Jigsaw24 Media
Demystifying the TPN: exploring processes & avoiding pitfalls
For our second blog about the Trusted Partner Network (TPN) platform, we speak to accredited TPN assessor and Jigsaw24 consultant Philip Winterhalder about the evolution of TPN assessment and the most common stumbling blocks M&E businesses encounter in completing the process.
In a recent blog, we introduced the Trusted Partner Network (TPN), a global initiative owned and operated by the Motion Picture Association (MPA) that aims to unite content owners, service providers and assessors to avoid content leaks, breaches and hacks. That piece proved to be really popular, but what quickly became apparent is that, whilst the TPN is widely respected and acknowledged as an industry-leading content security initiative, many media suppliers don’t know what to expect from the assessment process – or how to prepare for it.
So, this time around, we’re taking a deeper dive into TPN assessment and exploring some of the most common ‘stumbling blocks’ that M&E companies encounter in completing the process – with a little help from Jigsaw24’s expert in all things related to information security in general, and the TPN in particular.
Introducing TPN assessor and consultant Philip Winterhalder
Information security expert Philip Winterhalder was one of the TPN’s first assessors and he continues to deliver assessments for the programme through his company, CISC Limited. He has spent more than half of his career in M&E and now consults as a virtual chief information security officer for a number of companies, including Jigsaw24.
“My main purpose is to provide advice to companies, conduct their information security risk assessments, and help them develop remediation plans so when something happens – and these days it is more a case of ‘when’ than ‘if’ – they have defenses and are prepared,” explains Winterhalder. “I like to refer to my role as one of pulling on a string until you find the risk factors in a business. The TPN assessment is a big part of that string-pulling process.”
Not all TPN assessors are the same
As outlined on the TPN website, there are several criteria for qualifying as a TPN assessor. The most important (and perhaps most obvious) is that assessors must hold at least one valid security certification to confirm their technical skills and hands-on experience in implementing and managing a security programme.
But a visit to the TPN website reveals a long list of accredited assessors – so how do you choose the right information security expert to work with? As Winterhalder explains, there are also different levels of TPN assessor: a scale from one to three based on a combination of the assessor’s formal qualifications, the amount of relevant experience working in M&E, and the number of TPN assessments they’ve completed in the previous year.
Whilst a Level 1 Assessor requires at least one year of M&E experience or applicable coursework, a Level 2 Assessor needs at least two TPN assessments as well as two years of M&E experience, or ten TPN assessments in the last year. At the highest tier, Level 3, the assessor also requires at least two TPN assessments, along with three years’ M&E experience, or ten TPN assessments in the last year. Assessors are also now certified as Site and/or Cloud Assessors.
Philip – who is a Level 3 Assessor certified for both Site and Cloud assessments – emphasises that it’s definitely not a case of ‘once a TPN assessor, always a TPN assessor’: “You have to requalify every two years and be an active assessor during that period, completing the number of assessments that’s determined by your level.”
As you might expect, the security needs of each individual business will determine which level of assessor they choose to engage. Nonetheless, as Philip points out, “there are plenty of skills that you need for this kind of work that aren’t formally required by TPN – the most critical ones being an investigative nature, the ability to listen, a lack of bias, and professionalism through the entire process.”
Choosing the shield that’s right for you
There are two distinct levels to TPN service provider assessment, which allow members to determine the best approach for their business. Drawing inspiration for its name from the Marvel Comics superheroes, Blue Shield status indicates that a TPN member service provider has self-reported its security information on the TPN+ platform, which is the Network’s centralised source of trusted information.
The other status, Gold Shield, confirms two things: one, that a participating service provider has undergone a third-party assessment performed by a TPN-accredited assessor; and two, that the resulting security assessment report is available to member content owners via the TPN+ platform. Gold Shield is inevitably of greater appeal to organisations with complex and/or critical security needs, and Gold Shield members have to be re-assessed at least once every two years or they automatically lose their qualification.
Service providers often attain Blue Shield status first, then move on to Gold Shield when they have appointed an accredited assessor. But Philip is at pains to point out that the concept of ‘pass’ or ‘fail’ does not apply here. “That’s not the purpose of TPN,” he confirms. “The Gold Shield is not about giving a seal of approval; instead, it confirms that the service provider has had their security assessed. It’s up to the content owners to review the reports written by the assessor to check whether the security meets their needs – then make a decision based on that review.”
What to expect from Gold Assessment
Necessity being the mother of (re)invention, the circumstances of the last few years have led to major changes to the Gold Assessment process. In addition to the Best Practices Guidelines being reworked to reflect the rise of remote workflows, remote assessments have also been introduced. This is in stark contrast to the situation pre-Covid, when all assessments were conducted on-site (except for Tier 2 content, which is less likely to be leaked in a breach).
“The pandemic meant that it wasn’t possible to travel much for 18 months, so we had to conduct assessments remotely via Zoom,” says Philip. “Subsequent to the pandemic, remote assessments have become the default for many. Personally, I do a mixture of onsite and remote, as I find it beneficial to ensuring a good rapport with each team being audited.” Otherwise, the assessment process remains pretty much unchanged, with assessors documenting evidence that a company is meeting the requirements contained in the Best Practices document. The report then goes to TPN for a final quality control stage.
However, as Philip points out, the way each assessor works is different, and that’s a big part of the process, too. “There’s no prescribed approach,” he says. “Yes, audits are based on evidence, but the way that each auditor gathers the evidence is different and entirely up to them. That’s a big reason why companies need to spend time researching and selecting an assessor that they have a rapport with. Rather than thinking that this is someone who has come into your business to ‘judge’ you – and potentially be disruptive! – it’s much better to think of them as a person who is there to help you and identify the weaknesses in your security.”
Common pitfalls (and how to avoid them)
So, now that we’ve shed some light on how the TPN assessments work, we asked Philip to share the most common issues he encounters when assessing M&E service providers for the TPN. Here are the top 5 issues he suggests addressing before the assessor arrives on site.
- Unlicensed firewalls
Cost is always a factor, and for the smaller business this impact is magnified. Firewalls involve major investments in hardware and licensing costs – the latter being one of those things that can be allowed to lapse when times are tough and budgets become more limited. If that happens, the firewall is no longer patched and will not receive updates for new risks. That’s a serious threat to businesses, as attack methods are always evolving.
An alternative option is to use open-source technology, which means the software code is publicly shared and bugs are identified by the wider community. Open-source firewalls generally have free tiers, so you can deploy the firewall software on your own server hardware. The main mark against this approach – and it is a big one! – is that free tiers don’t usually come with updates and are not licensed for commercial use.
- Insufficient network segmentation
An important area to focus on is the segmentation of internal computer networks, restricting transfers between segments in order to maintain confidentiality. This acknowledges that there are different data classifications – some known to the public, some for internal use only, and, at the very top tier, the IP owned by the company and/or its customers.
To give you an example of how this works, a VFX company with artists should be working on a network segment that cannot access the Internet or corporate systems like email and finance. Introducing this ‘air gap’ can be challenging as artists may feel justified in needing to access reference material from the Internet and customers. If more exceptions to this rule are introduced over time it can end up increasing the overall risk to the business.
- Lack of adequate malware protection
Traditional antivirus calls for at least daily access to the Internet for updates, and modern malware protection (known as EDR – Endpoint Detection and Response) is managed from the cloud. This means exceptions need to be made in the firewall to permit that access to the Internet.
Many users in M&E complain that these solutions affect the performance of their workstation, which has some truth to it depending on the vendor and how the solution is tailored. While there are some cost-free solutions, they tend to provide a minimal level of protection unless well maintained by manual engineering. Enterprise solutions cost upwards of £10 per user per month, which is another budget to be justified.
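The segmentation and EDR points above (an artist segment that cannot reach the Internet or corporate systems, plus a small number of explicit firewall exceptions such as the EDR agent’s cloud console) can be expressed as a default-deny zone policy. The following is an added example written for this article, not tooling from Jigsaw24, the TPN or the MPA; the zone address ranges, the EDR console address and the rule reasons are constructed placeholders. It also reports how many rules let the content zone out, which is the figure the text warns tends to creep upward as exceptions accumulate.

```python
"""Zone-based egress policy checker (constructed example, not TPN/MPA tooling).

Models a content ("artist") segment that may not reach the Internet or
corporate systems, with a small number of explicit, documented exceptions.
Anything not explicitly allowed is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing; real sites will differ.
ZONES = {
    "content":   ip_network("10.10.0.0/16"),   # artist workstations, content storage
    "corporate": ip_network("10.20.0.0/16"),   # email, finance, HR
    "io":        ip_network("10.30.0.0/24"),   # data IO staging hosts
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str          # a zone name from ZONES, or "internet"
    dst_hosts: tuple = ()  # empty = any host in dst_zone
    ports: tuple = ()      # empty = any port
    reason: str = ""       # every exception must record why it exists


def zone_of(ip: str) -> str:
    """Map an address to its segment; anything outside known segments is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Allow list. The only content->internet rule is the EDR cloud console
# (placeholder address 203.0.113.10), pinned to one host and one port.
POLICY = [
    Rule("corporate", "internet", reason="general office browsing"),
    Rule("content", "content", reason="artist workstations to content storage"),
    Rule("io", "content", reason="IO staging pulls/pushes content"),
    Rule("io", "internet", ports=(443,), reason="IO transfers to customer portals"),
    Rule("content", "internet", dst_hosts=("203.0.113.10",), ports=(443,),
         reason="EDR agent check-in to vendor cloud console"),
]


def is_allowed(src_ip: str, dst_ip: str, port: int, policy=POLICY) -> bool:
    """Return True only if some rule explicitly permits the flow (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if r.src_zone != src or r.dst_zone != dst:
            continue
        if r.dst_hosts and dst_ip not in r.dst_hosts:
            continue
        if r.ports and port not in r.ports:
            continue
        return True
    return False


def exception_report(policy=POLICY) -> dict:
    """Count rules that let the content zone reach anything outside itself.

    This is the number that should be reviewed whenever someone asks for
    'just one more' exception for reference material or customer access.
    """
    leaks = [r for r in policy if r.src_zone == "content" and r.dst_zone != "content"]
    return {"count": len(leaks), "reasons": [r.reason for r in leaks]}


if __name__ == "__main__":
    for src, dst, port in [("10.10.5.5", "8.8.8.8", 443),        # artist -> Internet
                           ("10.10.5.5", "203.0.113.10", 443),   # artist -> EDR console
                           ("10.10.5.5", "10.20.1.1", 25),       # artist -> corporate mail
                           ("10.30.0.5", "10.10.1.1", 445)]:     # IO host -> content storage
        print(f"{src} -> {dst}:{port} {'ALLOW' if is_allowed(src, dst, port) else 'DENY'}")
    print(exception_report())
```

Running the block prints a decision per sample flow and then the exception report. The useful habit it encodes is that every rule carries a reason, so the report doubles as the list an assessor will ask you to justify.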
- Insufficient control of data IO
The transfer of content is known as “data IO”, and established methodologies are documented by TPN (in the MPA Best Practices) and expected by international content owners. Content should pass through a layered network and be orchestrated by an authorised individual (or small team) who does not work with the content; this is an application of the principle of segregation of duties. If an M&E company has not enforced this methodology, it leaves general users with the ability to transfer content themselves, which means the business is neither aware of nor in control of those transfers. The risks here are probably the greatest in terms of content leaks, because both accidents and intentional actions can occur.
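As an added illustration of the segregation-of-duties rule described above (written for this article, not code from Jigsaw24, the TPN or the MPA), the check below approves a transfer request only when the requester holds an IO operator role, is not part of the team working on that content, and routes the content through the IO staging zone rather than straight from the content network to the outside. The role names, zone names, users and projects are constructed placeholders.

```python
"""Segregation-of-duties check for content transfers (constructed example).

A request is approved only if all three hold:
  * the requester holds the IO operator role,
  * the requester does not work on the project whose content is moving, and
  * the transfer path goes through the IO staging zone.
Every decision is appended to an audit trail so the business can show it
was aware of, and in control of, each transfer.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset       # e.g. {"artist"} or {"io_operator"}
    projects: frozenset    # projects whose content this user works on


@dataclass(frozen=True)
class TransferRequest:
    requester: User
    project: str
    src_zone: str          # "content", "io" or "external"
    dst_zone: str


# Content only ever moves one hop at a time, and every hop touches the IO zone.
ALLOWED_PATHS = {
    ("content", "io"), ("io", "external"),   # outbound delivery
    ("external", "io"), ("io", "content"),   # inbound ingest
}

AUDIT_LOG: List[str] = []


def evaluate(req: TransferRequest) -> Tuple[bool, str]:
    """Decide a request and record the outcome. Returns (approved, reason)."""
    if "io_operator" not in req.requester.roles:
        decision = (False, "requester is not an IO operator")
    elif req.project in req.requester.projects:
        decision = (False, "requester works on this content (segregation of duties)")
    elif (req.src_zone, req.dst_zone) not in ALLOWED_PATHS:
        decision = (False, f"path {req.src_zone}->{req.dst_zone} bypasses the IO zone")
    else:
        decision = (True, "approved")
    AUDIT_LOG.append(f"{req.requester.name} {req.project} "
                     f"{req.src_zone}->{req.dst_zone}: {decision[1]}")
    return decision


# Constructed sample users.
ARTIST = User("ana", frozenset({"artist"}), frozenset({"projX"}))
IO_OPERATOR = User("omar", frozenset({"io_operator"}), frozenset())
IO_OPERATOR_ON_PROJECT = User("olu", frozenset({"io_operator"}), frozenset({"projX"}))


def demo() -> List[bool]:
    """Run the four sample requests and return their approval flags."""
    requests = [
        TransferRequest(ARTIST, "projX", "content", "io"),               # artist self-serve
        TransferRequest(IO_OPERATOR, "projX", "content", "io"),          # proper IO path
        TransferRequest(IO_OPERATOR_ON_PROJECT, "projX", "content", "io"),  # duties not segregated
        TransferRequest(IO_OPERATOR, "projX", "content", "external"),    # skips staging zone
    ]
    return [evaluate(r)[0] for r in requests]


if __name__ == "__main__":
    demo()
    print("\n".join(AUDIT_LOG))
```

Only the second sample request is approved; the other three are the situations the text describes as leaving the business unaware or not in control, and each denial reason names which of the three conditions failed.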
- Operating with vulnerabilities in their service
Vulnerability management is the process of determining whether your systems can be compromised by an attacker. Even systems that are frequently patched and well configured can be susceptible. Very few M&E companies, particularly the smaller businesses, properly implement vulnerability scanning – and if they do, it is for public-facing systems only. When scans of the internal network are conducted, it is common for many vulnerabilities to be discovered, owing to the combination of operating systems at different patch levels, old and unsupported software, and unauthorised software installed by users. The key risk here is that if an attacker compromises one internal system, then moving on to others – including on “protected” content networks – is made easy.