Quickly understand MPA Best Practices changes to steer your TPN trajectory

Best Practices

• - Establish, regularly review, and update upon key changes, an Information Security Management System (ISMS) or Information Security Manual (ISM), which is approved by leadership of the organization, to include the following:
• + Establish, regularly review, and update upon key changes, an Information Security Management System (ISMS), Information Security Manual (ISM), or Information Security Policy (ISP) which is approved by leadership of the organization, to include the following:

Additional Recommendations

• - • Establish an independent team for Information Security, including a Governance Committee, to develop policies addressing threats, incidents, risks, etc.
• + • Establish a defined team for Information Security, including a Governance Committee, to develop policies addressing threats, incidents, risks, etc.

Best Practices

• - Establish and regularly review an Acceptable Use Policy (AUP) governing the use of Internet (e.g., social media, communication activities, etc.) to include the following:
• + Establish and regularly review an Acceptable Use Policy (AUP) governing the use of Internet (e.g., social media, communication activities, etc.), to include the following:

Additional Recommendations

No change on this column.

Best Practices

• - Establish and regularly review formal plans for Business Continuity and Disaster Recovery to include the following:
• + Establish and regularly review a formal Business Continuity Plan (BCP) and policy, to include the following:
• - • Teams responsible for developing and maintaining the Business Continuity (BCP) and Disaster Recovery (DR) Plans
• + • Team responsible for developing and maintaining the Business Continuity Plan
• - • Notification to affected business partners and clients in accordance with local laws, regulations, and agreements
• + • Include Incident Response as part of the Business Continuity Plan

Additional Recommendations

• - • Testing procedures of business continuity and disaster recovery processes regularly, to include tabletop exercises
• + • Testing procedures of business continuity processes regularly, to include tabletop exercises
• + • Incorporate a systematic approach that uses likelihood of risk occurrence, impact to business objectives/content protection, and asset classification for assigning priority (e.g., Business Impact Analysis (BIA))
• + • Assign a designated team member to oversee continuity planning efforts
• - • Base on Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
• - • Address in Shared Security Responsibility Model (SSRM)
• - For Business Continuity:
• + • Protect security systems from disruption in power
• - For Disaster Recovery:
• - • Priorities for recovery procedures, including steps to restore systems
• - • Cyber Security insurance to help mitigate risks from a cyberattack

Best Practices

• - Establish and regularly review a policy and process for the classification, protection, and handling of Data & Assets throughout its lifecycle, according to local laws, regulations, and agreements.
• + Establish and regularly review a formal policy and plan Disaster Recovery (DR) policy and plan, to include the following:
• + • Team responsible for developing, maintaining, and communicating the Disaster Recovery plan
• + • Include Incident response as part of the Disaster Recovery (DR) plan
• + • Restrict access to modify or delete backups to privileged users with assigned data backup and recovery operation roles

Additional Recommendations

• - • Data retention periods
• - • Classify according to data sensitivity
• - • Third-Party Service Provider data sharing responsibilities (e.g., via contract clauses, SSRM, , etc.)
• + • Testing procedures of disaster recovery processes regularly, to include tabletop exercises
• + • Base on Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
• + • Assign a designated team member to oversee recovery efforts
• + • Priorities for recovery procedures, including steps to restore systems
• + • Backups that are marked for full recovery are tested on a regular basis
• + For template examples refer to SANS: https://www.sans.org/information-security-policy/ and FEMA: https://www.fema.gov/

Best Practices

• + Establish and regularly review a policy and process for Data & Assets, to include the following:
• + • Classification
• + • Protection
• + • Database security guidelines
• + • Defined segregation of duties
• + • Handling throughout its lifecycle
• + • In accordance with local laws, regulations, and agreements

Additional Recommendations

• + • Data retention periods
• + • Classify according to data sensitivity
• + • Third-Party Service Provider data sharing responsibilities (e.g., via contract clauses, etc.)
• + • Version control of the policy and process

Best Practices

• - Establish a formal, documented security Risk Management program, to include the following:
• + Establish and regularly review a formal security Risk Management program, to include the following:
• - • Address workflows, assets, and operations
• + • Address workflows, assets, operations, and personnel
• - • Regularly review and upon key changes
• + • Review and update upon key changes

Additional Recommendations

• - • Incorporate a systematic approach that uses likelihood of risk occurrence, impact to business objectives/content protection, and asset classification for assigning priority (e.g., Business Impact Assessment (BIA))
• - • Risks identified should tie into the Business Continuity (BCP) and Disaster Recovery (DR) Plans
• + • Risks identified tie into the Business Continuity (BCP) and Disaster Recovery (DR) Plans
• - • Include risks to all environments and infrastructure
• + • Include risks to all environments and infrastructure, to include Site Security Plan for each site to summarize the implemented security controls (e.g., camera, alarm, and EAC locations) to protect physical access to assets, as well as applicable risks and threats
• - • Leverage NISTIR 8286, FAIR frameworks, or ISO 31000:2018/ISO 31010:2019, ISO 27005, & NIST 800-30
• + • Utilize a Red Team or Cyber Security professionals to identify security vulnerabilities
• + • Cyber Security insurance to help manage financial impact from a cyberattack
• + • Leverage established information security risk management framework (e.g., NISTIR 8286, FAIR frameworks, or ISO 31000:2018/ISO 31010:2019, ISO 27005, & NIST 800-30)

Best Practices

No change on this column.

Additional Recommendations

• - • Use an accredited background screening company
• + • Use a third-party background screening company

Best Practices

• - Establish and regularly review a process for the On-boarding/Off-boarding of all relevant full- and part-time employees, consultants, contractors, interns, freelancers, and temporary workers, by performing the following:
• + Establish and regularly review a process for the On-boarding of all relevant full- and part-time employees, consultants, contractors, interns, freelancers, and temporary workers, to include the following:
• - For On-boarding:
• - • Communicate and require sign-off from all company personnel for all current policies, procedures, and/or client requirements
• + • Communicate and obtain sign-off from all relevant/required/authorized company personnel for all current policies, procedures, and/or client requirements
• - • Confidentiality Agreements, Non-Disclosure Agreements (NDAs), etc., specifically applied for on-boarding
• + • Confidentiality Agreements, Non-Disclosure Agreements (NDAs), etc., specifically applied for On-boarding
• - For Off-boarding:
• - • Transfer ownership of data & access
• - • De-provision physical/digital access
• - • Return all company assets/equipment (e.g., keys, fobs, badges, devices, etc.)
• - • Confidentiality Agreements, Non-Disclosure Agreements (NDAs), etc., specifically applied for off-boarding
• - • Retain all signed agreements

Additional Recommendations

• + • Issue photo ID badge for all relevant employees and third-party personnel
• - • Review disciplinary policy
• + • Country relocations are in accordance with local laws, regulations, and agreements
• - • Issue photo ID badge for all relevant employees and third-party personnel

Best Practices

• - Establish and regularly review a Training & Awareness Program about security policies and procedures and train all relevant full- and part-time employees, consultants, contractors, and interns upon hire and annually, to include the following:
• - • For executive management and owners, tailor specific training
• - • Develop tailored training based on job responsibilities (e.g., interaction with content)
• - • Maintain a log of all training and attendees
• + Establish and regularly review a process for the Off-boarding of all relevant full- and part-time employees, consultants, contractors, interns, freelancers, and temporary workers, to include the following:
• + • Transfer ownership of data & access
• + • De-provision physical/digital access
• + • Return all company assets/equipment (e.g., keys, fobs, badges, devices, etc.)
• + • Confidentiality Agreements, Non-Disclosure Agreements (NDAs), etc., specifically applied for Off-boarding
• + • Retain all signed agreements

Additional Recommendations

• - • Include training for social engineering, ransomware, malware, phishing
• - • Develop a program to test effectiveness of training (e.g., phishing campaigns, tabletop exercises, etc.)
• + • Apply on a per project basis
• + • Review for role/job changes, geographical relocations, and leave of absence
• + • Country relocations are in accordance with local laws, regulations, and agreements
• + • Apply disciplinary policy, when applicable

Best Practices

• + Establish and regularly review a Training & Awareness program about security policies and procedures and train all relevant full- and part-time employees, consultants, contractors, and interns upon hire and annually, to include the following:
• + • For executive management and owners, tailor specific training
• + • Develop tailored training based on job responsibilities (e.g., interaction with content)
• + • Reviewed, updated, and training conducted after introduction of new processes and technologies
• + • Maintain a log of all training and attendees
• - Ensure Contracts & Service Level Agreements (SLAs) with Third-Party Service Providers (i.e., external companies that are paid for services provided), include the following:
• - • Business Continuity (BCP) and Disaster Recovery (DR) Plans
• - • Data handover and disposal upon service termination
• - • Risk Management process
• - • Ability to obtain requested Information Security Compliance Certificates and/or Attestations
• - • Background screening
• - • Confidentiality Agreements/NDAs
• - • Notification if services are outsourced or subcontracted
• - • Handling and reporting of incidents
• - • In accordance with local laws, regulations, and agreements

