Motion Pictures Association (MPA) Content Protection Best Practices For Trusted Partner
Network (TPN) Certification and its maintenance

Please contact us at:

1. Threats to Content and their Transmission/Processing/Storage Assets in Digital Services Sector

Digital Services Businesses in today's competitive world are very complex and are immensely dependent upon Digital
Content, their transmission, processing, storage and security systems. The challenges of managing Digital Content Risks
& their mitigation, Security Controls, Incidents, Root Causes, Organizational Changes, System Knowledge, System
Availability, System Capacity Burn Rate, Service Levels, Disaster Recovery Readiness, Business Contingency and all
supporting Processes are getting more stringent day by day.

A serious malicious action can lead to serious Financial, Customer, and Reputational impacts, leading to loss of business
deals, revenues, and market share. Most organizations have their own Damage Control Strategies such that they are
able to contain the damage to some extent. While this is important from a reactive perspective, it is critical in today's world
to have Proactive Control strategies. The management shall own a framework that can help in reducing the potential
threats and the probability of impacts as far as is possible given the available resources and the restrictions around them.

Primarily, an Organization looks forward to protection from the following major threats to Business and the
corresponding Information Systems:
(1) System Outage - leading to disruption of Business Services being extended to Customers.
(2) Uncontrolled Changes in Business Systems - can potentially result in a number of threats to Digital Assets from
Confidentiality, Integrity, Availability, Reliability, Trustworthiness, Copyrights, and Fair Usage perspective.
(3) Content Loss or Corruption - Leading to missing or wrong stored content pertaining to Business Systems or a
(4) Transaction Execution and Delivery Errors (due to errors in inputs or processing algorithms)
(5) Unauthorized Dealing and Trading Practices.
(6) Theft, Robberies and Raids.
(7) External and Internal Frauds - malicious actions (like Network Penetration, Internet Hacking, etc.) by
individuals/communities leading to Financial, Customer, and Reputational impacts, leading to loss of business deals,
revenues, and market share.
(8) Activity by Competition.
(9) Breaches of Legal Requirements and Self-Regulation: Privacy and Trust related
(10) Major Disasters - Partial/Complete interruptions to business activities.
The answer is to implement a powerful, easy to manage and effective Content Security Management System within the
organization. The digital services industry needs to implement a Content Security Management System to:
(1) Ensure protection of Customer Information against vulnerabilities in India and the Country of the Customer.
(2) Ensure that they do not become the gateway to exploits into Customer IT environment.
(3) Fulfill the terms of a Master Service Agreement (wherever applicable).
(4) Protect offshore business by tangibly demonstrating a strong and working CSMS framework and its compliance at
(5) Improving process dependence thereby reducing employee dependence thus reducing handover cycles against
attrition of key staff.
(6) Protection of Employees
(7) Protection of Business Critical Information and Content
(8) Establishing a strong edge over competition
(9) Last but not least - Having another tangible component in ensuring commitment towards Customer delight,
which is the primary mission of all service organizations

2. Scope of Content Security Management System (CSMS) as per MPA Content Security Best
Practices for Trusted Partnership Network (TPN) certification

Content Security Management System (CSMS) is a structured management framework to ensure protection of sensitive
business information. The framework encompasses People, Processes and Technology (IT systems and other

The world class standard that defines this framework in detail is BS ISO/IEC 27001:2013 and the best practices are
defined in BS/ISO/IEC 27002. Other standards supporting CSMS implementation are ISACA's COBIT, NIST 800-53,
Cloud Security Alliance, and MPA Content Security Best Practices. In this proposal, the framework of interest is MPA
Content Security Best Practices (supported by all other prescribed standards) as its compliance is the primary
requirement of TPN certification.

Practically every digital services organization has a need for CSMS. The key to success in managing content security is to
know ALL the digital assets of the Organization, their value, the current threats, probability of exposure, the impact, the
risk and the mitigation strategy around them. If planned and implemented carefully, the management of the
Organization can have a centralized control on an end to end framework that can ensure a clear visibility into the threats,
resulting risks and their mitigation strategy.

