TPN Assessment Process
What is a TPN Assessment?
A Trusted Partner Network (TPN) Assessment is a cybersecurity supply chain audit aimed at service providers (a.k.a. vendors). It benchmarks your business's Information Security Management System (ISMS) implementation, risk management philosophy, physical security, digital security, cloud security, secure software development practices, and secure content handling workflows for conformance with the Motion Picture Association (MPA) Content Security Best Practices cybersecurity framework. The assessment process is designed to deliver a comprehensive risk and control treatment report to MPA, CDSA, and ACE member studio content owners, including Walt Disney Studios, Sony Pictures, Netflix, Paramount Pictures, Warner Brothers Entertainment, and Universal Pictures. The report details your ISMS implementation, your approach to risk and business continuity management, your framework control implementation and control treatment, and identifies areas of non-conformance and unacceptable risk that need to be remediated. Compliance with the MPA Content Security Best Practices is strictly voluntary, and so are TPN Assessments. The TPN Assessment is not an accreditation program.
MPA Content Security Best Practices
The MPA Content Security Best Practices (MPA CSBP) is an ISMS control framework derived from and mapped to AICPA TSC 2017, CSA CCM v4.03, ISO/IEC 27001:2022, ISO/IEC 27002:2022, and NIST SP 800-53 Rev. 5. MPA CSBP is industry-specific and is designed for use by any organisation engaged in the Media and Entertainment (M&E) industry supply chain. The framework can be used standalone or blended with other international and regional ISMS / risk governance and management regimes, including ISO/IEC 27001:2022, NIST CSF 1.1 or 2.0, ISACA COBIT, CIS Controls v8 (the 18 controls), Australian Signals Directorate Essential Eight and Information Security Manual, and Japan NISC Common Standards FY2021.
TPN Assessments based on MPA CSBP v5.2 Control Framework
All TPN Assessments are conducted against MPA CSBP v5.2, which supersedes MPA CSBP v4.10. As part of your ISMS implementation, download the latest version of the control framework, devise a control mapping, determine which controls apply to your organisation, and then complete a risk assessment and risk treatment plan against each applicable control.
TPN+ Membership Program
The TPN offers a membership-based subscription model. The current assessment program was launched on February 6, 2023 and is based on the MPA CSBP v5.2 control framework, which (see above) incorporates facility, application, cloud, and software development cybersecurity controls. To participate, you will need to join the TPN, then download, complete, and submit a TPN Vendor Membership Enrollment Form directly to the TPN. You will then need to pay the annual membership fee, which is tiered by your annual turnover. Once the fee is paid, you will be granted access to the TPN+ Portal, where you manage and complete Blue Shield and Gold Shield TPN Assessments.
Annual TPN Blue Shield Self-Attestation Cybersecurity Assessment
Once you have joined the TPN as a member, you complete your Blue Shield self-attestation assessment, optionally uploading documents, policies, procedures, drawings, and other evidence to support your declared cybersecurity posture. Once that is complete, your facility may use the "Blue Shield" to signify participation in the program. You do not need to contact or involve a TPN Accredited Assessor to obtain Blue Shield status. Blue Shield status is valid for 12 months, provided you continue to pay your annual membership fee. Carefully review the TPN Vendor Membership Enrollment Form to understand the use, requirements, and limitations of the Blue Shield.
Biennial TPN Gold Shield Independently Audited Cybersecurity Assessment
The next step, should you wish to pursue it, is to obtain Gold Shield status. This is where the cybersecurity posture you disclosed in the Blue Shield self-attestation is scoped, audited, and verified by a TPN Accredited Assessor. Contact a TPN Accredited Assessor directly to obtain a quote for a Gold Shield TPN Assessment. Under the program, the Assessor conducts the assessment directly against your facility's ISMS posture as disclosed in the TPN+ Portal, and every relevant control in MPA CSBP v5.2 is inspected and validated for conformance. The TPN is no longer involved in the payment process; you pay the TPN Accredited Assessor directly. Gold Shield TPN Assessments must be conducted, completed, and submitted within 15 business days of agreeing to commence the assessment. Once the assessment is complete and approved by the TPN, you may use the Gold Shield to signify that your cybersecurity posture has been independently vetted. The onus is on your business to resolve remediation items promptly. Gold Shield status is valid for 2 years, provided you continue to pay your annual membership fee. Carefully review the TPN Vendor Membership Enrollment Form to understand the use, requirements, and limitations of the Gold Shield.
TPN Blue Shield Process
01. Implement an Information Security Management System
The first thing you will need to do is implement an Information Security Management System (ISMS). To get started, download the control framework via the links below:
You will then need to review the framework controls. Assess which controls are relevant to your facility, complete a risk assessment against each applicable control, and treat each risk based on the control's requirements and implementation guidance. If you already operate an ISMS based on another risk management framework (e.g. ISO/IEC 27001:2022), it can remain the basis of your ISMS; note, however, that the TPN Assessment itself is still conducted against MPA CSBP v5.2, so you will need a mapping from your existing controls to the MPA CSBP controls.
02. Join the TPN and pay the membership fee
In order to begin the process to obtain your TPN Blue Shield, you must join the TPN. You will be required to review, sign and submit the TPN Membership Form and Enrollment Agreement to the TPN. You will then be required to pay the annual membership fee. Once payment is received, your company account will be unlocked in the TPN+ Portal, and you will be granted Blue Shield publishing status. Gold Member Content Owners will now be able to access your security status via the TPN+ Portal.
03. Complete your Company Profile
Once you have access to the TPN+ Portal, you will be able to complete your Company Profile. This involves adding sites, services, ISMS certifications, and completing the Site Baseline Questionnaire.