Additional Recommendations

• - • An independent, third-party review/audit of the effectiveness of the Service Provider security and privacy controls is performed (e.g., MPA Best Practices, CSA Star, ISO, SOC 2 Type 2, etc.)
• - • Audit covers the following: Organizational, Operational, Physical, and Technical Security
• + • Training for business email compromise, social engineering, ransomware, malware, phishing
• + • Develop a program to test effectiveness of training (e.g., phishing campaigns, tabletop exercises, etc.)
• + • Training covers the restriction of personal devices
• + • Training covers not using the same password or passphrase on multiple accounts
• + • Perform project specific training, including access approval process and incident escalation before commencement of project

Best Practices

• + Ensure Contracts & Service Level Agreements (SLAs) with Third-Party Service Providers (i.e., external companies that are paid for services provided), include the following:
• + • Business Continuity (BCP) and Disaster Recovery (DR) Plans
• + • Data handover and disposal upon service termination
• + • Risk Management process
• + • Ability to obtain requested Information Security Compliance Certificates and/or Attestations
• + • Background Screening of all third-party full- and part-time employees, consultants, contractors, and interns
• + • Confidentiality Agreements/NDAs for all third-party full- and part-time employees, consultants, contractors, and interns
• + • Notification if services are outsourced or subcontracted
• + • Handling and reporting of incidents
• + • In accordance with local laws, regulations, and agreements, including third-party consent for Background Screening and Confidentiality Agreements/NDAs

Additional Recommendations

• + • An independent, third-party review/audit of the effectiveness of the Third-Party Service Provider's security and privacy controls is performed (e.g., MPA Best Practices, CSA Star, ISO, SOC 2 Type 2, etc.)
• + • Audit covers the following: Organizational, Operational, Physical, and Technical Security

Best Practices

• - Establish and regularly review a formal Incident Response process, which covers both IT and content incidents/events, to include the following:
• + Establish and regularly review a formal Incident Response policy and process, which covers both IT and content incidents/events, to include the following:
• - • Notification/Escalation
• + • Escalation
• + • Notification of affected business partners and clients, in a timely manner
• + • Utilize this url to report incidents related to piracy https://www.alliance4creativity.com/report-piracy/

Additional Recommendations

• - • Establish a dedicated Incident Response team
• + • Establish an Incident Response team, including a designated lead
• + • Notify impacted Content Owners as soon as possible and provide high-level incident details
• + • Regularly update, through an established cadence with Content Owners, with new information throughout the investigation
• - • Notification of affected business partners and clients
• + • Retain third-party security partner for incidents

Best Practices

• + Establish and regularly review a formal Artificial Intelligence (AI) & Machine Learning (ML) policy aligned to overall Security Management program, to include the following:
• + • Tailor policy to include applicable AI/ML content and applications
• + • Identify and manage risks to include security controls associated with changes to datasets, applications, network infrastructure, and systems
• + • Ensure client approval for AI/ML application use
• + • Review data sources and its integrity before use
• + • Adhere to local laws, regulations, and client policy when using AI/ML data
• + • Outline appropriate usage for AI/ML datasets
• + • Include AI/ML in Acceptable Use Policy

Additional Recommendations

• + • Develop tailored training program for use of AI/ML applications based on job responsibilities
• + • Only use internally managed and sandboxed LLMs

Best Practices

No change on this column.

Additional Recommendations

• + • If physical assets are not normally handled, notify Content Owner(s) when it occurs

Best Practices

No change on this column.

Additional Recommendations

• + • Labels only include address, barcode, aliases (i.e., non-descript)

Best Practices

• - Establish a Shipping process to ship client assets, to include the following:
• + Establish and regularly review a Shipping process to ship client assets, to include the following:
• - • Maintain a shipping log that includes: Time of shipment, recipient name, address of destination, tracking number from shipper
• + • Maintain a shipping log that includes: Time of shipment, recipient name, contact number, address of destination, tracking number from shipper
• + • Use client approved shipping vendor

Additional Recommendations

• - • Content awaiting shipment should be in a secure area under camera surveillance
• + • Content awaiting shipment is in a secure area under camera surveillance
• + • If physical assets are not normally handled, notify Content Owner(s) when it occurs
• + • Delivery confirmation for high value assets
• + • Utilize GPS tracking

Best Practices

• - Establish a process for Transport Vehicles handling content, to include the following:
• + Establish and regularly review a process for Transport Vehicles handling content, to include the following:
• + • Handling during loading and unloading
• - • Apply to third-party couriers
• + • Direct delivery without unnecessary stops
• + • Establish a process for third-party couriers

Additional Recommendations

No change on this column.

Best Practices

• - • On-boarding/Off-boarding
• + • On-boarding
• + • Off-boarding

Additional Recommendations

• + • Training includes permissible working locations (e.g., non-public spaces, rooms out of direct sight line of neighbors and/or others, etc.)
• + • Change home router default passwords

Best Practices

• - Establish and regularly review a process to support the handling of client classified High Security Titles, to include the following:
• + Establish and regularly review a process to support the handling of content for client classified High Security Titles, to include the following:
• + • Use of mobile devices is only used for business purposes, unless client approved

Additional Recommendations

• + • For aliases, ensure the alias is generic and does not reference anything that might hint at the actual project or production name (e.g., characters, locations, genre, etc.)
• + • If aliases are used on any production signage, ensure the signage is plain and does not contain any artwork or reference that might hint at the actual production name

Best Practices

• - Establish and regularly review a process for the physical Disposal of stock/client assets (e.g., discs, storyboards, scripts, hard drives, etc.), to include the following:
• + Establish and regularly review a process for the physical and logical Disposal of stock/client assets (e.g., discs, storyboards, scripts, hard drives, etc.), to include the following:

Additional Recommendations

• - Reference U.S. Department of Defense 5220.22-M & NIST SP 800-88 for digital shredding and wiping standards
• + Reference U.S. Department of Defense 5220.22-M & NIST SP 800-88 for data wiping standards

Best Practices

• - • Secure and cover windows where content could be visible from the outside
• + • Secure and cover ground floor windows where content could be visible from the outside

Additional Recommendations

• + • For signage utilized at the facility or remote site/location, ensure the signage is plain and does not contain any artwork that might hint at the actual production name

Best Practices

No change on this column.

Additional Recommendations

• - • Visitor badge/sticker
• + • Visitors are issued a badge/sticker
• + • Visitor badges/stickers are surrendered before leaving the facility

Best Practices

• - • Retain logs for one year at a minimum, in accordance with local laws, regulations, and agreements
• + • Retain logs for one year at a minimum, in accordance with local laws, regulations, and agreements

Additional Recommendations

No change on this column.

Best Practices

• - • Automated alerts
• + • Automated alerts of each unauthorized/failed attempt, including when physical keys are used to override electronic access controls
• - • Issue alarm codes and administrator rights to authorized personnel and review users regularly
• + • Issue unique alarm codes and administrator rights to authorized individuals
• + • Review users regularly

Additional Recommendations

• - For high security areas:
• + • Log every alarm state change (e.g., Set to Unset) and the time and individual that triggered the change
• + For high security and all areas processing or handling content:

Best Practices

• - • Implement a check-in/check-out process for master keys to track and monitor the distribution
• + • A check-in/check-out process for master keys to track and monitor the distribution

Additional Recommendations

No change on this column.

Best Practices

• - Establish and regularly review a policy and process for Replication Facilities, in accordance with local laws, regulations, and agreements, to include the following:
• + Establish and regularly review a policy and process for Replication Facilities, to include the following:
• - • Regular audit of process
• + • Regular audit to test validity of process
• + • In accordance with local laws, regulations, and agreements

Additional Recommendations

No change on this column.

Best Practices

No change on this column.

Additional Recommendations

• - Environmental Control settings:
• + Environmental Control settings (range):
• - • Temperature (Low End): 64.4 degrees F (18 degrees C)
• + • Temperature (Low End): 64.4 degrees F (18 degrees C) or above
• - • Temperature (High End): 80.6 degrees F (27 degrees C)
• + • Temperature (High End): 80.6 degrees F (27 degrees C) or below
• - • Moisture (Low End): 40% relative humidity and 41.9 degrees F (5.5 degrees C) dew point
• + • Moisture (Low End): 40% relative humidity and 41.9 degrees F (5.5 degrees C) dew point or above
• - • Moisture (High End): 60% relative humidity and 59 degrees F (15 degrees C) dew point
• + • Moisture (High End): 60% relative humidity and 59 degrees F (15 degrees C) dew point or below

Best Practices

• - • Application Hardening Guidelines
• - • Authentication & Authorization
• - • Change Control
• - • Encryption
• - • Endpoint Protection
• - • Identity Access Management
• + • Physical Access Control
• - • Patching
• - • Penetration Testing
• + • Visitors
• - • Web & Cloud Portals

Additional Recommendations

• - When utilizing a Cloud Provider, proof can be provided via policy, procedure, or audit report documents, that includes the following Best Practices:
• + When utilizing a Data Center and/or Co-location, proof can be provided via policy, procedure, or audit report documents, that includes the following:
• + • CCTV captures vendor cabinets
• + • Cabinets are physically segregated from other tenants and data center employees
• - • Review user access list to the client cloud portal regularly
• - • Use of a Cloud Access Security Broker (CASB) to monitor and restrict cloud software usage and access
• - • Cloud Service Providers (CSPs) should provide Cloud Service Consumers (CSC) with the ability to manage their own encryption keys
• - • Intra-tenant segregation between Cloud Service Provider (CSP) and Cloud Service Consumer (CSC)
• - • Cloud hosted directory services (e.g., JumpCloud, OKTA, Azure Active Directory, AWS Directory Service, etc.)

