The end goal of the Trusted Partner Network (TPN) — the industrywide content security initiative launched by the Motion Picture Association of America (MPAA) and the Content Delivery & Security Association (CDSA) — sounds simple: increase the security of pre-release content by better vetting the vendors content owners work with.
But it’s been years in the making, according to TPN’s top executives, and getting everyone on the same page continues to be a journey.
“We’re trying to unite all efforts, optimize workflows, elevate and scale security across the media and entertainment industry,” Guy Finley, TPN’s CEO, said during a recent webinar that took a deeper look at TPN.
Two of the goals of the TPN is to create a single, central directory of trusted vendors (dubbed the “Vendor Roster”) that have gone through an assessment process, and the creation of a qualified assessor program, one that’s worldwide and gives vendors a large selection of specialists to choose from.
“Really what this vendor roster does is identify people who’ve been assessed by a qualified assessor [within] the TPN framework,” Finley said. “And without great assessors out there in the field, it would jeopardize the program. Ultimately, that’s a core, fundamental principle, to have a level-set playing field — much like other industries — of qualified assessors within our industry.”
The TPN platform itself has everyone operating online, taking away burdensome email, Excel, and phone calls around assessments, identifying vulnerabilities, and communicating remediation items. More than 20 content companies — including the six major Hollywood studios — are currently on board with the TPN program.
Ben Stanbury, CTO for TPN, said the programs framework was well-thought out before its April unveiling, with the tech side offering a segregated, internet-accessible assessment subject portal, that encompasses all the interactions within the TPN system. Qualified assessors can work on-site via an iPad app to conduct their assessments, “all in real time,” and a vendor portal will be accessible by all TPN member content owners, where they can find every assessed vendor, worldwide.
“In order to build a program that scales up to … potentially thousands of assessments per year as we ramp up the program, it’s important to have a secure repository for the highly sensitive data we collect during the assessment process, and to set up self-service functionality for all of our core user groups,” Stanbury said.
“The vendor portal will be an opportunity for service providers to update the content community when more services are being provided,” Stanbury said. “The baseline assessment is the service that TPN provides, and content owners will make that judgment call about how that security posture is suitable to the assets they want to share.”
Kurt Fischer, COO of TPN, noted that the qualified assessment program makes sure each individual assessor undergoes a strict review and approval process, covering their expertise around securing pre-release entertainment content. The MPAA will handle governance and quality assurance for the assessor program and administer qualified assessor testing at their locations around the world. Candidates will be vetted with credential reviews and reference checks, and must have information systems assessment proficiency, and knowledge of the entertainment supply chain.
TPN vendors go about requesting an assessment from a Qualified Assessor from the secure, online vendor portal, and negotiate the associated fee directly with the assessors outside of the system, Fischer added.
Finley pointed out that one of TPN’s greatest advantages is that, not only do content owners have confidential access to the platform, vendors own their assessment reports, which they can share with anyone.
“In the past, if one content owner did an assessment, only that content owner got to see the assessment,” Finley said. “If the MPAA did an assessment, only its member companies got to see the assessment.” TPN’s Vendor Roster is designed to provide an easy interface for content owners to see what vendors are participating in or have undergone a TPN assessment.
The first phase of TPN, concentrating on facility site security, will be up and running in June, with the first vendor assessments taking place, Finley said. Stanbury added that the next two phases – application security then cloud – will be begin the governance and implementation process after the initial round of site security assessments within the TPN are finished.
“We want vendors and facilities to increase their security awareness, their security preparedness, and their capabilities. That’s critical to this program,” Finley said. Reducing the number of assessments conducted at each facility annually — reducing vendor fatigue around oft-repetitive security inspections — is also a key driver.
“On the content owner side, this single, central repository is critical,” he added. “We’re trying to educate participants across a very large supply chain, looking all the way upstream from home entertainment, encompassing every piece, production, post, long-term archive, and asset management. The TPN platform is a path for that.”