The COVID-19 pandemic has created significant challenges for the Trusted Partner Network (TPN) and the overall media and entertainment industry, including when it comes to the ability of facility security assessments to be conducted, according to TPN.
However, TPN has been able to shift to remote assessments and content owners have accepted that as a viable replacement for on-site assessments, Guy Finley, CEO of TPN and president of the Media & Entertainment Services Alliance (MESA), Hollywood studio reps and TPN assessors said recently during the webinar “TPN: Then & Now.”
The webinar also provided a state of the TPN program report and included a discussion on how the TPN “assessment journey” has changed over the past year, as well as TPN’s accomplishments in 2020 and its direction for the fourth quarter of this year.
“We’re working remotely but I don’t think there was any real hiccup in terms of customer service — that was pretty seamless,” Finley told viewers after pointing out how TPN shifted its planned meetings and public update presentations that were scheduled for early this year to the Internet after the Mobile World Congress in Barcelona, Spain and NAB Show in Las Vegas were canceled due to the pandemic.
“Ultimately, this program is about the community,” he said, adding: “It’s about our constituents: Of course the studios and broadcasters, the content creators, the production companies that utilize the tool. But also, more importantly, our facilities around the world as well as our qualified assessor community.”
TPN now has about 40 qualified assessors and, “since our launch, we’ve made 675 published” and completed assessments, “which is huge in contrast to what we used to do annually as both” the Motion Picture Association (MPA) and Content Delivery & Security Association (CDSA) separately, he noted. So “there has been a lot of great progress there,” he said.
Meanwhile, TPN has 500 facilities in the pre-assessment queue and another 500 facilities in its queue for remote or on-site assessment – most of them on-site, with 100 of those reassessments of facilities in their second year of TPN assessments, he said. So there is a total of 1,000 facilities waiting for assessments – 200 of those in contract with TPN, he added.
We’re All in This Together
A representative from one of the Hollywood studios pointed out that few assessors are going out now to do on-site assessments and vendors are being encouraged to do it remotely now. That is a little different, of course, but mostly “acceptable,” he said, adding: “It’s always based on what kind of risk we’re willing to take for the different type of content” in question. The TPN reports from remote assessments are “sufficient” so far to make that decision, he said. His company, meanwhile, is paying careful attention to the security protocols that vendors are using while working at home, he noted. The key is that everybody in the industry must be flexible now because everybody wants to make sure that companies stay in business because, if they don’t, that’s not good for anybody.
“It really does come down to that extended questionnaire” that is being used for assessments, according to Finley. “The idea here is to make sure that people understand that is a viable assessment for them: Not only during the crisis but it can also be used during some renewals as well,” he said.
TPN provided a three-month extension for assessments to be done due to COVID-19 financial constraints, Finley pointed out, adding: “We understand how difficult this period is.” If an organization was in process with an assessment or had a renewal date, it should have received a notice that TPN provided that extension, he said.
After all, “we’re all in this together,” he said, noting the pandemic has impacted the operations of CDSA and MPA also. “We don’t want to put any undue strain on a facility, especially during a pandemic like this,” he said, noting on-site is just not an option for a lot of places globally now and over the next four months.
One issue that has been raised is the price of TPN assessments done remotely vs. on-site, he said, telling viewers that it charges a market rate based on travel to get to the area where a facility is. Remote assessment should cost less than an in-person audit and takes less time also, so it should cost less, he said.
“Obviously,” the entire assessment process has “changed quite a bit,” according to Juan Reyes, a TPN qualified assessor and Convergent Risks senior director of home entertainment and technology. Prior to the pandemic, he explained, his job involved “flying around the world to a couple of different vendors each week and being able to really dive deep in with them, looking around at their facility, looking at the physical security, looking into things like the production workstations, getting some hand-on experience, going into the firewalls.”