Best Practices

• + When utilizing a Cloud Provider, proof can be provided via policy, procedure, or audit report documents, that includes the following Best Practices:
• + • Application Configuration Guidelines
• + • Authentication & Authorization
• + • Change Control
• + • Contracts & Service Level Agreements
• + • Encryption
• + • Endpoint Protection
• + • Identity Access Management
• + • Incident Response
• + • Network Topology Diagram
• + • Patching
• + • Penetration Testing
• + • Risk Management
• + • Shared Security Responsibility Model
• + • Systems Configuration
• + • Vulnerability Management
• + • Web & Cloud Portals

Additional Recommendations

• + When utilizing a Cloud Provider, proof can be provided via policy, procedure, or audit report documents, that includes the following:
• + • Review user access list to the client cloud portal regularly
• + • Use of a Cloud Access Security Broker (CASB) to monitor and restrict cloud software usage and access
• + • Cloud Service Providers (CSPs) provide Cloud Service Consumers (CSC) with the ability to manage their own encryption keys
• + • Intra-tenant segregation between Cloud Service Provider (CSP) and Cloud Service Consumer (CSC)
• + • Cloud hosted directory services (e.g., JumpCloud, OKTA, Azure Active Directory, AWS Directory Service, etc.)

Best Practices

• - • Use dedicated data I/O systems to move content between external networks (Internet) and internal networks (data I/O network, production)
• + • Use dedicated (i.e., isolated) data I/O systems to move content between external networks (Internet) and internal networks (data I/O network, production)
• - • Segmented data I/O network and workflows
• - • Implement separate isolated networks for data I/O and production
• - • Implement strict (IP and port) layer 2/3 Access Control Lists (ACLs) to allow outbound network requests from the more trusted inner layer, and deny all inbound requests from the less trusted outer layers
• + • Strict (IP and port) layer 2/3 Access Control Lists (ACLs) to allow outbound network requests from the more trusted inner layer, and deny all inbound requests from the less trusted outer layers
• + • When preparing or transferring content, utilize dedicated rooms with fully covered windows and closed door when work is in progress

Additional Recommendations

• - • If Fully Qualified Domain Names (FQDN) are used for allow listing, the firewall should contain a valid Domain Name System (DNS) entry
• + • If Fully Qualified Domain Names (FQDN) are used for allow listing, the firewall contains a valid Domain Name System (DNS) entry

Best Practices

• - • Leverage hardening guidelines provided by application providers
• + • Prohibit the use of wireless transfer applications (e.g., Bluetooth, NFC, Airdrop, etc.) on production systems
• + • Screensavers and/or screen-lock software activates after a maximum of 10 minutes of inactivity

Additional Recommendations

• - • Screensavers and/or screen-lock software activates after a maximum of 10 minutes of inactivity
• + • Utilize centralized configuration (e.g., Group Policy, MDM, etc.) to standardize security baselines for systems

Best Practices

• - Establish and regularly review a process for Default Administrator Accounts and other Default Accounts, to include the following:
• + Establish and regularly review a process for Default Administrator Accounts and other Default Accounts (i.e., infrastructure and applications), to include the following:

Additional Recommendations

No change on this column.

Best Practices

• - • Updating anti-virus/anti-malware definitions regularly and performing regular scans on systems
• + • Update anti-virus/anti-malware definitions regularly and performing regular scans on systems

Additional Recommendations

• - • Local firewalls
• - • Installation of Endpoint Detection and Response (EDR), XDR (Extended Detection and Response), or MXDR (Managed Extended Detection and Response)
• + • Install Endpoint Detection and Response (EDR), XDR (Extended Detection and Response), or MXDR (Managed Extended Detection and Response)

Best Practices

• - • Mobile Device Management (MDM) and/or Mobile Application Management (MAM)
• + • Mobile Device Management (MDM)
• + • Mobile Application Management (MAM)
• - • Require encryption of the entire device
• + • Encryption of the entire device

Additional Recommendations

• + • Training & Awareness for key personnel who handle content
• + • To prevent unauthorized content recording, enforce requirements for mobile devices, specifically outlining where mobile devices are permitted

Best Practices

• + • Log all remote access activities
• + • Logs and associated logging data must be encrypted over external networks
• + • Log the following fields for network activity: Source IP address, Destination URL or IP address, Username, Action Attempted, Action Result, Execution/file path, Timestamp

Additional Recommendations

• + • Implement dual authorization for movement and deletion of audit log
• + information
• - Alert configurations should include the following:
• + Alert configurations include the following:

Best Practices

• - For passwords and passphrases:
• + • Ensure that one of the factors is provided by a separate service (e.g., authenticator apps or bio-metrics) from the system gaining access
• + For Multi-Factor Authentication (MFA), apply to the following:
• + • Any Internet facing systems, including webmail and web portal
• + • Source code repository
• + For passwords and passphrases (if MFA is not available):
• - • Minimum password or passphrase length of at least 12 characters
• + • Minimum password or passphrase length of at least 16 characters
• - • Can't reuse last 5 passwords or passphrases (not applicable to service accounts)
• + • Do not reuse last 5 passwords or passphrases (not applicable to service accounts)
• + • Randomly generate newly assigned and temporary passwords that are unique and comply with password complexity rules in place
• - For Multi-Factor Authentication (MFA), apply to the following:
• - • Any Internet facing systems, including webmail and web portal
• - • Source code repository

Additional Recommendations

• + • Validate users against existing authentication platforms (e.g., Active Directory) through integration to a Single Sign-On service
• + • Utilize passkeys instead of passwords
• + • Standardize naming conventions for usernames
• + For passwords and passphrases:
• + • Do not include context-specific words such as account name, service name, or company name, individual's name, date of birth, or any personal details, etc.
• + • Do not include repeating characters or patterns (e.g., 123123)
• + • Do not include weak, compromised, and/or commonly known passwords

Best Practices

• - • Implement Identity Access Management (IAM) (e.g., role-based access control (RBAC), attribute-based access control (ABAC), single sign on system, identity federation standards, and directory service (e.g., Active Directory, Open Directory, LDAP, Zero Trust Architecture, etc.))
• + • Identity Access Management (IAM) (e.g., role-based access control (RBAC), attribute-based access control (ABAC), Single Sign On system (SSO), identity federation standards, and directory service (e.g., Active Directory, Open Directory, LDAP, etc.)
• + • Authorize and document user and group accounts
• + • Regularly review user and group accounts to ensure privileges and system access is current and remove unnecessary privileges

Additional Recommendations

• + • Configure systems and applications for administrator actions to log and record: username, time stamp, action, action parameters
• - Configure systems and applications for administrator actions, at a minimum, to include the following:
• - • Log and record: username, time stamp, action, action parameters

Best Practices

• - Establish and regularly review a process to provide Shared Security Responsibility Model (SSRM) guidance to the Cloud Service Provider (CSP) and Cloud Service Consumer (CSC).
• + Establish and regularly review a process to provide Shared Security Responsibility Model (SSRM) guidance to the Cloud Service Provider (CSP) and Cloud Service Consumer (CSC), to include the following:
• + • Regular governance set up by CSC for all of it's CSPs and other software Service Providers
• + • Third-Party Risk Management (TPRM) for Third-Party software Service Provider or CSP or any Third-Party Service Provider as part of SSRM

Additional Recommendations

No change on this column.

Best Practices

• + • Update documentation when infrastructure changes occur

Additional Recommendations

No change on this column.

