![\"\"](\"https:\/\/www.mesalliance.org\/wp-content\/uploads\/2020\/05\/internet-screen-security-protection-60504-scaled-e1596652886202-300x169.jpg\")
We\u2019re All in This Together<\/strong><\/p>\nA representative from one of the Hollywood studios pointed out that few assessors are going out now to do on-site assessments and vendors are being encouraged to do it remotely now. That is a little different, of course, but mostly \u201cacceptable,\u201d he said, adding: \u201cIt\u2019s always based on what kind of risk we\u2019re willing to take for the different type of content\u201d in question. The TPN reports from remote assessments are \u201csufficient\u201d so far to make that decision, he said. His company, meanwhile, is paying careful attention to the security protocols that vendors are using while working at home, he noted. The key is that everybody in the industry must be flexible now because everybody wants to make sure that companies stay in business because, if they don\u2019t, that\u2019s not good for anybody.<\/p>\n
\u201cIt really does come down to that extended questionnaire\u201d that is being used for assessments, according to Finley. \u201cThe idea here is to make sure that people understand that is a viable assessment for them: Not only during the crisis but it can also be used during some renewals as well,\u201d he said.<\/p>\n
TPN provided a three-month extension for assessments to be done due to COVID-19 financial constraints, Finley pointed out, adding: \u201cWe understand how difficult this period is.\u201d If an organization was in process with an assessment or had a renewal date, it should have received a notice that TPN provided that extension, he said.<\/p>\n
After all, \u201cwe\u2019re all in this together,\u201d he said, noting the pandemic has impacted the operations of CDSA and MPA also. \u201cWe don\u2019t want to put any undue strain on a facility, especially during a pandemic like this,\u201d he said, noting on-site is just not an option for a lot of places globally now and over the next four months.<\/p>\n
One issue that has been raised is the price of TPN assessments done remotely vs. on-site, he said, telling viewers that it charges a market rate based on travel to get to the area where a facility is. Remote assessment should cost less than an in-person audit and takes less time also, so it should cost less, he said.<\/p>\n
Major Changes<\/strong><\/p>\n \u201cObviously,\u201d the entire assessment process has \u201cchanged quite a bit,\u201d according to Juan Reyes, a TPN qualified assessor and Convergent Risks senior director of home entertainment and technology. Prior to the pandemic, he explained, his job involved \u201cflying around the world to a couple of different vendors each week and being able to really dive deep in with them, looking around at their facility, looking at the physical security, looking into things like the production workstations, getting some hand-on experience, going into the firewalls.\u201d<\/p>\n And, unfortunately, \u201cyou lose a lot of that capability\u201d now with remote assessments, Reyes said. \u201cBut, at the same time, you still get to concentrate a lot on the really important things that matter,\u201d he said, explaining: \u201cObviously, the questionnaire covers a lot. You have [vendors] ahead of time provide you with documentation on everything that they\u2019re doing \u2013 all of their policies, pictures of the facility, pictures of the cameras and everything that\u2019s going on. So with us and everyone over at Convergent Risks \u2013 all of the assessors there \u2013 we\u2019re just working closely with the vendors to make sure that even though we\u2019re not able to be on the site with them, we\u2019re still able to do things remotely and look at all of the materials that they have \u2026 and then talk about some of the things that they don\u2019t have and the things they lack.\u201d<\/p>\n When all is said and done, \u201cat the end of the day, there are still going to be remediation items \u2013 whether we\u2019re doing [it] on site or whether we\u2019re doing something remotely,\u201d according to Reyes. And it is important to go through them and help [vendors] \u201cto understand where are they in regards to the guidelines around the TPN program so they can help to remediate some of the issues that they have and work more in line with those guidelines,\u201d he said.<\/p>\n Reyes has about 100 assessments under his belt with TPN so far, he went on to say. \u201cIt has been a challenge now with what we are facing,\u201d he told viewers. But he added: \u201cThe vendors have all been extremely receptive and supportive to try to still go through the process so that at the end of the day they can be more up to speed and more in line with the guidelines to support their clients.