A single loose end has enough potential to cause significant damage. It is like one weak gate of a strong fort.
Hence, it is important to implement the entire process framework and resulting controls without missing even one of
them. It has been our experience that most of the loose ends remain because of inadvertent ignorance rather than lack of
funds. Investment in the best in class security systems of the world may not be enough unless the processes and controls
around them are adequately implemented.

3. Applicability of MPA Content Security Best Practices in Your Esteemed Organisation

The purpose of the MPA code of best practices for content security is to guide an Organization on the level of security
controls implementation feasible as per the organizational business needs and customers' security requirements. They
guide the organization to implement a structured Content Security Management System with an approach of Risk
Assessment & Business Impact Analysis that shall incorporate world class best practices in management of the existing
systems running in the Organization in the form of a Framework. The Framework would include:

(1) Executive Security Awareness/Oversight
(2) Risk Management (Risk Assessment, Business Impact Analysis, Risk Treatment)
(3) Security Organisation Structure
(4) Policies and Procedures
(5) Incident Management and Response
(6) Business Continuity and Disaster Recovery
(7) Change Control and Configuration Management
(8) Workflow Security
(9) Segregation of Duties
(10) Background Verifications of Employees and Contractors
(11) Confidentiality Agreements
(12) Third Party Use and Screening
(13) Entry and Exit Security
(14) Management of Visitors
(15) Identification
(16) Perimeter Security
(17) Alarms
(18) Authorisation
(19) Electronic Access Control
(20) Physical and Digital (Cryptographic) Keys
(21) CCTV Cameras
(22) Logging and Monitoring
(23) Searches
(24) Assets and Inventory Management
(25) Media Receiving, Handling, Shipping, and Disposals
(26) External Networking/WAN Security
(27) Internet Access Security
(28) Internal Network/LAN Security
(29) Wireless Security
(30) I/O Device Security
(31) Systems Security
(32) Account Management and Authentication
(33) Mobile Security
(34) Security Techniques
(35) Content Tracking
(36) Human Resources Policies and Procedures
(37) Transfer Systems Security
(38) Transfer Device and Methodology
(39) Client Portal Access Security

Post implementation of the above framework, ETCO India shall assist Your Esteemed Organisation with formal
registration, assessment, and certification on MPA Content Security Best Practices from a certified TPN security assessor
via the application process described on the TPN website.

4. Proposed Objectives of ETCO India in implementing MPA content security best practices, and
achieving and maintaining TPN certification for Your Esteemed Organisation

To achieve a well documented and implemented CSMS Framework and its controls framework for compliance with MPA
Content Security Best Practices as mandated by TPN.

(1) To implement a structured Framework by means of documentation, communication, trainings, workshops,
certifications and Security agreements.

(2) To support your esteemed organisation in procuring, deploying, and configuring all the required hardware, software,
networking infrastructure, systems and data centre security solutions, physical security solutions, content processing,
transmission, and storage security solutions, AAA and access control solutions, and application security solutions
required to meet the requirements of MPA Content Security Best Practices.

(3) To document and implement effective security controls to meet the requirements of MPA Content Security Best

(4) To create a comprehensive and transparent security reporting system for the Management, Clients, and other
Stakeholders, and to help you in "Demonstrating Compliance during External Audits" conducted by your existing and
new Clients, Regulators, and their Representatives.

(5) To engage with a TPN certified assessor for pre-assessment, and then apply for TPN assessment through their
prescribed process and coordinate with their assessor till final certification. The TPN's directory of assessors may be
accessed from here:

5. About Trusted Partnership Network (TPN) and MPA Content Security Best Practices
compliance, and our role in it

TPN (Trusted Partnership Network) is a global initiative through partnership between Motion Picture Association (MPA)
and the Content Delivery & Security Association (CDSA). Almost every major motion picture producing company and
media content owner is a member of these two associations. TPN is specifically designed for service providers and
outsourced production and/or workflow partners of production companies and any type of content owners. The
objective of TPN is to certify compliance with the controls framework designed under MPA Content Security Best
Practices, which are as per ISO 27001 and NIST 800-53 standards. TPN offers assessments through a network of certified
professional assessors for compliance with MPA Content Security Best Practices.