And, unfortunately, “you lose a lot of that capability” now with remote assessments, Reyes said. “But, at the same time, you still get to concentrate a lot on the really important things that matter,” he said, explaining: “Obviously, the questionnaire covers a lot. You have [vendors] ahead of time provide you with documentation on everything that they’re doing – all of their policies, pictures of the facility, pictures of the cameras and everything that’s going on. So with us and everyone over at Convergent Risks – all of the assessors there – we’re just working closely with the vendors to make sure that even though we’re not able to be on the site with them, we’re still able to do things remotely and look at all of the materials that they have … and then talk about some of the things that they don’t have and the things they lack.”
When all is said and done, “at the end of the day, there are still going to be remediation items – whether we’re doing [it] on site or whether we’re doing something remotely,” according to Reyes. And it is important to go through them and help [vendors] “to understand where are they in regards to the guidelines around the TPN program so they can help to remediate some of the issues that they have and work more in line with those guidelines,” he said.
Reyes has about 100 assessments under his belt with TPN so far, he went on to say. “It has been a challenge now with what we are facing,” he told viewers. But he added: “The vendors have all been extremely receptive and supportive to try to still go through the process so that at the end of the day they can be more up to speed and more in line with the guidelines to support their clients.”
Michael Wylie, Richey May director of cybersecurity services and a TPN qualified assessor, saw the situation slightly differently. “For the most part, it hasn’t changed too much for us” at Richey May, he said, adding: “The challenge mostly has been, [on] the vendor side, they’ve been a little bit slower to respond. So traditionally, we’d go on site and we’d … knock it out in a day or so and there’s a little bit of follow-up. But the challenge that we’ve had more recently is that we may even just do a walk-though of the facility with one person at the company if it’s a local company.” Assessors will then look at the firewalls remotely, he noted.
But some vendors are then postponing “those calls or those web meetings and so it drags out a little bit longer,” Wylie said, adding “that’s been a little bit hard.”
Another issue is that “a lot of the vendors [are] concerned about their security controls not being what [they] used to be” before the pandemic, Wylie said. After all, “they’ve got people working from home, there’s no security cameras, they might be at their dining room table,” he pointed out. And these vendors “really don’t want those to be marked as remediation items… so we constantly encourage them to talk with the content owners and walk through their workflows and make sure they’ve got exceptions,” he said, adding: “We do let them know, if you are doing some of these things, like working on an editing machine in your kitchen there might be a couple more remediation items than when you were back in the office. And, of course, we document those things and try and get – even more so than usual – we try and paint a picture for the content owners about why this is happening… Otherwise, a lot of the workflows have been similar.”
“One of the key challenges,” meanwhile that James Bourne, TPN Assessor-governance, risk and compliance, said he has faced in Australia, where he is based, is that “the bulk of the assessments we do are not in English.” While large facilities have been able to carry on without much of a hitch, smaller organizations have had a rougher go of it, in part because many of them did not have remote capabilities in place, he said.
Bourne has been conducting remote assessments via Zoom and other video conferencing services, which presents a series of challenges, including the fact that they typically involve “just sitting there for 6 to 8 hours” trying to walk through the questionnaires and understand what the vendors provided, said Bourne, who is also founder, owner and security analyst of Groundwire Security and CEO, founder and owner of FireDaemon Technologies.
Now, however, the remote assessment process is “working quite well,” Bourne added. There was a slowdown because of the extra three months that were given to vendors by TPN, “but things are kicking back up again,” he said.
One big issue for the industry since the start of the pandemic was that there was no uniform work-from-home policy in place, according to a Hollywood representative. Some of it involves common sense, such as not editing on a big-screen TV and don’t have that TV your computer monitor facing towards the window while working at home, he noted.
A Positive Sign and Future Plans
One big positive sign is that we are starting to see some European countries return to business as usual, including Belgium, France and Italy, and TPN is working with facilities there to return to on-site assessments, Reyes said.
When all is said and done, TPN “would be paralyzed” if it had not started doing remote assessments, according to Finley.
TPN will continue to provide updates on CDSA’s App & Cloud Control Framework, Finley also said, adding: “We’re having a control release here before the end of this month. Our goal is to get at least even a beta up and running by the fourth quarter.”