Best Practices

• - Establish and regularly review a process for Secure Software Development Lifecycle (SSDLC) for application design, development, deployment, and including a software testing strategy, regardless of location, to include the following:
• + Establish and regularly review a process for Secure Software Development Life Cycle (SSDLC) for application design, development, deployment, and including a software testing strategy, regardless of location, to include the following:
• + • Do not deploy testing functions created for development production. This can include debug functions and flags
• - • Include scanning (e.g., TFSEC) coverage for Continuous Integration (CI)/Continuous Delivery (CD) automated pipelines and deployments (e.g., Terraform)
• + • Scanning (e.g., TFSEC) coverage for Continuous Integration (CI)/Continuous Delivery/Deployment (CD) automated pipelines and deployments (e.g., WhiteHat)
• + • A robust IAM to manage the access to CI/CD components
• - • Include scanning open-source libraries
• + • Scanning open-source libraries
• + • Do not hard code passwords and other authentication data into source code or scripts
• + • Mask passwords and other authentication data when displayed on screen

Additional Recommendations

• - • If manual scanning tools or code analysis tools are used, a scan should be conducted at each code change and/or production code push
• + • If manual scanning tools or code analysis tools are used, a scan is conducted at each code change and/or production code push
• + • Version control of the source code
• + • Exception handling routines
• + • Error messages do not display any confidential Information
• + • Both client and server software employ inspection relay techniques to prevent man-in-the-middle (MITM) attacks
• + • Open source software (OSS) and third-party software or source code are tested for vulnerabilities
• - Reference NIST's Secure Software Development Framework (SSDF) NIST 800-218 (https://csrc.nist.gov/Projects/ssdf) as an example for Threat Modeling and on how to develop a Secure Software Development Lifecyle (SSDLC) process for coverage of training, requirements, design, development, testing, release, and response
• + Reference NIST's Secure Software Development Framework (SSDF) NIST 800-218 (https://csrc.nist.gov/Projects/ssdf) as an example for Threat Modeling and on how to develop a Secure Software Development Life Cycle (SSDLC) process for coverage of training, requirements, design, development, testing, release, and response

Best Practices

• - Establish and regularly review a process to develop systems and applications based upon principles of Security by Design (SbD) and Privacy by Design (PbD), to include the following:
• + Establish and regularly review processes to develop systems and applications based upon principles of Security by Design (SbD) and Privacy by Design (PbD), to include the following:
• - • According to local laws, regulations, and agreements
• + • In accordance with local laws, regulations, and agreements

Additional Recommendations

No change on this column.

Best Practices

• - • Disable Virtual Private Network (VPN) access to transfer systems

Additional Recommendations

• + • Do not embed usernames and passwords into content links or cache them in browsers
• + • Distribute user credentials and content links using separate forms of communication (e.g., username via corporate email & password via SMS)
• + • Assign Static IPs and/or utilize MAC filtering

Best Practices

• - For in-house developed applications, document and maintain Application Hardening Guidelines to harden host and guest OS, hypervisor or infrastructure control plane used on configured corporate systems, include the following:
• - • Follow testing procedures before deploying into production environment
• + For Licensed Applications, source and implement secure Application Configuration Guidelines provided by the licensee to configure applications used on configured corporate systems, to include the following:
• + • Apply to host and guest OS
• + • Ensure licensing agreement is from an authorized source, and is not expired
• + • Change vendor default authentication information, such as default passwords, immediately after installation and review other important default security-related parameters
• - • Review and update the application hardening guidelines annually and/or when system components are installed or upgraded
• + • Review and update the application configuration guidelines annually and/or when system components are installed or upgraded

Additional Recommendations

• + • Package being installed matches published version
• + • Verified checksums, if available
• - For licensed applications, source and implement Application Hardening Guidelines provided by the licensee to harden host and guest OS, hypervisor or infrastructure control plane used on configured corporate systems, include the following:
• - • Ensure licensing agreement is from an authorized source, and is not expired
• - • Change vendor default authentication information, such as default passwords, immediately after installation and review other important default security-related parameters
• - • Review and update the application hardening guidelines annually and/or when system components are installed or upgraded
• - • Minimize the number of identities with privileged or administrator level access
• - • Disable unnecessary, unused, or unsecure identities
• - • Disable or restrict unnecessary functions and services
• - • Invoke time-out facilities that automatically log off applications after a predetermined period of inactivity
• - • Install anti-virus/anti-malware on systems where applications are installed

Best Practices

• + For In-House Developed Applications or scripts, document and maintain secure Application Configuration Guidelines used on configured corporate systems, to include the following:
• + • Follow testing procedures before deploying into production environment
• + • Review and update the application configuration guidelines annually and/or when system components are installed or upgraded
• + • Review and update the application design document(s) annually and/or when system components are installed, upgraded, or decommissioned
• + • Minimize the number of identities with privileged or administrator level access
• + • Disable unnecessary, unused, or unsecure identities
• + • Disable or restrict unnecessary functions and services
• + • Invoke time-out facilities that automatically log off applications after a predetermined period of inactivity
• + • Install anti-virus/anti-malware on systems where applications are installed

Additional Recommendations

• + For In-House Developed Applications:
• + • Document components that are used as the application building blocks
• + • Red Team or Cyber Security professionals to identify security vulnerabilities in areas such as source code, source code repositories (e.g., GitHub), API integrations, etc.

Best Practices

• - Establish and regularly review a process to secure any point-to-point Connection(s) by using dedicated, private connections, and/or encryption, to include the following:
• + Establish and regularly review a process to secure any point-to-point Connections by using dedicated, private connections, and/or encryption, to include the following:

Additional Recommendations

• - Review connections regularly
• + Review Connections regularly

Best Practices

No change on this column.

Additional Recommendations

• - Including WAN, DMZ, LAN, WLAN (wireless), VLAN, firewalls, switches, endpoints, etc.
• + Include WAN, DMZ, LAN, WLAN (wireless), VLAN, firewalls, switches, endpoints, etc.

Best Practices

• - • Port security to be enabled
• + • Port security is enabled
• - • Disable Simple Network Management Protocol (SNMP) if it is not in use. Use SNMP v3 or higher with strong passwords for community strings
• + • Disable Simple Network Management Protocol (SNMP) if it is not in use
• + • Use SNMP v3 or higher with strong passwords for community strings

Additional Recommendations

No change on this column.

Best Practices

• - Establish and regularly review a policy and process to separate external network(s)/WAN(s) from the internal network(s) by using stateful inspection firewall(s), to include the following:
• + Establish and regularly review a policy and process to separate external network(s)/WAN(s) from the internal network(s) by using stateful inspection Firewall(s), to include the following:
• - • Deploy a Web Application Firewall (WAF) in front of Internet facing web applications and APIs
• - • WAN network to prohibit direct network access to the internal content/production network
• + • A dedicated service or management network in place to manage core services (DNS, antivirus, logging, etc.)

Additional Recommendations

• + • Regularly review the list of approved incoming and outgoing requests
• + • Already identified malicious sites are blocked at external and internal firewall level
• + • All attempts to access malicious web addresses are logged and monitored
• + • Deploy a Web Application Firewall (WAF) in front of Internet facing web applications and APIs

Best Practices

• - • Layer 1 physical air gap
• - • Logical segmentation via Layer 2 or Layer 3 VLAN ACLs
• + • Layer 1 physical air gap and/or Logical segmentation via Layer 2 or Layer 3 VLAN ACLs

Additional Recommendations

No change on this column.

Best Practices

• - • Firewall to have a subscription to anti-virus and intrusion detection updates
• + • Firewall to have a subscription to anti-virus, sandbox, and intrusion detection updates

Additional Recommendations

No change on this column.

Best Practices

• - • Implement basic border gateway services (e.g., gateway anti-virus, URL filtering, etc.)
• + • Basic border gateway services (e.g., gateway anti-virus, URL filtering, etc.)

Additional Recommendations

No change on this column.

Best Practices

• - • Implement firewall rules to deny all outbound traffic by default, including to the Internet and other internal networks

Additional Recommendations

No change on this column.

Best Practices

• + • Disable or limit the functionality of clipboard to prevent unauthorized data transfer (e.g., global settings for remote access applications)
• + • Terminate remote sessions upon 30 minutes of inactivity
• - • Application Hardening Guidelines
• + • Application Configuration Guidelines

Additional Recommendations

• - • Use secure methods for remote access (e.g., SSH, SFTP, etc.)
• + • Use secure methods for remote access (e.g., SSH, HTTPS, PCOIP, etc.)
• + • Utilize pixel streaming applications to avoid content transfer to local systems
• + • Utilize proxy, broker, or gateway technologies for authentication to remote environments
• + Utilize host security profile checks to allow VPN connections from untrusted zones. Profile checks confirm the following at a minimum:
• + • OS Version
• + • Antivirus Version
• + • Disk Encryption
• + • Patch Management

Best Practices

• - Establish and regularly review a process for corporate Web Filtering to address the following:
• + Establish and regularly review a process for Web Filtering to address the following:

Additional Recommendations

No change on this column.

Best Practices

• - • Enable WPA2-PSK (AES), and/or WPA3-SAE
• + • Enable WPA2-EAP (AES), and/or WPA3-SAE

Additional Recommendations

No change on this column.

Best Practices

• - Establish and regularly review a process to monitor, encrypt, and restrict Network Connections between environments to only authenticated and authorized connections, to include the following:
• + Establish and regularly review a process to monitor, encrypt, and restrict Network Connections to only authenticated and authorized connections, to include the following:

Additional Recommendations

• - • Regularly review network connections between environments for unauthorized connections
• + • Regularly review Network Connections for unauthorized connections

Best Practices

• - • Access to keys should only be granted to authorized personnel
• + • Access to keys is only be granted to authorized personnel

Additional Recommendations

• - • All relevant key transactions/activity should be recorded (logged) in the Cryptographic Key Management System (CKMS)
• + • All relevant key transactions/activity are recorded (logged) in the Cryptographic Key Management System (CKMS)

Best Practices

No change on this column.