04. Complete TPN Best Practices Questionnaire
You will now proceed to complete a Site or Cloud TPN Best Practices Questionnaire. This involves you answering a series of questions about each control present in the MPA CSBP. Each question will ask you explicitly how you have treated each relevant control.
Confidential Information Disclosure
The TPN+ Portal allows you to upload evidence (e.g. certifications, organisational structure, policy documents, training records, network diagrams, etc.) to support each control treatment claim. Note that nothing you upload to the TPN+ Portal is reviewed or verified as part of your Blue Shield self-attestation, so for Blue Shield purposes an upload adds exposure without adding assurance. The dissemination of any business confidential information should be subject to your business's information protection and information lifecycle requirements. MPA CSBP OR-1.3 requires you to classify, protect, and handle data and assets; MPA CSBP OR-2.0 requires you to apply the principles of confidentiality, integrity, and availability as part of your risk management program. Conduct an internal risk assessment before disseminating confidential information in any form. We therefore recommend that you do not upload confidential information to the TPN+ Portal if you only intend to obtain Blue Shield status: if the TPN+ Portal is breached, your confidential information (network diagrams in particular) could be exposed and misused. If you intend to pursue Gold Shield status, liaise with your TPN Assessor first and ask how you should disclose confidential information for the Gold Shield assessment and control implementation verification.
05. TPN Blue Shield status granted
Once the questionnaire is complete, you can publish the questionnaire. At that point, you will be granted Blue Shield status. You can now optionally move on to obtaining Gold Shield status.
TPN Gold Shield Process
01. Complete the TPN Blue Shield process
You must complete the TPN Blue Shield process prior to attempting to obtain TPN Gold Shield status. So scroll up and review the TPN Blue Shield process. Once you have TPN Blue Shield status you can then obtain TPN Gold Shield status.
02. Choose a TPN Accredited Assessor
TPN Gold Shield requires you to have your company's ISMS implementation audited independently by a TPN Accredited Assessor. You will be able to choose an assessor via the TPN+ Portal.
03. Assessment quote and TPN Accredited Assessor vetting
Once you have chosen a TPN Accredited Assessor (Assessor) and that Assessor has agreed to complete your audit, you begin collaborating with the Assessor to perform it. First, request a quote for the assessment. Payment for the assessment is made directly to the Assessor, not the TPN. Ensure your Assessor provides you with a master services agreement (or equivalent), a confidentiality agreement, and a quote, ideally from an incorporated entity (e.g. an Australian Pty Ltd) with a verifiable entity ID (e.g. an Australian ACN or ABN), managed by individuals who hold the necessary accreditations and whose identity has been verified (e.g. an Australian Company Director ID). Ensure the quote applies the necessary taxes (e.g. GST) if the service is delivered onshore by the Assessor (e.g. an assessment delivered in Australia by an Australian-based Assessor).
The TPN fully vets Assessors prior to granting them TPN Accredited Assessor status. Nevertheless, as with any cybersecurity engagement, we recommend that you complete a background check on your Assessor, based on the requirements of your ISMS, before supplying them with any of your company's confidential information. Ensure your Assessor provides the evidence you need to verify that they are actually accredited by the TPN, can legally operate in your jurisdiction, are suitably insured, and hold the certifications and skills required to advise on and complete your assessment for your company type (e.g. physical facility, IaaS provider, PaaS provider, SaaS provider, hyperscaler, etc.) and your workflows (e.g. VFX, post-production, subtitling and dubbing, replication, asset management, etc.). If the Assessor will conduct an onsite assessment, fully verify their identity before granting them access to your facility (e.g. via a Zoom or Teams meeting before they arrive on site).
04. Pre-Assessment collaboration
Your Assessor should now have agreed to complete the assessment. You should now collaborate with your Assessor to review the TPN Best Practices questionnaire and any evidence that you have supplied. At this point, you can still update questionnaire answers based on discussions with your Assessor.
05. Perform the assessment
Once you have finished the collaboration phase, the assessment proper commences. Your questionnaire answers are locked and can no longer be modified. From that point, the assessment must be performed and submitted within 15 business days, including the Assessor's findings and remediation items.
06. Quality assurance and report publishing
Once the Assessment report is submitted, it is reviewed and quality assured by the TPN. If there are any issues, you or the Assessor will be notified and required to correct the Assessment report. Once the report is approved, it is published and marked as complete.
07. TPN Gold Shield status granted
Once the Assessment report is published, you receive Gold Shield status. Under the current TPN program, certificates are no longer issued. However, you will be able to download your report, and it will be available for viewing by the MPA, CDSA, and ACE member studio content security teams subscribed to the platform as Gold Member Content Owners.
08. Remediation Item Resolution
You will be required to provide evidence and updates via the TPN+ Portal to ensure you have treated any risk in relation to any remediation items discovered by your Assessor against any specific control. Hence, you will need to get to work resolving remediation items. Gold Member Content Owners may contact you to prioritise the resolution of remediation items.
TPN Blue Shield status is valid for 12 months. TPN Gold Shield status is valid for 24 months from the date the Assessment report was published. You therefore need to complete a TPN Blue Shield self-attestation assessment every 12 months, and a TPN Gold Shield independently audited assessment and control validation every 24 months. You must also continue paying your TPN membership fee for your TPN Blue Shield and / or TPN Gold Shield status to remain active. Starting from a 2023 Gold Shield, the cadence is as follows:
2023: Blue Shield + Gold Shield
2024: Blue Shield
2025: Blue Shield + Gold Shield
2026: Blue Shield
If you have any questions regarding assessment or re-assessment please contact the TPN directly.