July 7, 2020
Securing Film and Television Content Created in Remote Work Environments
If you’re like many companies involved in the creation of film or television content, you’ve moved most, if not all, of your work to remote environments in response to the recent pandemic. If so, you may be concerned about keeping your valuable content secure and maintaining compliance with industry security standards as you continue developing content remotely.
The Trusted Partner Network (TPN) is a joint venture between the Motion Picture Association (MPA) and the Content Delivery & Security Association (CDSA). MPA offers an excellent set of best practices—the “MPA best practices”—and controls to help film and television content creators and their vendors to secure their work environments. TPN leverages the MPA best practices as well as assist in reviewing and approving TPN Qualified Assessors that can assess content creators’ environments for conformance with MPA best practices and controls.
This blog highlights the best practices and controls that may be particularly helpful in securing your remote work environment and provides recommendations for bringing your remote environment into compliance.
Assessing Remote Work Environments
DS-3.2 Restrict remote access to the content / production network to only approved personnel who require access to perform their job responsibilities.
To assess your remote work environment, we recommend that you begin by asking your team members to document key aspects of their remote environment, including office security, physical asset storage, lock systems for home offices, and networks used. Be sure to include the number and configuration of remote workstations and device policies in use (BYOD, company asset, etc.).
Consider how your device policy impacts your ability to protect sensitive content.
Document the types of content used by each user on each remote workstation. Adjust access rights and privileges as needed to ensure that each user only has access to the content, workstations, and production network assets that are required for them to perform their job responsibilities.
DS-3.6 Consider implementing host-based intrusion detection system software on all workstations.
DS-6.2.1 Local firewalls should be implemented on workstations to restrict unauthorized access to the workstation.
If you plan to continue creating content remotely for an extended period, we recommend deploying dedicated, preconfigured workstations. While BYOD policies are great for enabling a rapid migration to remote work, requiring the use of company devices that are provisioned with robust configurations and security software/tools is generally a better way to protect your sensitive content.
Physical Security at Home
PS-1.1 Control access to areas where content is handled by segregating the content area from other facility areas.
The area where your people are performing remote work must be secure and secluded. For example, if a team member is creating content on a workstation at their kitchen table in a home where family and friends can hear or see their work, their environment is not secure.
Workspaces used for content creation or remote access to content must be in an area that can be physically locked to prevent access by people other than the authorized worker. People outside the room must not be able to view workstation monitors (e.g., via a window).
We recommend setting up webcams to monitor physical access to remote work areas. You can do this quickly and inexpensively using products from companies such as Nest and Ring. Webcam activity should be logged to a local server or the cloud and mechanisms should be established to create alerts when non-standard activity is observed (e.g., home work area is accessed after hours, or when a team member is out of town).
Make sure that your data stays within your environment by implementing I/O port protection on all remote workstations. In addition to accurate asset management for the movement of hard drives to talent for distributed creative content creation.
Consider implementing different workstation security profiles—one to be used when a workstation is connected to the internet to download or upload content, and another for use in creating content when not connected to the internet.
We also recommend creating a specific remote work asset storage policy to ensure your assets are protected from compromise.
Virtual Private Networks
DS-1.10 Connections over the Internet or public networks should be encrypted using site-to-site VPN.
Protect your network traffic by implementing Virtual Private Network (VPN) connections on all remote workstations. VPN connections send your data through encrypted tunnels so that all traffic is obfuscated and secured. These connections are easy to set up and ensure a high level of security at a low cost to your business.
While configuring VPN connections, we recommend ensuring the following security controls are in place, at a minimum.
- Using advanced encryption standard (e.g., AES 256 or higher)
- Enforcing multi-factor authentication (MFA) (see DS-8.1 within this blog post for further information)
- Monitoring all activity logs (e.g., login and activity)
DS-6.0 Install anti-virus and anti-malware software on all workstations, servers, and on all devices.
Ensure that your critical data and content is protected from malware attacks by implementing strong anti-virus software on all workstations and other devices such as phones or tablets that are used to access or create content.
Content Obfuscation and Watermarking
DS-11.0 Ensure that security techniques (e.g., spoiling, invisible/visible watermarking) are available for use and are applied when instructed.
Use watermarks visually (for visual assets) or digitally (for sound, etc.) on all assets that are accessed from remote locations.
Make sure that hard drives or file transfer services used to send content to remote workstations have AES-256 encryption or higher.
Implement processes and policies that create a systematic approach to obfuscating and tracking your data.
Update Privacy Policies
MS-1.1 Consider adjustments to policies and procedures from the following changes:
- Organization’s business, services offered, etc.
- Technology infrastructure
- Client requirements
- Regulations or laws
- Risk landscape
Review and update your privacy policies to include changes that are needed to address the unique requirements of remote work environments. Make sure to include policies to specifically address content privacy and workstation security for remote workstations.
Secure Physical Assets
PS-1.2 Control access where there are collocated businesses in a facility, physically segregating work areas from public areas.
Implement agreements with remote workers that outline privacy and security expectations for their workstations and content. Be sure to include expectations regarding third-parties in the home. While your personnel may have signed a non-disclosure agreement, their housemates most likely have not!
Be sure to maintain lockout times for all workstations and manage password requirements and expirations; with a large number of remote workstations, these security steps are vital.
MS-3.0 Provide online or live training to prepare security personnel on policies and procedures that are relevant to their job function.
It’s essential that all personnel within your infrastructure are well-trained on their security responsibilities related to company assets and client content.
Find a training solution that works for you. While in-person classroom training may not be an option during the pandemic, there are plenty of other options such as pre-recorded online classes or live, instructor-led webinars or video conferences.
We recommend refreshing information from previous security training and adding content that focuses on the specific security responsibilities associated with a remote work environment. Be sure to cover the need for heightened workstation security and physical security requirements for working at home. It’s also important to include organization charts and contingency roles to facilitate the designation of roles and responsibilities as they pertain to securing your assets.
“Zero Trust” Principle
DS-8.1 Utilize multi-factor authentication (MFA) that uses a combination of two or more the following:
- Something they know and only they know (e.g., password)
- Something they have and only they have (e.g., soft or hard token)
- Something they and only they are (e.g., biometrics)
Consider implementing a “Zero Trust” policy to protect your essential assets. The Zero Trust mantra is “Never Trust, Always Verify”. With this approach, MFA is used to verify the identity of all individuals accessing your organization’s data infrastructure, regardless of whether the individual is working in a remote location or the office.
Tevora Can Help
Our expert team of security specialists has more than 10 years of experience working with industry-leading film and television content creators and their vendors in 30 countries. We’ve worked with production, post-production, and distribution operations throughout the entertainment supply chain to help them secure their environments. This experience gives us a deep understanding of the security issues that are unique to your industry.
Tevora can partner with you to assess the security of your remote work environment, identify gaps that need to be addressed to comply with MPA best practices and controls, and help you close the gaps to ensure your valuable content is secure.
Our team includes Qualified Assessors that are approved by TPN to assess your work environment for compliance with MPA best practices and controls. When your environment is deemed to be in compliance, our assessors will prepare documentation that can be shared with customers to demonstrate your compliance.
If you’d like to learn more about how Tevora can help secure your remote content creation environment, just give us a call at (833) 292-1609 or email us at email@example.com.
About the Authors
Obrian Goriel is an Information Security & Privacy Consultant at Tevora.
Elliot Carroll is an Information Security Associate at Tevora.