Additional Recommendations

• - Ensure that encryption key expiration dates conform to client instructions
• + • Ensure that encryption key expiration dates conform to client instructions
• + • Log receipt and configuration of all DKDMs and KDMs

Best Practices

• - Establish and regularly review a policy and process to perform Penetration Testing of all external IP ranges, hosts, and web applications, to include the following:
• + Establish and regularly review a policy and process to perform Penetration Testing of all external IP ranges, hosts, web applications, and content transfer tools, to include the following:
• + • Application and Network Architecture review
• + • Encryption at rest and in transit
• + • Private storage review

Additional Recommendations

No change on this column.

Best Practices

• - Establish and regularly review a Patching process for endpoints, servers, applications, virtual machines, network infrastructure devices (e.g., firewalls, routers, switches, etc.), Storage Area Networks (SAN), and Network Attached Storage (NAS), to include the following:
• + Establish and regularly review a Patching process for endpoints, servers, applications, virtual machines, databases, network infrastructure devices (e.g., firewalls, routers, switches, etc.), Storage Area Networks (SAN), and Network Attached Storage (NAS), to include the following:
• - • Subscribe to security and patch notifications from Service Providers, other third-parties, and security advisories
• + • Subscribe to security and patch notifications from Third-Party Service Providers, other third-parties, and security advisories
• + • Implement an exception process in place for patches that are incompatible with current technology with management approval and vendor patch details

Additional Recommendations

No change on this column.

Best Practices

• + Establish and regularly review a process for a Zero Trust Architecture (ZTA) - Authentication, to include the following:
• + • Authenticate each user before they are allowed to join or access a workflow/system
• + • Authenticate all systems and services before being used in any workflow
• + • Ensure all service communication is directed through a policy enforcement point
• + • Validate certificates used for authentication against a trusted certificate authority before being accepted
• + For Mutual Authentication:
• + • Mutually authenticate connections between two systems or services
• + • Establish an encrypted connection via Mutual Authentication before communication between proxies/endpoints can take place

Additional Recommendations

• + • Connect SaaS applications internal identity management to a system-wide authentication system (i.e., Single Sign-On Service)
• + • Apply Zero-Trust Architecture Best Practices at the application layer to ensure threat coverage

Best Practices

• + Establish and regularly review a process for managing Zero Trust Architecture (ZTA) - Authorization Policies, to include the following:
• + • For all access to assets, services, and systems
• + • Ensure all connections are authorized by an Authorization Policy
• + • Store Authorization Policies in an easily identifiable location
• + • Map native access controls to the requirements of Authorization Policies, including SaaS applications

Additional Recommendations

• + • Utilize global organizational policies when creating Authorization Policies
• + • Set Authorization Policies to expire after the shortest period needed to conduct necessary tasks
• + • Deploy a discrete policy enforcement point in front of SaaS applications when Authorization Policies cannot be used
• + • Utilize applications where Authorization Policies are automatically generated by workflow management rules

Best Practices

• + Establish and regularly review a process for managing Zero Trust Architecture (ZTA) - Protect Surfaces for all organizational data, applications, assets, and services, to include the following:
• + • Define and map all organizational Protect Surfaces
• + • Apply ZTA to defined Protect Surfaces
• + • Place ZTA security controls at the point of access for the Protect Surface (i.e., Policy Enforcement Point)

Additional Recommendations

• + • Document classification of all data and assets (e.g., sensitive, confidential, public)
• + • Tailor the protection and security controls based on data classification
• + • Use Multi-Factor Authentication (MFA) with adaptive authentication to continuously validate users and devices before granting access

Best Practices

• + Establish, document, and regularly review a workflow and process for Artificial Intelligence & Machine Learning (AI/ML) - Data I/O Workflows and Systems, to include scanning of all pre-trained large language models (LLMs), datasets, and models from public repositories before use to prevent the importing of malware or unwanted data.

Additional Recommendations

• + • Import all pre-trained LLMs into a private cloud before use
• + • Employ real-time monitoring for machine learning functionality deviations
• + • Maintain audit trail of data set usage and associated assets per logging retention

Best Practices

• + For Artificial Intelligence & Machine Learning (AI/ML) applications, source and implement secure Application Configuration Guidelines provided by the licensee to configure applications used on configured corporate systems, to include the following:
• + • Apply to host and guest OS
• + • Implement application level encryption and access control for sensitive user data

Additional Recommendations

• + • Complete a model card or equivalent for each AI/ML application in use

Best Practices

• - Establish, regularly review, and update upon key changes, an Information Security Management System (ISMS), Information Security Manual (ISM), or Information Security Policy (ISP) which is approved by leadership of the organization, to include the following:
• + Establish and regularly review an Information Security Management System (ISMS), Information Security Manual (ISM), or Information Security Policy (ISP), approved by leadership, to include the following:
• + • Update upon significant changes

Additional Recommendations

• - • Reference established Information and Content Security frameworks (e.g., MPA Best Practices, ISO 27001, NIST 800-53, SANS, CoBIT, CSA, CIS, etc.)
• + • Reference established Information and Content Security frameworks (e.g., ISO 27001, NIST 800-53, SANS, CoBIT, CSA, CIS, etc.)
• - • Establish a defined team for Information Security, including a Governance Committee, to develop policies addressing threats, incidents, risks, etc.
• + • Establish a designated team for Information Security, including a Governance Committee, to develop policies addressing threats, incidents, risks, etc.
• - • Prepare organization charts and job descriptions to facilitate the designation of roles and responsibilities as it pertains to security
• + • Prepare organizational charts and job descriptions to facilitate role designation and responsibilities pertaining to security

Best Practices

• - Establish and regularly review an Acceptable Use Policy (AUP) governing the use of Internet (e.g., social media, communication activities, etc.), to include the following:
• + Establish and regularly review an Acceptable Use Policy (AUP) governing Internet use (e.g., social media, communication activities, etc.), to include the following:
• - • Do not share on any social media platform, forum, blog post, or website: information related to pre-release content and related project activities, unless expressed written consent from the client is obtained
• + • Do not share on any social media platform, forum, blog post, or website any information related to pre-release content and related project activities, unless express written consent from the client is obtained

Additional Recommendations

• - • Acceptable uses of technologies
• + • Define acceptable uses of technologies
• - • Use dedicated, company administered accounts for marketing and communication purposes
• + • Use dedicated, company-administered accounts for marketing and communication purposes

Best Practices

• - • Team responsible for developing and maintaining the Business Continuity Plan
• + • Team responsible for developing, maintaining, and communicating the BCP
• - • Define threats to critical assets, locations, infrastructure, and business operations (e.g., loss of power or communications, systems failure, natural disasters, pandemics, breach, etc.)
• + • Define threats to critical assets, locations, infrastructure, and business operations (e.g., loss of power or communications, systems failure, natural disasters, pandemics, breaches, etc.)
• - • Include Incident Response as part of the Business Continuity Plan
• + • Include Incident Response as part of the BCP
• + • For applications, outline Application Security Testing in the BCP

Additional Recommendations

• - • Testing procedures of business continuity processes regularly, to include tabletop exercises
• + • Validate BCP via tabletop exercises
• + • Define and document Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for critical services and operations as defined in the Business Impact Analysis (BIA)
• - • Workarounds, alternate solutions, etc.
• + • Define workarounds, alternate solutions, etc.
• - • Protect security systems from disruption in power
• - For template examples refer to SANS: https://www.sans.org/information-security-policy/ and FEMA: https://www.fema.gov/
• + • Protect security systems from disruption in power (e.g., alarms, electronic access, etc.)
• + For template examples, refer to FEMA: https://www.ready.gov/business/emergency-plans/continuity-planning, or TPN Partner Resource Center in TPN+: https://plus.ttpn.org/partner-resources

Best Practices

• - Establish and regularly review a formal policy and plan Disaster Recovery (DR) policy and plan, to include the following:
• + Establish and regularly review a formal Disaster Recovery Plan (DR) and policy, to include the following:
• - • Team responsible for developing, maintaining, and communicating the Disaster Recovery plan
• + • Team responsible for developing, maintaining, and communicating the DR Plan
• - • Include Incident response as part of the Disaster Recovery (DR) plan
• + • Include Incident Response as part of the DR Plan
• - • Restrict access to modify or delete backups to privileged users with assigned data backup and recovery operation roles
• + • Restrict access to modify or delete backups to only authorized users
• + • Perform regular backups of business-critical data per client requirements
• + • Encrypt regular backups of business-critical data per client requirements

Additional Recommendations

• + • Validate DR Plan via testing (e.g., tabletop exercises, partial disaster, full-scale disaster, etc.) to defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
• - • Testing procedures of disaster recovery processes regularly, to include tabletop exercises
• - • Base on Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
• - For template examples refer to SANS: https://www.sans.org/information-security-policy/ and FEMA: https://www.fema.gov/
• + • Store regular backups of business-critical data in multiple locations per client requirements
• + For template examples, refer to FEMA: https://www.ready.gov/business/emergency-plans/recovery-plan, or TPN Partner Resource Center in TPN+: https://plus.ttpn.org/partner-resources

Best Practices

• - • Handling throughout its lifecycle
• + • Handling throughout data life cycle

Additional Recommendations

• - • Classify according to data sensitivity
• + • Classification according to data sensitivity
• - • Third-Party Service Provider data sharing responsibilities (e.g., via contract clauses, etc.)
• + • Third-party Service Provider data sharing responsibilities (e.g., via contract clauses, etc.)

