the process to obtain your TPN+ Blue Shield, you must join the TPN. You will be required to review, sign and submit the TPN Membership Form and Enrollment Agreement to the TPN. You will then be required to pay the annual membership fee. Once payment is received, your company account will be unlocked in the TPN+ Portal, and you will be granted Blue Shield publishing status. Gold Member Content Owners will now be able to access your security status via the TPN+ Portal. 

03. Complete your Company Profile

 

Once you have access to the TPN+ Portal, you will be able to complete your Company Profile. This involves adding sites, services, ISMS certifications, and supplying other baseline company profile information.

04. Complete TPN Best Practices Questionnaire

 

You will now proceed to complete a Site or Application TPN Best Practices Questionnaire. This involves you answering a series of questions in relation to each control present in the MPA CSBP. Each question will ask you explicitly how you have treated each relevant control.

Confidential Information Disclosure Warning

The TPN+ Portal allows you to upload evidence (e.g. certifications, organisational structure, policy documents, training records, network diagrams, etc.) to support each control treatment claim. Any information that you upload to the TPN+ Portal will not be reviewed or verified as part of your Blue Shield self-attestation. The dissemination of any business confidential information should be subject to your business's information protection requirements and information lifecycle requirements. We strongly recommend you do not upload any confidential information to the TPN+ Portal if you are only intending to complete Blue Shield status. The reason for this is simple: if the TPN+ Portal is breached, your confidential information may be lost and misused. If you are intending to complete the Gold Shield status then liaise with your TPN Assessor first and ask them how you should disclose confidential information in order to complete the Gold Shield assessment and control implementation verification.

05. TPN+ Blue Shield status granted

 

Once the questionnaire is complete, you can publish the questionnaire. At that point, you will be granted Blue Shield status. You can now optionally move on to obtaining Gold Shield status.

Gold Shield Process

TPN+ Gold Shield Process

01. Complete the TPN+ Blue Shield process

 

You must complete the TPN+ Blue Shield process prior to attempting to obtain TPN+ Gold Shield status. So scroll up and review the TPN+ Blue Shield process. Once you have TPN+ Blue Shield status you can then obtain TPN+ Gold Shield status.

02. Choose a TPN Accredited Assessor

 

TPN+ Gold Shield requires you to have your company's ISMS implementation audited independently by a TPN Accredited Assessor. You will be able to choose an assessor via the TPN+ Portal.

03. Assessment quote and TPN Accredited Assessor vetting

 

Once you have chosen a TPN Accredited Assessor (Assessor) and that Assessor has agreed to complete your audit, you will now begin the process of collaborating with the Assessor to perform the audit. Initially, you should request a quote for the assessment. Payment for assessment is made directly to the Assessor and not the TPN. So ensure your Assessor provides you with a master services agreement (or equivalent), confidentiality agreement, and quote, ideally from an incorporated entity (e.g. Australian Pty Ltd) with a verifiable entity ID (e.g. Australian ACN or ABN) managed by individuals with the necessary accreditations that have had their identity verified (e.g. Australian Company Director ID). Ensure the quote has the necessary taxes (e.g. GST) applied if the service is delivered onshore by the Assessor (e.g. delivery of assessment in Australia by an Australian-based Assessor).

 

The TPN fully vets Assessors prior to granting them TPN Accredited Assessor status. However, we recommend, as part of any cybersecurity engagement, that you complete a background check on your Assessor, based on the requirements of your ISMS, prior to supplying them with any of your company's confidential information. Ensure your Assessor provides the necessary evidence to allow you to verify whether they are actually accredited by the TPN, can legally operate in your jurisdiction, are suitably insured, and have the necessary certifications and skills to provide advice and complete your assessment based on your company type (e.g. physical facility, IaaS provider, PaaS provider, SaaS provider, hyper scaler, etc.) and your workflows (e.g. VFX, post-production, subtitle and dubbing, replication, asset management, etc.). If the Assessor is to complete an onsite assessment you should fully verify their identity prior to allowing them access to your facility (e.g. via Zoom or Teams meeting before they arrive on site).

04. Pre-Assessment collaboration

 

Your Assessor should now have agreed to complete the assessment. You should now collaborate with your Assessor to review the TPN Best Practices questionnaire and any evidence that you have supplied. At this point, you can still update questionnaire answers based on discussions with your Assessor.

05. Perform the assessment

 

Once you have finished the collaboration phase, you can then commence the assessment proper. Your questions in the questionnaire will be locked and no longer modifiable. You have 15 business days to perform and submit the assessment. Your Assessor must submit findings and remediations within 15 business days.

06. Quality assurance and report publishing

 

Once the Assessment report is submitted, it will now be reviewed and quality assured by the TPN. If there are any issues, then you or the Assessor will be notified and required to correct the Assessment report. Once the Assessment report is approved it will be published and marked as complete.

07. TPN+ Gold Shield status granted

Once the Assessment report is published, you will then receive Gold Shield status. Under the TPN+ program certificates are no longer issued. However, you will be able to download your report and your report will be able for viewing by MPA, CDSA, and ACE member studio content security teams subscribed as Gold Member Content Owners to the platform.

08. Remediation Item Resolution

You will be required to provide evidence and updates via the TPN+ Portal to ensure you have treated any risk in relation to any remediation items discovered by your Assessor against any specific control. Hence, you will need to get to work resolving remediation items. Gold Member Content Owners may contact you to prioritise the resolution of remediation items. 

Re-Assessment Process

Re-Assessment Process

01. Re-Assessment

 

TPN+ Blue Shield status is valid for 12 months. TPN+ Gold Shield status is valid for 24 months from the date the Assessment report was published. Hence, you will then need to complete a TPN+ Blue Shield self-attestation assessment every 12 months. You will need to complete a TPN Gold Shield independently audited assessment and control validation every 24 months. You will need to continue paying your TPN membership fee in order for your TPN+ Blue Shield and / or TPN+ Gold Shield status to remain active. If you have any questions regarding assessment or re-assessment please contact the TPN directly.

Have questions?
bottom of page