TPN Assessment Process
The Motion Picture Association (MPA) Content Security Best Practices Common Guidelines (CSBP-CG) is an Information Security Management System (ISMS) framework derived from ISO/IEC 27002-2013 and NIST 800-53. The CSBP-CG is industry specific and designed to be of use by any organisation that is engaged in the Media and Entertainment Industry. The framework can be used standalone or in conjunction with other ISMS or risk management regime such as the ISO/IEC 27000 family, ITIL and COBIT.
A Trusted Partner Network (TPN) Assessment is a cybersecurity audit where your ISMS implementation (i.e. management system, physical security and digital security) and corresponding content handling workflows are benchmarked for conformance with the CSBP-CG by an Accredited TPN Assessor. The assessment process is designed to deliver a comprehensive report to MPA, CDSA and ACE member studio content owners detailing your ISMS implementation, approach to risk and business continuity management, control implementation and treatment and to detail areas of non-conformance for remediation in the future. The need to comply with the CSBP-CG is voluntary. The TPN Assessment Process is not an accreditation program. The steps below outline the pre-assessment process, assessment process and re-assessment process. If you have any questions or concerns regarding the assessment process then please contact us.
Preparing for Assessment
5. Send Quote and Agreement to the TPN
Once you have signed the Security Assessment Agreement we will send both documents to the TPN for processing. This can occur prior to you completing the TPN Assessment Initial and Extended Questionnaires in the next step.
6. Complete TPN Assessment Initial and Extended Questionnaires
Once your TPN Vendor Assessment Request in Step 2 has been fulfilled, you will need to complete the initial and extended questionnaires via the TPN Vendor Portal.
7. Choose Your TPN Accredited Assessor
Once you have completed the questionnaires you can choose the TPN Assessor via the TPN Vendor Portal. Please choose your Assessor. Your assessor should match the assessor that was specified on the Security Assessment Agreement.
8. Receive Executed Security Assessment Agreement and Invoice from the TPN
You will receive a copy of the fully executed Security Assessment Agreement and an invoice directly from the TPN. This can take around 2-5 business days.
9. Pay the TPN for the Assessment
Once you have received the invoice, you will need to pay the TPN for the assessment. You can wire transfer the funds or use an international money transfer service. You do not pay Groundwire Security. Once payment is received by the TPN, your assessment will be ungated and released to your Assessor.
1. Schedule the Assessment
Once Agreement is signed and payment is received by TPN, your assessor will schedule a kickoff meeting and the onsite assessment date or remote assessment date. Your assessor will also submit a materials request to you.
2. Materials Request Preparation and Assessment
Prepare your assessment materials as directed by your assessor. Your assessor will then visit your facility to complete and onsite assessment or complete the remote assessment interviews with your via your preferred video conferencing method (e.g. Teams, Zoom).
3. Draft Report Submission to the TPN
Once your assessor has completed the onsite or remote assessment, they will write a draft assessment report. Your assessor will submit the draft assessment report to the TPN. This typically takes 10 business days but may take longer if additional information is requested.
4. Draft Report Release and Review
The draft report will be released to you for review via the TPN Vendor Portal. You will work with your assessor to ensure the report is accurate and correct any inaccuracies or invalid remediation items as necessary.
5. Final Report Submission
Once you approve the draft report, your assessor will submit the report to the TPN for final quality assurance.
6. Final Quality Assurance and Publishing
The TPN's Audit Team in California will then review, quality assure and publish your report. The quality assurance process can take up to 10 business days.
7. Assessment Process Completion
Once the report is published, you will receive your assessment certificate, feedback questionnaire and TPN logos. Please refer to the style guide in relation to TPN logo use. Your report will be made available to all MPA and CDSA member studio content owners including Disney, Warner Brothers, Sony, Paramount, Bad Robot, Amazon, HBO and Marvel.
8. Remediation Items
You will then get to work resolving remediation items. Submit remediation items evidence for review by the TPN Audit Team in California via the TPN Vendor Portal. Once you have completed / closed off all remediation items you will be required to complete the quarterly check-in.
Your assessment is normally valid for 12-months from the date the report was published. You will then need to be re-assessed. To commence the re-assessment process, go to Step 2 of the Preparing for Assessment Process above.
The TPN has extended the validity of assessments in 2021 by 3 months (90-days). This applies to:
Assessments due for renewal in 2021
Assessments currently in progress in 2021
Assessments that have completed in 2021.
The TPN will add the extension at the 12-month anniversary date of your assessment. Please contact the TPN directly to re-confirm your assessment expiry date, confirm your extended expiry date, and have your program participation certificate re-issued with the new validity date.