Best Practices

• - • Address workflows, assets, operations, and personnel
• + • Address workflows, assets, operations, applications, and personnel
• - • Review and update upon key changes
• + • Review and update upon significant changes
• + • Classify and prioritize risks by severity (e.g., Critical, High, Medium, etc.)
• - • Document decisions on risk management, to include monitoring and reporting remediation status with relevant stakeholders
• + • Document decisions on Risk Management to include monitoring and reporting remediation status with relevant stakeholders

Additional Recommendations

• - • Define a clear scope for the security risk assessment and modify as necessary
• + • Define a clear scope for the security risk assessment
• + • Document and maintain a Threat Modeling and Analysis process
• + • Regularly meet with management and key stakeholders to identify and document risks
• - • Risks identified tie into the Business Continuity (BCP) and Disaster Recovery (DR) Plans
• + • Risks identified are addressed in Business Continuity (BCP) and Disaster Recovery (DR) Plans
• + • Include risks to all environments and infrastructure, along with a Site Security Plan for each location
• - • Include risks to all environments and infrastructure, to include Site Security Plan for each site to summarize the implemented security controls (e.g., camera, alarm, and EAC locations) to protect physical access to assets, as well as applicable risks and threats
• - • Conduct meetings with management and key stakeholders regularly to identify and document risks
• - • Document and maintain a Threat Modeling and Analysis process
• - • Utilize a Red Team or Cyber Security professionals to identify security vulnerabilities
• + • Utilize a Red Team or cybersecurity professionals to identify vulnerabilities
• - • Cyber Security insurance to help manage financial impact from a cyberattack
• + • Cybersecurity insurance to help manage financial impact from a cyberattack
• - • Leverage established information security risk management framework (e.g., NISTIR 8286, FAIR frameworks, or ISO 31000:2018/ISO 31010:2019, ISO 27005, & NIST 800-30)
• + • Leverage established Information Security Risk Management framework (e.g., NISTIR 8286, FAIR frameworks, ISO 31000:2018/ISO 31010:2019, ISO 27005, and/or NIST 800-30)

Best Practices

• - • Perform in accordance with local laws, regulations, agreements, and cultural considerations
• + • In accordance with local laws, regulations, agreements, and cultural considerations

Additional Recommendations

No change on this column.

Best Practices

• - • Communicate and obtain sign-off from all relevant/required/authorized company personnel for all current policies, procedures, and/or client requirements
• + • Communicate and obtain sign-off from all relevant company personnel for all current policies, procedures, and/or client requirements
• - • Provision physical/digital access
• + • Provision physical and digital access
• + • Create an audit trail, which includes access provisioning or access enabled date, with system admin sign off

Additional Recommendations

• - • Apply on a per project basis
• + • Apply on a per-project basis
• - • Issue photo ID badge for all relevant employees and third-party personnel
• + • Issue photo ID badge for all relevant full- and part-time employees, consultants, contractors, interns, freelancers, temporary workers, and third-party personnel
• - • Review for role/job changes, geographical relocations, and leave of absence
• + • Review for role/job changes, geographical relocations, and leaves of absence
• - • For Third-Party IT Service Provider, access to be limited to a specific time frame and enforced via account lockout
• + • For third-party IT Service Provider, limit access to a specific time frame and enforce via account lockout

Best Practices

• - • Transfer ownership of data & access
• + • Transfer ownership of data and access
• - • De-provision physical/digital access
• + • De-provision physical and digital access
• + • Create an audit trail, which includes access removal or access disabled date, with system admin sign off

Additional Recommendations

• - • Apply on a per project basis
• + • Apply on a per-project basis
• - • Apply disciplinary policy, when applicable

Best Practices

• - Establish and regularly review a Training & Awareness program about security policies and procedures and train all relevant full- and part-time employees, consultants, contractors, and interns upon hire and annually, to include the following:
• + Establish and regularly review a Training & Awareness Program about security policies and procedures and train all relevant full- and part-time employees, consultants, contractors, interns, freelancers, and temporary workers, upon hire and annually, to include the following:
• + • For developers, support, and maintenance personnel of the application, tailor specific training (e.g., secure coding, etc.)
• - • Reviewed, updated, and training conducted after introduction of new processes and technologies
• + • Review, update, and conduct training after introduction of new processes and technologies

Additional Recommendations

• - • Training for business email compromise, social engineering, ransomware, malware, phishing
• + • Training for business email compromise, social engineering, ransomware, malware, and phishing
• - • Training covers not using the same password or passphrase on multiple accounts
• + • Training covers Authentication Best Practices (TS-1.6) (e.g., complexity, multiple account usage, etc.)
• - • Perform project specific training, including access approval process and incident escalation before commencement of project
• + • Perform project-specific training, including access approval process and incident escalation, before commencement of project

Best Practices

• - Ensure Contracts & Service Level Agreements (SLAs) with Third-Party Service Providers (i.e., external companies that are paid for services provided), include the following:
• + Confirm that Contracts & Service Level Agreements (SLAs) with third-party Service Providers (i.e., external companies that are paid for services provided, including support, development, and maintenance of applications), include the following:
• + • Incident Response process
• - • Data handover and disposal upon service termination
• + • Data handover and destruction upon service termination
• - • Ability to obtain requested Information Security Compliance Certificates and/or Attestations
• + • Ability to obtain requested Information Security compliance certificates and/or attestations
• - • Background Screening of all third-party full- and part-time employees, consultants, contractors, and interns
• + • Background screening of all third-party full- and part-time employees, consultants, contractors, interns, freelancers, and temporary workers
• - • Confidentiality Agreements/NDAs for all third-party full- and part-time employees, consultants, contractors, and interns
• + • Confidentiality Agreements/NDAs for all third-party full- and part-time employees, consultants, contractors, interns, freelancers, and temporary workers
• - • Notification if services are outsourced or subcontracted
• + • Client notification if services are outsourced or subcontracted
• - • Handling and reporting of incidents

Additional Recommendations

• - • An independent, third-party review/audit of the effectiveness of the Third-Party Service Provider's security and privacy controls is performed (e.g., MPA Best Practices, CSA Star, ISO, SOC 2 Type 2, etc.)
• + • An independent, third-party review/audit of the effectiveness of the third-party Service Provider's security and privacy controls (e.g., MPA Content Security Best Practices, CSA Star, ISO, SOC 2 Type 2, etc.)
• - • Audit covers the following: Organizational, Operational, Physical, and Technical Security

Best Practices

• + • Analysis
• - • Evidence/Forensics
• + • Evidence/forensics
• - • Analysis
• - • Reporting and Metrics
• + • Reporting and metrics
• - • A corrective action process, to include root cause, lessons learned, preventative measures taken, etc.
• + • A corrective action process to include Root Cause Analysis (RCA), lessons learned, preventative measures taken, etc.
• - • Notification of affected business partners and clients, in a timely manner
• + • Notification of affected business partners and clients in a timely manner
• - • Utilize this url to report incidents related to piracy https://www.alliance4creativity.com/report-piracy/
• + • Utilize this URL to report piracy incidents: https://www.alliance4creativity.com/report-piracy/

Additional Recommendations

• - • Notify impacted Content Owners as soon as possible and provide high-level incident details
• + • Notify impacted clients as soon as possible and provide high-level incident details
• - • Regularly update, through an established cadence with Content Owners, with new information throughout the investigation
• + • Regularly update, through an established cadence with clients, with new information throughout the investigation
• - • Retain third-party security partner for incidents
• + • Hire third-party cybersecurity partner for incidents, as needed

Best Practices

• - Establish and regularly review a formal Artificial Intelligence (AI) & Machine Learning (ML) policy aligned to overall Security Management program, to include the following:
• + Establish and regularly review a formal Artificial Intelligence (AI) & Machine Learning (ML) Security Management policy for in-house developed or third-party licensed AI/ML, to include the following:
• - • Ensure client approval for AI/ML application use
• + • Obtain client approval for AI/ML application use
• - • Review data sources and its integrity before use
• + • Review data sources and data integrity before use
• - • Adhere to local laws, regulations, and client policy when using AI/ML data
• + • In accordance with local laws, regulations, agreements, and client policy when using AI/ML data
• - • Include AI/ML in Acceptable Use Policy
• + • Include AI/ML in Acceptable Use Policy Best Practices (OR-1.1)

Additional Recommendations

No change on this column.

