TPN Assessment Process
What is TPN Assessment?
A Trusted Partner Network (TPN) Assessment is a cybersecurity supply-chain audit aimed at vendors (a.k.a. service providers) where your business' ISMS implementation (i.e. management system, physical security, and digital security) and corresponding content handling workflows are benchmarked for conformance with the MPA Content Security Best Practices Common Guidelines by an Accredited TPN Assessor. The assessment process is designed to deliver a comprehensive report to MPA, CDSA, and ACE member studio content owners including Walt Disney Studios, Netflix, Sony Pictures, Paramount Pictures, Warner Brothers and Universal Pictures detailing your ISMS implementation, approach to risk and business continuity management, control implementation and treatment and to detail areas of non-conformance for remediation in the future. The need to comply with the MPA Content Security Best Practices Common Guidelines is voluntary. TPN Assessment is not an accreditation program.
Important Update #1 - September 2022: TPN Assessment 2023 Submission Deadline
TPN Assessments and related audit reports that are undertaken against the MPA Content Security Best Practices v4.10 framework must be submitted to the TPN for quality assurance (QC) review no later than January 11, 2023. If you are working to complete your assessment, contact your TPN Assessor to ensure they are on track to submit your report for final QC and publishing no later than January 11, 2023. There are no exceptions to this deadline.
Important Update #2 - October 2022: The TPN Assessment process is changing
The TPN is moving to a membership-based model. The assessment program will be based on the MPA Content Security Best Practices v5.0 control framework. This framework incorporates facility, application, and cloud cybersecurity controls. As part of the revised program, vendors will be offered self-reporting mechanisms in preference to being audited by a TPN Assessor. You will not need to seek the services of a TPN Assessor to obtain membership or complete the self-reporting. The TPN will issue you with a "Blue Trademark" badge to demonstrate your participation in the program. You, as a vendor, can optionally request to be audited by a TPN Assessor in order to obtain a "Gold Trademark" badge to demonstrate that your ISMS implementation has been verified to conform with the new control framework. For more information regarding membership details and requirements please ensure you carefully review the TPN FAQs, review the TPN Vendor Membership Enrollment Form, or contact the TPN directly. TPN Assessments that are verified against the new control framework will commence in early 2023.
MPA Best Practices: Common Guidelines
The Motion Picture Association (MPA) Content Security Best Practices Common Guidelines (CSBP-CG) is an Information Security Management System (ISMS) framework derived from ISO/IEC 27001, ISO/IEC 27002, and NIST 800-53. The MPA Content Security Best Practices Common Guidelines are industry-specific and designed to be of use by any organisation that is engaged in the Media and Entertainment Industry (M&E). The framework can be used standalone or blended with other ISMS or risk management regimes such as the ISO/IEC 27000 family, ITIL and COBIT.
TPN Assessment Process
Once you are ready for your TPN Assessment, please see below the start the assessment process, assessment process and re-assessment process. We can also assist you with getting prepared for a scheduled TPN Assessment so contact us for a free 30 minute consultation. TPN Assessments can take up to 90-days to complete.
Start the Assessment Process
01. Understand the TPN Assessment Process
Please familiarise yourself with the TPN Assessment Process, the MPA Content Security Best Practices and this assessment process.
02. Request TPN Assessment or TPN Re-Assessment
In order to get your facility assessed or re-assessed, you MUST complete the TPN's Vendor Assessment Request Form.
03. Get a Quote For Your Assessment
Please complete our Pre-Assessment Questionnaire. Once that's done we will send you a quote to assess your facility.
04. Review & Sign the Security Assessment Agreement
Once you have received, reviewed and approved our quote we will send you the Security Assessment Agreement to review and sign.
05. Send Quote and Agreement to the TPN
Once you have signed the Security Assessment Agreement we will send both documents to the TPN for processing. This can occur prior to you completing the TPN Assessment Initial and Extended Questionnaires in the next step.
06. Complete TPN Assessment Initial and Extended Questionnaires
Once your TPN Vendor Assessment Request in Step 2 has been fulfilled, you will need to complete the initial and extended questionnaires via the TPN Vendor Portal.
07. Choose Your TPN Accredited Assessor
Once you have completed the questionnaires you can choose the TPN Assessor via the TPN Vendor Portal. Please choose your Assessor. Your assessor should match the assessor that was specified on the Security Assessment Agreement.
08. Receive Executed Security Assessment Agreement and Invoice from the TPN
You will receive a copy of the fully executed Security Assessment Agreement and an invoice directly from the TPN. This can take around 2-5 business days.
09. Pay the TPN for the Assessment
Once you have received the invoice, you will need to pay the TPN for the assessment. You can wire transfer the funds or use an International money transfer service. You do not pay Groundwire Security. Once payment is received by the TPN, your assessment will be ungated and released to your Assessor.
The TPN Assessment
10. Schedule the Kickoff Meeting and Assessment
Once Agreement is signed and payment is received by TPN, your assessor will schedule a kickoff meeting and the onsite assessment date or remote assessment date. Your assessor will also submit a materials request to you.
11. Materials Request Preparation and Assessment
Prepare your assessment materials as directed by your assessor. Your assessor will then visit your facility to complete and onsite assessment or complete the remote assessment interviews with your via your preferred video conferencing method (e.g. Teams, Zoom).
12. Assessment and Draft Report Submission to the TPN
Once your assessor has completed the onsite or remote assessment, they will write a draft assessment report. Your assessor will submit the draft assessment report to the TPN. This typically takes 10 business days but may take longer if additional information is requested.
13. Draft Report Release and Review
The draft report will be released to you for review via the TPN Vendor Portal. You will work with your assessor to ensure the report is accurate and correct any inaccuracies or invalid remediation items as necessary.
14. Final Report Submission
Once you approve the draft report, your assessor will submit the report to the TPN for final quality assurance.
15. Final Quality Assurance and Publishing
The TPN's Audit Team in California will then review, quality assure and publish your report. The quality assurance process can take up to 10 business days.
16. Assessment Process Completion
Once the report is published, you will receive your assessment certificate, feedback questionnaire, and TPN logos. Please refer to the style guide in relation to TPN logo use. Your report will be made available to all MPA, CDSA, and ACE member studio content security teams.
17. Remediation Items
You will then get to work resolving remediation items. Submit remediation items evidence for review by the TPN Audit Team in California via the TPN Vendor Portal. Once you have completed / closed off all remediation items you will be required to complete the quarterly check-in.
Re-Assessment Process
18. Re-Assessment
Your assessment is valid for 12-months from the date the report was published. You will then need to be re-assessed. To commence the re-assessment process, go to Step 02 of the Preparing for Assessment Process above.
The TPN has extended the validity of 2021 assessments by 3 months (90-days) as follows:
-
Assessments that commenced in 2021
-
Assessments that completed in 2021 from March onward.
Please contact the TPN directly to re-confirm your assessment expiry date, confirm your extended expiry date, and have your program participation certificate re-issued with the new validity date.