\u201d<\/p>\n Some Slowdowns<\/strong><\/p>\n Michael Wylie, Richey May director of cybersecurity services and a TPN qualified assessor, saw the situation slightly differently. \u201cFor the most part, it hasn\u2019t changed too much for us\u201d at Richey May, he said, adding: \u201cThe challenge mostly has been, [on] the vendor side, they\u2019ve been a little bit slower to respond. So traditionally, we\u2019d go on site and we\u2019d \u2026 knock it out in a day or so and there\u2019s a little bit of follow-up. But the challenge that we\u2019ve had more recently is that we may even just do a walk-though of the facility with one person at the company if it\u2019s a local company.\u201d Assessors will then look at the firewalls remotely, he noted.<\/p>\n But some vendors are then postponing \u201cthose calls or those web meetings and so it drags out a little bit longer,\u201d Wylie said, adding \u201cthat\u2019s been a little bit hard.\u201d<\/p>\n Another issue is that \u201ca lot of the vendors [are] concerned about their security controls not being what [they] used to be\u201d before the pandemic, Wylie said. After all, \u201cthey\u2019ve got people working from home, there\u2019s no security cameras, they might be at their dining room table,\u201d he pointed out. And these vendors \u201creally don\u2019t want those to be marked as remediation items\u2026 so we constantly encourage them to talk with the content owners and walk through their workflows and make sure they\u2019ve got exceptions,\u201d he said, adding: \u201cWe do let them know, if you are doing some of these things, like working on an editing machine in your kitchen there might be a couple more remediation items than when you were back in the office. And, of course, we document those things and try and get \u2013 even more so than usual \u2013 we try and paint a picture for the content owners about why this is happening\u2026 Otherwise, a lot of the workflows have been similar.\u201d<\/p>\n \u201cOne of the key challenges,\u201d meanwhile that James Bourne, TPN Assessor-governance, risk and compliance, said he has faced in Australia, where he is based, is that \u201cthe bulk of the assessments we do are not in English.\u201d While large facilities have been able to carry on without much of a hitch, smaller organizations have had a rougher go of it, in part because many of them did not have remote capabilities in place, he said.<\/p>\n Bourne has been conducting remote assessments via Zoom and other video conferencing services, which presents a series of challenges, including the fact that they typically involve \u201cjust sitting there for 6 to 8 hours\u201d trying to walk through the questionnaires and understand what the vendors provided, said Bourne, who is also founder, owner and security analyst of Groundwire Security and CEO, founder and owner of FireDaemon Technologies.<\/p>\n Now, however, the remote assessment process is \u201cworking quite well,\u201d Bourne added. There was a slowdown because of the extra three months that were given to vendors by TPN, \u201cbut things are kicking back up again,\u201d he said.<\/p>\n One big issue for the industry since the start of the pandemic was that there was no uniform work-from-home policy in place, according to a Hollywood representative. Some of it involves common sense, such as not editing on a big-screen TV and don\u2019t have that TV your computer monitor facing towards the window while working at home, he noted.<\/p>\n A Positive Sign and Future Plans<\/strong><\/p>\n One big positive sign is that we are starting to see some European countries return to business as usual, including Belgium, France and Italy, and TPN is working with facilities there to return to on-site assessments, Reyes said.<\/p>\n When all is said and done, TPN \u201cwould be paralyzed\u201d if it had not started doing remote assessments, according to Finley.<\/p>\n TPN will continue to provide updates on CDSA\u2019s App & Cloud Control Framework, Finley also said, adding: \u201cWe\u2019re having a control release here before the end of this month. Our goal is to get at least even a beta up and running by the fourth quarter.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":" The COVID-19 pandemic has created significant challenges for the Trusted Partner Network (TPN) and the overall media and entertainment industry, including when it comes to the ability of facility security … Continue reading How TPN Assessors Have Overcome the Challenges of COVID-19<\/span> ![\"\"](\"https:\/\/www.mesalliance.org\/wp-content\/uploads\/2018\/02\/cyber-risk-7-e1521745793159-300x171.jpg\")
Other Challenges<\/strong><\/p>\n