Best Practices

No change on this column.

Additional Recommendations

• - • For receiving log, include the following information: name and signature of courier/delivering entity, name and signature of recipient, time and date of receipt
• + • For receiving log, include the following information: name and signature of courier/delivering entity, name and signature of recipient, and time and date of receipt
• - • If physical assets are not normally handled, notify Content Owner(s) when it occurs
• + • If physical assets are not normally handled, notify client(s) when physical assets are received

Best Practices

No change on this column.

Additional Recommendations

• - • Secure containers depending on asset value (e.g., Pelican case with a combination lock)
• + • Secure containers depending on asset value (e.g., case with a combination lock)
• - • Tamper-evident tape, packaging, and/or seals
• + • Utilize tamper-evident tape, packaging, and/or seals

Best Practices

• - Establish and regularly review a Shipping process to ship client assets, to include the following:
• + Establish and regularly review a Shipping process for client assets, to include the following:
• - • Maintain a shipping log that includes: Time of shipment, recipient name, contact number, address of destination, tracking number from shipper
• + • Maintain a log that includes: Time of shipment, recipient name, contact number, address of destination, and tracking number from shipper
• - • Retain shipping log for one year at a minimum
• + • Retain log(s) for one year at a minimum, or the maximum time allowed, in accordance with local laws, regulations, and agreements
• - • Use client approved shipping vendor
• + • Use client-approved shipping vendor

Additional Recommendations

• - • Generate a work/shipping order to authorize client asset shipments in/out of the facility
• + • Generate a work/shipping order to authorize client asset shipments
• - • If physical assets are not normally handled, notify Content Owner(s) when it occurs
• + • If physical assets are not normally handled, notify client(s) when physical assets are received
• - • Delivery confirmation for high value assets
• + • Delivery confirmation

Best Practices

• - Establish and regularly review a process for Transport Vehicles handling content, to include the following:
• + Establish and regularly review a process for Transport Vehicles handling assets, to include the following:
• - • Ensure packages are out of view
• + • Verify packages are out of view
• - • Establish a process for third-party couriers
• + • Third-party couriers

Additional Recommendations

• - • Theft insurance when transporting sensitive assets or as requested by client
• + • Theft insurance when transporting sensitive assets or per client requirements
• - • Restrict courier access into high security areas
• + • Restrict courier access into high-security areas

Best Practices

• - Establish and regularly review a policy and process for Work From Home (WFH)/Remote Workers, in accordance with local laws, regulations, and agreements, and apply the following Best Practices:
• + Establish and regularly review a policy and process for Work From Home (WFH)/Remote Workers, in accordance with local laws, regulations, and agreements, and apply the following MPA Content Security Best Practices, tailored to WFH/Remote Workers:
• - • Authentication & Authorization
• + • Authentication (TS-1.6)
• + • Authorization (TS-1.7)
• - • Background Screening
• + • Background Screening (OR-3.0)
• - • Business Continuity Plan
• + • Business Continuity Plan (OR-1.2)
• - • Endpoint Protection
• + • Endpoint Protection (TS-1.3)
• - • Identity Access Management
• + • Identity Access Management (TS-1.8)
• - • On-boarding
• + • On-boarding (OR-3.1)
• - • Off-boarding
• + • Off-boarding (OR-3.2)
• - • Remote Access
• + • Remote Access (TS-2.9)
• + • Remote Sites & Locations (OP-2.1)
• - • Risk Management
• + • Risk Management (OR-2.0)
• - • Training & Awareness
• + • Training & Awareness Program (OR-3.3)
• - • Wireless Networks
• + • Wireless Networks (TS-2.11)

Additional Recommendations

• - • Apply Incident Response Best Practices
• + • Apply Incident Response Best Practices (OR-4.0)
• - • For on-boarding, confidentiality agreements for other members at the remote location (e.g., roommate, spouse, etc.)
• + • For on-boarding, confidentiality agreements for other members at the remote location (e.g., roommate, spouse, etc.) per client requirements
• - • Regularly review user list for discrepancies, and unusual or suspicious activity
• + • Regularly review user list for discrepancies and unusual or suspicious activity
• - • Training includes permissible working locations (e.g., non-public spaces, rooms out of direct sight line of neighbors and/or others, etc.)
• - • Change home router default passwords
• + • Training includes permissible working locations (e.g., non-public spaces, areas where content is visible to unauthorized parties, etc.)
• + • Change default credentials on home networking equipment
• + For sensitive content and data, per client requirements:
• + • Apply Alarm System Best Practices (PS-1.4)
• + • Apply Camera System Best Practices (PS-3.0)
• + • Apply Entry/Exit Points Best Practices (PS-1.0)

Best Practices

• - Establish and regularly review a policy and process to secure Remote Sites & Locations, and apply the following Best Practices:
• + Establish and regularly review a policy and process to secure Remote Sites & Locations, and apply the following MPA Content Security Best Practices:
• - • Disaster Recovery
• + • Disaster Recovery Plan (OR-1.3)
• - • Entry/Exit Points
• + • Entry/Exit Points (PS-1.0)
• - • Remote Access
• + • Remote Access (TS-2.9)

Additional Recommendations

• - • Restrict unauthorized access to content from others at the remote working location (e.g., roommate, spouse, etc.)
• + • Restrict unauthorized access to content from others at the remote working location
• - • Attach privacy screens to monitors where content or sensitive information is visible to others
• + • Attach privacy screens to monitors where content or sensitive information is visible to unauthorized parties
• - • Logs for content accessed, processed, and/or stored
• + • Apply Tracking Best Practices (OP-3.0)
• - • Apply Alarm System Best Practices
• + • Apply Alarm System Best Practices (PS-1.4)
• - • Apply Camera System Best Practices
• + • Apply Camera System Best Practices (PS-3.0)

Best Practices

• - • Leverage a Content Asset Management System
• + • Leverage a content asset management system
• - • Utilize a unique asset identifier (e.g., barcode, unique ID, etc.) in the system, to include the location, time, and date of each asset transaction
• + • Utilize a unique asset identifier (e.g., barcode, unique ID, etc.) to include the location, time, and date of each asset transaction
• - • Retain transaction logs for at least one year
• + • Retain transaction logs for at least one year, or the maximum time allowed, in accordance with local laws, regulations, and agreements

Additional Recommendations

• - • Review transaction logs regularly for anomalies
• + • Regularly review transaction logs for anomalies
• - • Implement watermarking as instructed by client (e.g., spoiling, visible, forensic, etc.)
• + • Watermark assets per client requirements (e.g., spoiling, visible, forensic, etc.)

Best Practices

• - Establish and regularly review a process to support the handling of content for client classified High Security Titles, to include the following:
• + Establish and regularly review a process to support the handling of content for client-classified High-Security Titles, to include the following:

Additional Recommendations

• - • Use client assigned security title aliases on assets and in asset tracking systems, including lifecycle management (e.g., handling of alias pre- vs post-release)
• + • Use client-assigned security title aliases on assets and in asset tracking systems including life cycle management (e.g., handling of alias pre- vs. post-release)
• - • Segregate communications/assets to not include alias and client title
• + • Communications do not include both project alias and client title together (e.g., emails, memos, etc.)
• - • Use of separate network (e.g., physical or logical segmentation)
• + • Use of separate network (i.e., physical or logical segmentation)
• - • Store physical assets for high security titles (e.g., scripts, art, external hard drives, etc.) in a secured area while not in use
• + • Store physical assets for High-Security Titles (e.g., scripts, art, external hard drives, etc.) in a secured area while not in use
• - • For aliases, ensure the alias is generic and does not reference anything that might hint at the actual project or production name (e.g., characters, locations, genre, etc.)
• + • For aliases, use a generic alias that does not reference anything that might hint at the actual project or production name (e.g., characters, locations, genre, etc.)
• - • If aliases are used on any production signage, ensure the signage is plain and does not contain any artwork or reference that might hint at the actual production name
• + • If aliases are used on any production signage, use generic signage that does not contain any artwork that might hint at the actual project or production name

Best Practices

• - Establish and regularly review a process for the physical and logical Disposal of stock/client assets (e.g., discs, storyboards, scripts, hard drives, etc.), to include the following:
• + Establish and regularly review a process for the Destruction of stock/client assets (e.g., discs, storyboards, scripts, hard drives, data files, etc.), to include the following:
• - • Store assets in a secure location/container prior to disposal
• + • Store assets in a secure location/container prior to destruction
• - • Erasing, degaussing, shredding, or physically destroying before disposal
• + • Erase, degauss, shred, or destroy prior to physical disposal

Additional Recommendations

• - • When using a third-party company for destruction, obtain a Certificate of Destruction (CoD)
• + • When using a third-party company for Destruction, obtain a Certificate of Destruction (CoD)
• - • Complete destruction within 30 days
• + • Complete Destruction within 30 days
• - • Maintain a log of asset disposal for at least one year
• + • Maintain destruction logs for at least one year

Best Practices

• - Establish and regularly review a process to physically secure all Entry/Exit Points at facilities, to include the following:
• + Establish and regularly review a process to physically secure all Entry/Exit Points, to include the following:
• - • Apply to facility server room, screening room, loading docks, etc.
• + • Apply to server room, screening room, loading docks, etc.

