CONTENT SECURITY BEST PRACTICES SCREENER DIGITAL TRANSFER SERVICES




MPAA Site Security Program
CONTENT SECURITY BEST PRACTICES: SCREENER DIGITAL TRANSFER SERVICES
Version 1.0, December 31, 2011

DOCUMENT HISTORY

Version   Date                Description             Author
1.0       December 31, 2011   Initial Public Release  PwC LLP; MPAA; MPAA Member Companies

TABLE OF CONTENTS

I. Best Practices Overview
II. Screener Overview
III. Screeners Best Practice Guidelines
Appendix A: Glossary

I. BEST PRACTICES OVERVIEW

Introduction

For more than three decades, the Motion Picture Association of America, Inc. (MPAA) has managed site security inspections on behalf of its Member Companies (Members): Walt Disney Studios Motion Pictures; Paramount Pictures Corporation; Sony Pictures Entertainment Inc.; Twentieth Century Fox Film Corporation; Universal City Studios LLC; and Warner Bros. Entertainment Inc.

The MPAA is committed to protecting the rights of those who create entertainment content for audiences around the world. From the creative arts to the software industry, more and more people make their living based on the power of their ideas. This means there is a growing stake in protecting intellectual property rights and in recognizing that these safeguards are a cornerstone of a healthy global information economy.

Decisions regarding the use of vendors by any particular Member are made by each Member solely on a unilateral basis. Best practices outlined in this document are subject to local, state, regional, federal and country laws or regulations. Best practices outlined in this document, as well as the industry standards and supplementary documents, are subject to change periodically. Compliance with best practices is strictly voluntary. This is not an accreditation program.

Questions or Comments

If you have any questions or comments about the best practices, please email: mpaasitesecurity@mpaa.org

Purpose and Applicability

The purpose of this document is to promote security best practices related to the creation and handling of motion picture screeners. A screener is broadly defined as a copy of a motion picture provided to industry professionals. There are different types of screeners (e.g., awards or promotional), different recipients (e.g., censorship boards or media outlets) and numerous entities involved (e.g., guilds or studios). This document seeks to set general security expectations for entities that provide digital transfer services for any type of screener.

II. SCREENER OVERVIEW

Types of Screeners

A screener is a copy of a motion picture (i.e., film, television show or related media) provided to awards voters, producers, distributors, critics, censorship boards and other industry professionals. The table below summarizes the five screener types:

Type          Description
Promotional   Content that is physically or digitally distributed to critics and other media outlets
Awards        Content that is physically or digitally distributed to awards voters
Censorship    Content that is physically or digitally distributed to censorship boards
Sales         Content that is physically or digitally distributed to distributors and retailers
Hospitality   Content that is physically or digitally distributed to airlines, hotels and other entities (e.g., military installations) in the non-theatrical window

The original table also marks each type against the four release windows (pre-theatrical, theatrical, non-theatrical and pre-home video); awards screeners are marked for all four windows and each of the other types for three.

Risks

Since screeners are distributed prior to the intended release window, there is a heightened risk of content theft. The table below outlines typical risks for the various types of screeners.

Type          Typical Risks
Promotional   - Distribution of highly sensitive pre-theatrical and pre-home entertainment content that could be intercepted and leaked
              - Responding to late screener requests leads to the use of non-standard delivery methods and chain-of-custody tracking
Awards        - Large volume (over 500,000) of screeners distributed every season increases the likelihood of a screener loss
              - Restrictions against visible watermarking
              - Improper handling of screeners by couriers, agencies, and recipients
              - Inaccurate or dated address distribution lists, and informal guild member identification and verification processes
              - Multiple copies of the same title sent to a single recipient
Censorship    - Regulations in foreign countries often restrict against visible watermarking
              - Improper handling of screeners by couriers and recipients
Sales         - Large volume of screeners distributed
              - Improper handling of screeners by couriers and recipients

MPAA Site Security Program August 1, 2011

III. SCREENERS BEST PRACTICE GUIDELINES

Each entry gives the number, the best practice for digital transfer services, and the implementation guidance.

SCR-3.0  Enforce the use of unique usernames and passwords for recipients to access the digital screeners portal/application
  Implementation guidance:
  - Establish policies to enforce the use of unique usernames and passwords
  - Require authentication to access screener content, using unique usernames and passwords at a minimum
  - Do not allow multiple accounts for a single email address

SCR-3.1  Enforce a strong password policy for gaining access to the digital screeners portal/application
  Implementation guidance: create a password policy that consists of the following:
  - Minimum password length of 8 characters
  - Minimum of 3 of the following 4 character classes: upper case, lower case, numeric, and special characters
  - Maximum password age of 90 days
  - Minimum password age of 1 day
  - Maximum invalid logon attempts of between 3 and 5
  - Password history of ten previous passwords

SCR-3.2  Require the content owner to approve each new user that has registered for a digital screeners account before access is granted
  Implementation guidance:
  - Require authorized business personnel to grant user access to specific screener titles
  - Segregate new user enrollment privileges to backend IT administrators
  - Implement a process to review the approvals of business personnel and the activities performed by IT administrators

SCR-3.3  Require two-factor authentication for new user registration and logon to the digital screeners portal/application
  Implementation guidance: require individuals to provide two of the following for new user registration:
  - Something the individual knows (e.g., account number, security questions)
  - A unique physical item the individual has (e.g., registration card with unique ID number, token)
  - A physical characteristic unique to the individual (e.g., fingerprint, retina)

SCR-3.4  Display anti-piracy warnings upon user registration and on the default screen of the digital screeners portal/application

SCR-3.5  Implement a process for approving, tracking and logging devices that access the digital screeners portal/application, and limit the number of registered devices to 3 per user
  Implementation guidance:
  - Consider generating a unique hardware signature for each device that accesses a user account; the hardware signature can be a hash of the device's MAC address, hard drive signature, IP address, etc.
  - Restrict access to the portal to a set number of allowed hardware signatures
  - Implement an exception process for users to exceed the maximum number of devices upon approval by the studios

SCR-3.6  Implement access controls to limit the playback of screeners through the digital screeners portal/application, including the following at a minimum:
  - Set a maximum view count for each title
  - Prohibit concurrent logins
  - Restrict user access to only the specific screeners they are authorized to view
  - Expire access to screener content after a set period of time
  - Provide the option to revoke access to content upon request
  Implementation guidance: consider issuing an account activation key only upon user validation by the studios

SCR-3.7  Implement access control policies to limit administrative access to the digital screeners portal/application
  Implementation guidance: consider the following:
  - Require a unique account for each individual administrator
  - Restrict administrative access only to host machines within valid IP address ranges
  - If administration is performed through a standalone application, allow each installation to be applied to only a single machine

SCR-3.8  Review access rights to the digital screeners portal/application monthly
  Implementation guidance:
  - Remove access rights from users that no longer require access due to a change in job role, employment, guild membership, or industry activity
  - Remove or disable any inactive accounts

SCR-3.9  Retain access logs for the digital screeners portal/application for six months
  Implementation guidance: store content logs on a centralized server that can be accessed only by specific users and is secured in an access-controlled room

SCR-3.10 Control the download of screeners from the digital screeners portal/application
  Implementation guidance: seek prior approval of the workflow from the content owner

SCR-3.11 Limit the amount of buffering or caching to what is required to stream content
  Implementation guidance: limit to just-in-time buffering or caching
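An added example (not the document's or any portal vendor's code) of the device registration in SCR-3.5 and the playback controls in SCR-3.6. Two points the guidance leaves implicit are built in: the hardware signature is a keyed hash, because a plain hash of a MAC address is reversible by brute force (the MAC space is about 2^48 and vendor prefixes are public), and the IP address is left out of the signature, because it changes with the recipient's network and would register the same laptop as a new device on every trip. The attribute names, the registry and entitlement layouts, the signing key and the sample sessions are all assumptions.

```python
"""Device registration (SCR-3.5) and playback entitlements (SCR-3.6).

Added example, not code from the MPAA document. Attribute names, the
registry layout, the signing key and the sample sessions are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

MAX_DEVICES = 3
# Server-side secret (assumed): keys the hash so a leaked signature cannot be
# turned back into a MAC address by enumerating the small MAC space.
SIGNING_KEY = b"example-key-rotate-in-production"


def hardware_signature(attrs: dict[str, str]) -> str:
    """Keyed hash over canonicalised device attributes (MAC, disk serial, ...).

    'ip' is deliberately excluded: it changes with every network the
    recipient connects from and would make one device look like many."""
    canonical = "|".join(
        f"{k}={attrs[k].strip().lower()}" for k in sorted(attrs) if k != "ip"
    )
    return hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).hexdigest()


@dataclass
class DeviceRegistry:
    devices: dict[str, list[str]] = field(default_factory=dict)   # user -> signatures
    exceptions: dict[str, int] = field(default_factory=dict)      # user -> extra devices approved
    log: list[tuple[str, str, str]] = field(default_factory=list)  # (user, subject, event)

    def register(self, user: str, attrs: dict[str, str]) -> bool:
        """Admit the device if already known or within the user's limit; log the outcome."""
        sig = hardware_signature(attrs)
        known = self.devices.setdefault(user, [])
        if sig in known:
            return True
        limit = MAX_DEVICES + self.exceptions.get(user, 0)
        if len(known) >= limit:
            self.log.append((user, sig, "rejected: device limit"))
            return False
        known.append(sig)
        self.log.append((user, sig, "registered"))
        return True

    def approve_exception(self, user: str, extra: int, approver: str) -> None:
        """Studio-approved exception to the 3-device limit (SCR-3.5 guidance)."""
        self.exceptions[user] = self.exceptions.get(user, 0) + extra
        self.log.append((user, approver, f"exception +{extra}"))


@dataclass
class Entitlement:
    title: str
    max_views: int
    expires_at: float
    views: int = 0
    revoked: bool = False


@dataclass
class PlaybackGate:
    entitlements: dict[tuple[str, str], Entitlement] = field(default_factory=dict)
    active_sessions: dict[str, str] = field(default_factory=dict)  # user -> session id

    def grant(self, user: str, title: str, max_views: int, expires_at: float) -> None:
        self.entitlements[(user, title)] = Entitlement(title, max_views, expires_at)

    def revoke(self, user: str, title: str) -> None:
        self.entitlements[(user, title)].revoked = True

    def start(self, user: str, title: str, session: str, now: float) -> str:
        """Check every SCR-3.6 rule before counting a view; return 'ok' or the denial reason."""
        ent = self.entitlements.get((user, title))
        if ent is None:
            return "denied: not authorised for title"
        if ent.revoked:
            return "denied: revoked"
        if now > ent.expires_at:
            return "denied: expired"
        if ent.views >= ent.max_views:
            return "denied: view limit"
        current = self.active_sessions.get(user)
        if current is not None and current != session:
            return "denied: concurrent login"
        self.active_sessions[user] = session
        ent.views += 1
        return "ok"

    def end(self, user: str, session: str) -> None:
        if self.active_sessions.get(user) == session:
            del self.active_sessions[user]
```

The registry log records the signature, not the raw attributes, so the approval trail that SCR-3.5 asks for does not become a second store of device identifiers; the exception path is explicit and attributed to an approver rather than a flag an administrator can flip silently.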

SCR-3.12 Stream screener content in the lowest resolution that is acceptable for the screener's intended purpose

SCR-3.13 Apply dynamically-generated visible watermarking to digitally streamed screener content
  Implementation guidance:
  - Apply visible watermarking as permitted by the involved parties (e.g., guilds, government agencies)
  - Consider a moving watermark that changes location intermittently
  - Ensure that the watermark cannot be easily edited out of the picture

SCR-3.14 Apply invisible forensic watermarking to digitally streamed and/or downloaded screener content

SCR-3.15 Maintain records whenever content is streamed or downloaded that tie the visible and invisible watermarks to a specific title, specific user, company affiliation, device MAC address, IP address, time and date

SCR-3.16 Perform penetration testing on servers, databases and applications that host screener content at least annually, immediately before peak periods (e.g., awards season), and when there is a system change
  Implementation guidance:
  - Employ a third party to perform penetration testing
  - Rotate between different third parties each year
  - Use industry-accepted testing guidelines, such as those issued by the Open Web Application Security Project (OWASP), to identify common web application vulnerabilities

SCR-3.17 Remove screener content from the digital screeners portal/application after a predefined period of time (e.g., after voting periods, awards seasons, etc.)

SCR-3.18 Implement several layers of security controls for the screener portal:
  - Web Application Firewall
  - Intrusion Prevention System
  - Geographic restrictions
  - Secure coding principles
  - Audit logging, monitoring and alerting
  - Transmission and storage encryption
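An added example, not code from the MPAA document, of the record-keeping SCR-3.15 requires around the forensic watermark of SCR-3.14. The embedder itself is out of scope (the watermarking tool does that); what matters here is that the stream carries only an opaque random payload, and that the ledger is what ties the payload back to title, user, company, device signature, IP address and time. The trace function also accepts a few bit errors, because a payload recovered from a re-encoded or camcorded copy rarely comes back clean. The payload width, the record fields and the sample sessions are assumptions.

```python
"""Forensic watermark session ledger (SCR-3.14, SCR-3.15).

Added example, not code from the MPAA document. PAYLOAD_BITS, the record
fields and the sample sessions are assumptions; embedding the payload in
the video is done by the (assumed) watermarking tool, not here.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

PAYLOAD_BITS = 32  # assumed capacity of the embedder per stream


@dataclass(frozen=True)
class WatermarkRecord:
    payload: int             # opaque ID carried in the stream; never the user's identity
    title: str
    user: str
    company: str
    device_signature: str    # hardware signature from device registration
    ip: str
    timestamp: str           # ISO 8601, UTC
    visible_text: str = ""   # what the visible overlay showed, if one was permitted


class WatermarkLedger:
    """Append-only map from embedded payload to the session that produced it."""

    def __init__(self) -> None:
        self._records: dict[int, WatermarkRecord] = {}

    def issue(self, title: str, user: str, company: str, device_signature: str,
              ip: str, timestamp: str, visible_text: str = "") -> WatermarkRecord:
        """Allocate a fresh payload for one stream/download and record the session."""
        # Random rather than sequential: a counter would let a leaker guess or
        # spoof a neighbouring recipient's ID. The loop guards against a collision.
        while True:
            payload = secrets.randbits(PAYLOAD_BITS)
            if payload not in self._records:
                break
        rec = WatermarkRecord(payload, title, user, company, device_signature,
                              ip, timestamp, visible_text)
        self._records[payload] = rec
        return rec

    def trace(self, recovered: int, max_bit_errors: int = 0) -> WatermarkRecord | None:
        """Map a payload recovered from a leaked copy back to its session.

        Tolerates up to max_bit_errors flipped bits and returns the closest
        record; None if nothing is within tolerance."""
        best: tuple[int, WatermarkRecord] | None = None
        for payload, rec in self._records.items():
            errors = bin(payload ^ recovered).count("1")
            if errors <= max_bit_errors and (best is None or errors < best[0]):
                best = (errors, rec)
        return best[1] if best else None

    def sessions_for(self, user: str) -> list[WatermarkRecord]:
        """Every stream or download recorded for a user, e.g. for an access review."""
        return [r for r in self._records.values() if r.user == user]
```

Keeping identity out of the payload means a recovered watermark is worthless to anyone without the ledger, which is why SCR-3.9's guidance on storing logs on a restricted, centralised server applies to this table as much as to the portal access logs.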

APPENDIX A: GLOSSARY

This glossary lists the basic terms and acronyms most frequently used and referred to within this publication. In the best practice guidelines, all terms that are included in this glossary are highlighted in bold typeface.

Access Control: Any safeguard that restricts access to a physical area or information system.

Access Rights: Permission to use/modify an object or system.

Advanced Encryption Standard (AES): A NIST symmetric key encryption standard that uses 128-bit blocks and key lengths of 128, 192, or 256 bits.

Asset Management: The system by which assets are tracked throughout the workflow, from acquisition to disposal.

Awards Screener: A screener that is physically or digitally distributed to awards voters.

Censorship Screener: A screener that is digitally or physically distributed to censorship boards.

Chain of Custody Form: A document that is used to track and record the chronological movement of an item; it typically includes information such as the name of the person in custody of the item, date/time of hand-off, and reason for custody.

Digital Screeners Portal / Application: The digital platform by which digital screeners are accessed.

Forensic Watermarking: A digital technology that is used to uniquely identify the originator and intended user of content.

Guild Membership List: A list containing the name and address of all guild members that is used for the distribution of awards screeners.

Hardware Signature: A digital signature that uniquely identifies the set of hardware that is used to access a system.

Hospitality Screener: Content that is physically or digitally distributed to airlines, hotels and other entities (e.g., military installations) in the non-theatrical window.

Incident Response: The detection, analysis, and remediation of security incidents.

Promotional Screener: A screener that is digitally or physically distributed to critics and other media outlets.

Sales Screener: A screener that is physically or digitally distributed to distributors and retailers.

Screener: A copy of a motion picture provided to industry professionals.

Transfer Tools: Tools used for the electronic transmission of digital assets through a network, usually with acceptable encryption and authentication mechanisms.

Two-Factor Authentication: A method of authentication by which a user's identity is verified by the presentation of two of the following: a) something the user is; b) something the user has; and c) something the user knows.

Visible Watermarking: A digital technology that is used to embed a visible watermark onto the content to deter copyright infringement and content piracy.
