TPN Assessments
Last update: 10/02/2024

Useful Links:
--TPN Main site
--Assessor Directory
--Getting Started PDF
--Service Provider PDF

What is the Trusted Partner Network?

Per TPN:
"The Trusted Partner Network (TPN) is a driving force for content security preparedness in the media and entertainment industry.

Securing content is our mission. With members across 60+ countries and wholly owned by the Motion Picture Association (MPA), we're committed to raising content security awareness and standards and helping companies identify vulnerabilities, increase security capabilities, and efficiently communicate security status to customers.

TPN helps Service and Application Providers identify and reduce duplicate security reporting efforts to their Studio customers by leveraging TPN+ which is centralized and standardized, saving time and precious resources.

By maintaining the MPA Content Security Best Practices, TPN offers a critical framework and set of security preparedness controls for securing content in the cloud and on-site, including work-from-home and software applications."



What does this mean?

The Trusted Partner Network primarily aims to increase security awareness among Service Providers and allow Content Owners (the major Studios) to use TPN assessments in place of their own. Instead of each individual studio doing a security deep-dive with each Service Provider they want to bring on to a project, they ask Service Providers to get assessed by TPN instead. This greatly simplifies the process of securing sensitive content and reduces work for both Service Providers and the Studios. TPN and the Studios regularly discuss issues in the industry and update the MPA Content Security Best Practices to reflect priorities in the industry. Note that TPN Assessments are not just for the Content Owners - Service Providers can use TPN Assessments to judge the security posture of other Service Providers they might want to work with.

The MPA Content Security Best Practices is a real security framework and can be presented outside the industry to show compliance with a security framework. A TPN Assessment is not a pass/fail audit. It merely attempts to get a true picture of a Service Provider's security posture.


Know the lingo

Blue Shield - the TPN Blue Shield indicates to Content Owners that you have completed the TPN Questionnaire. If you Self-Report and submit, your Blue Shield is valid for 1 year. If you then decide to have an Assessor perform an assessment, upon completion your Blue Shield will now be valid for 2 years.

Gold Shield - a TPN Gold Shield indicates that you had an assessor assess your environment and release a report, and you, the Service Provider, put in a Remediation Plan for items that did not meet the MPA Best Practices. A Remediation Plan is a list of changes/alternate solutions that you put in place or promise to put in place to secure your environment and bring it up to MPA Best Practices.

Self-reported Questionnaire - the Self-Reported Questionnaire is a Questionnaire Service Providers can fill out to assess their own environment. This typically takes a long time and involves doing a deep dive into your environments and business practices. Typically this is done with the help of your IT department, but Assessors might offer a service where they guide you along the Questionnaire and provide support and clarity.

Content Owners/Studios - a Company who owns or distributes content, and procures services from Service Providers.

Assessor - an individual who is accredited by TPN to perform TPN assessments.

Service Provider - a Company who provides services and/or software to Content Owners.

Scope - scoping can refer to the initial signup process to TPN, where Service Providers have to determine what membership level applies to them and their business. In the context of Assessments, Scope refers to the nature of the Assessment that the Assessor will perform - will the Assessment require a Site Visit (Site Assessment)? Or is the business wholly in the Cloud, in which case you perform a Cloud Assessment? Assessors will use answers from the company profile, Self-reported Questionnaire and discussions with the business to determine the Scope.


How are Assessments initiated?
  • First a Service Provider registers with TPN - please refer to the Getting Started PDF linked above.

  • Typically the Service Provider fills out the Self-Reported Questionnaire and upon completion receives the Blue Shield for 1 (one) year.

  • The Service Provider reaches out to an Assessor and the Assessor gathers information (company profile, questionnaire answers, discussions with the Service Provider) to see what kind of assessment needs to take place (Scoping). You will need to give the Assessor access to your Self-reported Questionnaire in order for them to make a comprehensive decision on the Scope of the Assessment.

  • Once the Assessor and Service Provider agree on terms, a few sessions are scheduled to discuss Questionnaire answers and gather additional information and evidence. The sessions are usually few but can last several hours while the Assessor confirms information with the Service Provider.

  • When all information and evidence is gathered, the Assessor will officially initiate the Assessment. Upon completion, the Assessor will submit their findings and the Assessment goes to the TPN QC team. QC will reach out to the Assessor to discuss any issues with the Assessment. Once corrections are made, TPN accepts the Assessment.

  • Once the Assessment is accepted, the client's Blue Shield is now valid for 2 (two) years.

  • If the client wishes to get Gold Shield status, they must fill out a Remediation Plan for any outstanding issues that do not meet the MPA Best Practices.

  • Upon completion of the Remediation Plan the Service Provider receives their Gold Shield for 2 (two) years.

How much?

The most widely asked question is "how much?". There is no set fee schedule for these types of assessments. There are numerous considerations that Assessors have to make before deciding how much to charge. Here are a few:

  • Does the Service Provider use Cloud services? What kind?

  • Does the Service Provider have a physical office? Multiple offices? Where are they located? Will the Assessor need to travel in order to make a proper assessment or can the assessment be completed remotely?

  • Does the Service Provider host equipment/services that are reachable through the public Internet?

  • Does the Service Provider store materials belonging to Content Owners?

  • Does the Service Provider host Cloud Services offered to other Service Providers or Content Owners?

  • Does the Service Provider develop applications used in the industry?

Every Assessor operates under a different set of limitations. Assessors living in Europe might charge you more for an Assessment in Asia. Assessors working under the umbrella of a larger company might charge more than small and independent Assessors. Our suggestion is to find Assessors in your area and shop around - not all Assessors are the same.


If you have questions about the TPN process do not hesitate to reach out to us at [email protected]. We do not charge fees to scope an Assessment.