Complying with MPA and Netflix’s Content Security Best Practices

Examining the requirements of MPA’s TPN, Netflix’s NPFP and the NIST Security Frameworks

Filip Milovanovic
Post-production expert,

Kristoffer Laursen
Regional Manager, Nordics,

Every modern post-production facility faces the same conundrum – How does one maximise remote collaboration and workflow effectiveness without compromising security. This is a tough question as these concepts often fall on different ends of the spectrum. Usually, the company would need to find a sweet spot in this balancing act and design their infrastructure and policies around it. Because not everyone addresses this topic with the same sense of importance, the giants of the media and entertainment industry have put forward their sets of best practices for partners to adhere to. This means that on your next project, you might be required to join the MPA’s “TPN” (Trusted Partner Network), or to follow other ISMS frameworks like ISO 27002 or the NIST Security Framework. These varying best practice standards have a big overlap in requirements and each one covers management and organisational procedures, as well as physical and digital security. In this blog, we would like to give you a brief summary of these requirements. Please bear in mind that this is not a checklist, but more of a quick reference to help you understand what security measures you may be required to implement. For a full list of requirements, please refer to the documents listed on the end of the page.

Management and procedure awareness for running a safe operation

  • Plan and budget for security measures. This includes security initiatives, upgrades, and maintenance.
  • Define sound security policies and review them regularly (quarterly, biannually or annually) as well as with key workflow changes.
  • Conduct external and internal network vulnerability scans and external penetration testing.
  • Assign a dedicated security team that does not work with assets.
  • Establish policies and procedures regarding asset and content security. Example topics: Business continuity, content transfer processes, confidentiality policy, digital recording devices, password controls, visitor control etc.
  • Define, review and test backup policies at least annually, along with clearly scoped Recovery time objectives (RTO) and Recovery point objectives (RPO).
  • Define checkpoints for workflow states. e.g. delivery, ingest, data movement, destruction etc. to keep track of all assets.
  • Segregate duties to avoid overlap between different roles. e.g. a runner shouldn’t have access to vault/data etc.
  • Everyone working with content must sign an NDA.
  • Keep control of all data. Be aware of third-party services and freelancers, including third party IT staff and cloud services.
  • Develop an awareness program focused on security policies and procedures and make sure to train company personnel and third-party workers.
  • Establish a formal plan that ensures business continuity and assign a team to it.

Physical security and handling

  • All entry/exit points to the facility should be locked, and access controlled.
  • Areas should segregate into to security zones with the least possible overlap.
  • Employees and visitors must be checked in and out when entering or leaving the facility.
  • Visitors log and info to be entered and kept for at least 12 months.
  • Segregate work areas in separate areas.
  • Review access to restricted areas (e.g., vault, server/machine room) at least quarterly.
  • Obscure studio/client/project names.
  • All physical assets must be ID marked and checked in/out according to policy. All activity related to access should be logged.
  • Blank/raw media should be assigned an ID when arriving, and not when used, to ensure traceability.

Digital security

  • WAN locked down to absolutely minimum with use of DMZ etc. – only open what’s needed – not the other way around.
  • Allow only whitelisted IP’s both inbound and outbound.
  • No internet on production computers or production network.
  • Operate on a least-privilege basis throughout the entire facility.
  • Client computers should be kept as safe as possible, including: Anti-virus, disabled guest accounts and no access to external drives such as USB sticks etc.
  • No mail or file transfer sites allowed.
  • Segregate computers and servers for different purposes – e.g. ingest, editing, file transfer services etc.
  • Use centralised user management.
  • Auto expire accounts not being used for a certain period.
  • Enforce strong password policy and two-factor authentication.
  • Keep tight logging of all data ingest, transfer and deletion.
  • Use local storage and portals as much as possible. Use of cloud and third-party services must be documented and secured extensively, incl. use of encryption etc.
  • Be aware of mobile devices.


Reading this short summary might leave you feeling a little lost, but this shouldn’t be the case. Keep in mind that these guidelines have been designed to address just about every possible vulnerability in a video production facility and can’t possibly be equally applicable to every company size, large or small. However, even if you can’t implement every point, each one that you can brings you closer to running a safer operation. A smart way to go about this task is to choose the right consultants and implement only those tools that were designed with these requirements in mind. 

At ELEMENTS we strongly support the security initiatives of the industry and have therefore been designing our systems, as well as large customer environments, so that they conform with the policies and procedures put forward by these guidelines. Every ELEMENTS system comes equipped with a number of tools that allow you to comply with the best practice requirements and securely execute your workflows.

Use our in-built Automation engine to bridge security zones and move content between separate systems or to schedule backups and keep you informed of everything happening on the system. Precise permission management allows you to easily determine who can access what and the workspace names can be obscured with a flick of a switch. Active Directory integration lets you manage users centrally, and for an extra security layer, turn on the Two-factor authentication.

Through our experience in consulting on security standards and the use of the powerful toolset offered by ELEMENTS systems, we can build a perfect environment for your needs, one that conforms with the industries best practices.

Read full security documents:

MPA Content Security Best Practices

Netflix Content Security Best Practices



COBIT ist ein international anerkanntes Rahmenwerk für das Management und die Governance von Informationstechnologie. Es bietet ein umfassendes Regelwerk von Prinzipien, Praktiken und analytischen Instrumenten und Modellen zur Steuerung der unternehmensweiten IT.