ETCO India's role in TPN is the following:

(a) Taking accountability and responsibility of procurement, implementation, and documentation of IT infrastructure
security, software and applications security, data centre security, physical security, and content processing security as
recommended in the content security controls of the MPA Content Security Best Practices;
(b) Engaging with a TPN assessor;
(c) Coordination with the TPN assessor for pre-assessment such that all implemented controls can be verified from the
perspective of a certified assessor;
(d) Applying to TPN for formal assessment expressing the TPN assessor hired for pre-assessment as our preferred
(e) Coordinating with the TPN assessor and achieving TPN certification;
(f) Repeating the TPN assessment cycle every year (because the certificate's validity is one year);
(g) Supporting your esteemed organisation in demonstrating your compliance to clients, external auditors, authorities,
regulators, or whoever is concerned about your content security controls and best practices.

6. Advantages of MPA Content Security Best Practices and related TPN certification in Your
Esteemed Organisation at Corporate Level

Following are the benefits of CSMS that the Management of the organization can achieve tangibly at the corporate level:

(1) Customers will be assured that the Organization takes Content Security seriously.

(2) Companies that are strict about Content Security would feel very comfortable dealing with Your Esteemed

(3) The Organization would have a structured approach to Content Security with effective Risk Management.

(4) Employees, Contractors and Suppliers will take security seriously amidst adequate policies and penalties for any
security breach.

(5) Investments in IT and other security areas would be in the right direction (fulfilling Customer and overall Business
requirements) with an accurate distribution of spending.

(6) Money would not be invested on the strength of a security product company's marketing skills; rather, there would be a sound
analysis of the risks and controls required.

(7) As a Digital Services Organization, Your Esteemed Organisation shall have a sound advantage over direct
competition because the Service Delivery personnel and Service Ambassadors would be CSMS trained.

(8) Detailed documentation framework with activity tracking and log-sheets that can be readily extended to other

(9) Adequate Disaster Recovery and Business Continuity Plans.

(10) Strong branding in a highly competitive industry

7. Advantages of MPA Content Security Best Practices in Your Esteemed Organisation at
Department Level

Following are the benefits of CSMS that the Head of a Department can achieve tangibly at the Department level:

(1) After the trainings are imparted, all Department Heads and other nominated people will have knowledge about a new
domain (Information Security), which is one of the fastest growing businesses in the Global Digital Media industry.

(2) All Information Assets of the department will be clearly identified and listed in an Asset Master.

(3) Risk Assessment and Business Impact Analysis against loss/mishandling of departmental assets would be clearly
visible to the department head.

(4) As a part of Role definitions and KRAs of the department employees, Security compliance will be included with
quantifiable measurement.

(5) Department level internal audits will have Security Auditing included.

(6) A structured risk assessment methodology will be published which the department head can trigger at a periodic
level to review department level risks.

(7) The Department Head can map certain department level risks to an impact affecting entire organization such that they
can be escalated and treated at a Corporate level.

(8) Security controls applicable at a department level would be applied effectively.

(9) Control Effectiveness Measurement will be carried out at a department level and all Heads will have a clear visibility
into the same.

We have designed a massive repository of tailorable templates of policies, standards, processes and workflows that can
be customized as per Customer needs in a very short time, reducing the implementation cycles and costs significantly. To
get a detailed understanding of our approach to implementation at every step of the entire framework, we invite
you to browse our site.
You may please contact us at the published numbers or may write to us at

We shall be delighted to serve your esteemed organisation. We shall undertake 100%
responsibility and accountability to implement all IT and related infrastructure components,
content security controls, coordinate with the assessors, and coordinate with everyone engaged in
the project till the final TPN certification is achieved, and manage the annual renewal cycles.

IT and ISMS Consultancy and Third Party Auditing: Risk Assessment and Business Impact Analysis, Disaster Recovery and Business
Continuity, Information Security, IT Service Management Framework
Copyright 2020 ETCO INDIA. All Rights Reserved