Additional Recommendations

• - • Attach privacy screens to monitors where content or sensitive information is visible to others
• + • Attach privacy screens to monitors where content or sensitive information is visible to unauthorized parties
• - • For signage utilized at the facility or remote site/location, ensure the signage is plain and does not contain any artwork that might hint at the actual production name
• + • For signage utilized at the facility or remote site/location, use generic signage that does not contain any artwork that might hint at the actual project or production name

Best Practices

• - Establish a process for Visitors who have access to high security areas, to include the following:
• + Establish a process for Visitors who have access to high-security areas, to include the following:
• - • Visitor log
• + • Visitor logs
• - • Retain visitor logs for one year at a minimum, in accordance with local laws, regulations, and agreements
• + • Retain visitor log(s) for one year at a minimum, or the maximum time allowed, in accordance with local laws, regulations, and agreements
• - • Verification of identity via valid government issued photo ID (e.g., driver's license, passport, etc.)
• + • Verification of identity via valid government-issued photo ID (e.g., driver's license, passport, etc.)
• - • NDA/Confidentiality Agreement for visitors with access to sensitive content
• + • NDA/Confidentiality Agreement for Visitors per client requirements

Additional Recommendations

• - • Visitor log to capture: name, company, entry/exit time, reason for visit, person(s) visiting, and signature of visitor
• + • Visitor log(s) to capture: name, company, entry/exit time, reason for visit, person(s) visiting, and signature of Visitor
• - • Conceal the names of previous visitors
• + • Conceal the names of previous Visitors in log(s)
• - • Make visitor badges/stickers easily distinguishable from company personnel badges
• + • Make Visitor badges/stickers easily distinguishable from company personnel badges
• - • Accompanied by an authorized employee
• + • Visitors are accompanied by an authorized employee according to security considerations

Best Practices

• - Establish and regularly review a process to implement Electronic Access Control (EAC) to cover all high security areas, to include the following:
• + Establish and regularly review a process to apply Electronic Access Control (EAC) to cover all high-security areas, to include the following:
• - • Designate an individual(s) to authorize access
• + • Designate personnel to authorize access
• - • Assign electronic access to specific areas based on job function and responsibilities (e.g., vault, server/machine room, etc.) to authorized personnel only
• + • Assign electronic access to specific areas based on job function and responsibilities (e.g., vault, server/machine room, etc.)
• - • Restrict electronic access system administration to appropriate personnel
• + • Restrict Electronic Access system administration to appropriate personnel
• - • Keep a log that ties the device (e.g., badge, keycard/fob, etc.) to each company personnel
• + • Keep a log that ties the device (e.g., badge, keycard/fob, etc.) to personnel
• - • Store and manage badge, keycard/fob stock securely
• + • Store and manage badge and keycard/fob stock securely
• - • Deploy access control system on a dedicated network, separate from production
• + • Deploy Electronic Access Control system on a dedicated network

Additional Recommendations

• - • Set third-party, contractor, etc., to approved timeframe with expiration date (e.g., 90 days)
• + • Set third-party (e.g., consultant, contractor, etc.) to approved timeframe with expiration date (e.g., 90 days)
• - • Keep records of any changes to access rights
• + • Log access rights changes

Best Practices

• - • System enabled logging for all applicable areas
• + • System enabled logging
• - • Retain logs for one year at a minimum, in accordance with local laws, regulations, and agreements
• + • Retain logs for one year at a minimum, or the maximum time allowed, in accordance with local laws, regulations, and agreements

Additional Recommendations

• - • Review logs regularly for discrepancies
• + • Regularly review logs for discrepancies

Best Practices

• - Install and maintain an Alarm System that covers all entry/exit points to high security areas (including emergency exits), windows, loading docks, fire escapes, and restricted areas (e.g., vault, server/machine room, etc.), to include the following:
• + Install and maintain an Alarm System that covers all entry/exit points to high-security areas (including emergency exits), windows, loading docks, fire escapes, and restricted areas (e.g., vault, server/machine room, etc.), to include the following:
• - • Automated alerts of each unauthorized/failed attempt, including when physical keys are used to override electronic access controls
• + • Automated alerts of each unauthorized/failed attempt including when physical keys are used to override electronic access controls
• - • Review users regularly
• - • Test alarm system regularly
• + • Regularly review users
• + • Regularly test Alarm System

Additional Recommendations

• - • Log every alarm state change (e.g., Set to Unset) and the time and individual that triggered the change
• + • Log every alarm state change (e.g., Set changing to Unset), the time, and the individual that triggered the change
• + • Install Alarm System in all areas of the facility, including non-high-security areas
• - For high security and all areas processing or handling content:
• + For high-security and all areas processing or handling content:

Best Practices

• - • A check-in/check-out process for master keys to track and monitor the distribution
• + • A check-in/check-out process for master keys to track and monitor distribution
• - • Maintain a list of company personnel who are allowed to check out master keys and review the list regularly
• + • Maintain and regularly review a list of company personnel who are allowed to check out master keys
• - • All keys should be stored in a safe location (e.g., lockbox or safe)
• + • Store all keys in a safe location (e.g., lockbox or safe)
• - • Change the locks when missing keys to restricted areas cannot be accounted for
• + • Change the locks when keys to restricted areas cannot be accounted for

Additional Recommendations

• - A check-in/check-out process to track and monitor the distribution of non-master Keys
• + • A check-in/check-out process for non-master keys to track and monitor distribution

Best Practices

• - • Searches performed at key entry/exit points
• + • Perform searches at key entry/exit points

Additional Recommendations

• - • Apply to recording/storage devices (e.g., USB thumb drives, digital cameras, cell phones, etc.) in high security areas
• + • Restrict recording/storage devices (e.g., USB thumb drives, digital cameras, cell phones, etc.) in high-security areas
• - • Use of transparent bags and containers
• + • Use transparent bags and containers

Best Practices

• - Install and maintain a Camera System that covers all entry/exit points to high security areas (including emergency exits), windows, loading docks, fire escapes, and restricted areas (e.g., vault, server/machine room, etc.), to include the following:
• + Install and maintain a Camera System that covers all entry/exit points to high-security areas (including emergency exits), windows, loading docks, fire escapes, and restricted areas (e.g., vault, server/machine room, etc.), to include the following:
• - • Restrict physical and/or logical access to the surveillance camera console and to camera equipment (e.g., DVRs, NVRs, etc.) to authorized personnel only
• + • Restrict access to the surveillance camera console and camera equipment (e.g., DVRs, NVRs, etc.) to authorized personnel only
• - • Camera positioning and recordings for adequate coverage, image quality, lighting conditions, accurate date and time stamp, and frame rate of surveillance footage
• + • Configure cameras to capture adequate coverage of recorded areas, image quality, lighting, date and time stamps, frame rate, etc.

Additional Recommendations

• - • All camera cables and wiring are discretely hidden from view and not within reach
• + • Discretely hide all camera cables and wiring from view and keep out of reach
• - • Avoid capturing content on display
• + • Avoid capturing content on displays
• - • Ensure surveillance equipment functions properly, including an uninterruptable power supply
• + • Verify surveillance equipment functions properly, including an uninterruptable power supply
• - • All cameras provided by the building or landlord are adequate, and footage is accessible
• + • All cameras provided by the building or landlord are adequate and footage is accessible
• - • Install cameras in all areas of the facility, including non-high security areas
• + • Install cameras in all areas of the facility, including non-high-security areas

Best Practices

• - For an owned and operated Data Center and/or Co-location, or when utilizing a Cloud Provider, proof can be provided via policy, procedure, or audit report documents, that includes the following Best Practices:
• + When utilizing a Data Center and/or Co-location, provide proof via policy, procedure, or audit report documents, that the following MPA Content Security Best Practices are implemented:
• - • Alarm System
• + • Alarm System (PS-1.4)
• - • Camera System
• + • Camera System (PS-3.0)
• - • Contracts & Service Level Agreements
• + • Contracts & Service Level Agreements (OR-3.4)
• - • Entry/Exit Points
• + • Entry/Exit Points (PS-1.0)
• - • Environmental Controls
• + • Environmental Controls (PS-3.1)
• - • Incident Response
• + • Incident Response (OR-4.0)
• - • Network Topology Diagram
• + • Network Topology Diagram (TS-2.2)
• - • Physical Access Control
• - • Risk Management
• + • Risk Management (OR-2.0)
• - • Shared Security Responsibility Model
• + • Shared Security Responsibility Model (TS-1.11)
• - • Systems Configuration
• + • Systems Configuration (TS-1.1)
• - • Visitors
• + • Visitors (PS-1.1)
• - • Vulnerability Management
• + • Vulnerability Management (TS-4.0)