(https://www.mpaa.

org)

CONTENT PROTECTION
1 / OBJECTIVE
2 / BACKGROUND
3 / BEST PRACTICES
4 / BEST PRACTICES DOWNLOADS
5 / FACILITY-PAID INSPECTIONS
6 / SELF-ASSESSMENT QUESTIONNAIRES
7 / FAQ
8 / REPORT PIRACY
9 / CONTACT
 OBJECTIVE
The MPAA is committed to protecting the rights of those who create
entertainment content for audiences around the world. From creative arts to the
(https://www.mpaa.org)
software industry, more and more people make their living based on the power of
their ideas. This means there is a growing stake in protecting intellectual property
rights and recognizing that these safeguards are a cornerstone of a healthy global
information economy.

Our objective is to strengthen security practices in the worldwide supply chain

holding pre-release content. There are four guiding principles behind our content
security best practices:

Dont lose content.

Dont let someone steal content.
If content is lost or stolen, report it immediately.
Dont let security measures disrupt production.

For more than three decades, the Motion Picture Association of America, Inc.
(MPAA) has managed content security assessments at facilities on behalf of its
Member Companies (Members): Walt Disney Studios Motion Pictures;
Paramount Pictures Corporation; Sony Pictures Entertainment Inc.; Twentieth
Century Fox Film Corporation; Universal City Studios LLC; and Warner Bros.
Entertainment Inc.

Starting in 2008, these security assessments were performed using a

standardized survey model, process and report. Since then, over 500 facilities
have been inspected in 35 countries.
 BACKGROUND

The MPAA strengthens the process by which content is protected during

production, post-production, marketing and distribution. This is accomplished
(https://www.mpaa.org)
by:

Issuing a set of MPAA best practices by facility service that outline standard
controls that help to secure Member content.
Assessing and evaluating content security at third-party facilities against
the MPAA best practices.
Reinforcing the importance of securing Member content.
Providing a standard assessment vehicle for further individual discussions
regarding content security between Members and their business partners.

BEST PRACTICES

Content security best practices are designed to take into consideration the
services the facility provides, the type of content the facility handles, and in what
release window the facility operates. The purpose of these guidelines is to provide
current and future third party vendors engaged by MPAA Members with an
understanding of general content security expectations and current industry best
practices. Decisions regarding the use of vendors by any particular Member are
made by each Member solely on a unilateral basis.

Best practices outlined in this document are subject to local, state, regional,
federal and country laws or regulations.
Best practices outlined in this document, as well as the industry standards or ISO
references contained herein, are subject to change periodically.
Compliance with best practices is strictly voluntary. This is not an accreditation
program.

MPAA CONTENT SECURITY BEST PRACTICES COMMON

GUIDELINES SECURITY MODEL
Best practices are organized according to the MPAA Content Security Model,
which provides a framework for assessing a facilitys ability to protect a clients
content. It is comprised of 48 main security topics across its management system,
physical security and digital security. The components of the MPAA Content
Security Model are drawn from relevant ISO standards (27001/27002), security
standards (i.e., NIST) and industry best practices.
(https://www.mpaa.org)

(/wp-
content/uploads/2015/09/chart.png)

MPAA CONTENT SECURITY BEST PRACTICES APPLICATION AND

CLOUD/DISTRIBUTED ENVIRONMENT SECURITY GUIDELINES
SECURITY MODEL

The best practices for Application and Cloud are also organized according to the
MPAA Content Security model and are comprised of 6 main security topics across
application security and cloud security.

(/wp-
content/uploads/2015/09/bigchart1.png)

BEST PRACTICES DOWNLOADS

LAST UPDATED April 2015

There are now two documents which provide the MPAA Best Practices. The
Common Guidelines apply to all facilities that handle motion picture content. The
Application and Cloud/Distributed Environment Guidelines apply to facilities
 that offer applications and cloud hosting products and services. Below are the
links to downloadable versions of the MPAA Best Practices in six different
languages.
(https://www.mpaa.org)
Application and Cloud
Common Guidelines Language
Guidelines
Download (/wp- Download (/wp-
content/uploads/2015/11/MPAA-Best- content/uploads/2015/12/MPAA
Practices-Common- English Best-Practices-App-and-
Guidelines_V3_0_2015_04_02_FINAL- Cloud_V1-0-20150507-
r7.pdf) RELEASE-CANDIDATE-6.docx)
Download (/wp- Download (/wp-
content/uploads/2015/12/MPAA-Best- content/uploads/2015/12/MPAA
Practices-Common- Chinese Best-Practices-App-and-
Guidelines_V3_0_2015_04_02_FINAL- Cloud_V1-0-20150507-DRAFT-
r7_ZH-CN.docx) r2_zh-CN.docx)
Download (/wp- Download (/wp-
content/uploads/2015/12/MPAA-Best- content/uploads/2015/12/MPAA
Practices-Common- Japanese Best-Practices-App-and-
Guidelines_V3_0_2015_04_02_FINAL- Cloud_V1-0-20150507-DRAFT-
r7_JA.docx) r2_JA.docx)
Download (/wp- Download (/wp-
content/uploads/2015/12/MPAA-Best- content/uploads/2015/12/MPAA
Practices-Common- Korean Best-Practices-App-and-
Guidelines_V3_0_2015_04_02_FINAL- Cloud_V1-0-20150507-DRAFT-
r7_KO.docx) r2_KO.doc)
Download (/wp- Download (/wp-
content/uploads/2015/12/MPAA-Best- content/uploads/2015/12/MPAA
Portuguese
Practices-Common- Best-Practices-App-and-
(Br.)
Guidelines_V3_0_2015_04_02_FINAL- Cloud_V1-0-20150507-DRAFT-
r7_PT-BR.docx) r2_PT-BR.doc)
Download (/wp- Download (/wp-
content/uploads/2015/12/MPAA-Best- content/uploads/2015/12/MPAA
Spanish
Practices-Common- Best-Practices-App-and-
(Lat.)
Guidelines_V3_0_2015_04_02_FINAL- Cloud_V1-0-20150507-DRAFT-
r7_ES-LA.docx) r2_ES-LA.doc)

AWARDS SCREENERS BEST PRACTICES

The purpose of these guidelines is to promote security best practices related to

the creation and handling of motion picture screeners. A screener is broadly
defined as a copy of a motion picture provided to industry professionals. There
 are different types of screeners (e.g., awards or promotional), different recipients
(e.g., censorship boards or media outlets) and numerous entities involved (e.g.,
guilds or studios).
(https://www.mpaa.org)

Award Screeners

Content that is physically or digitally distributed to awards voters

Download
(http://www.fightfilmtheft.org/docs/Awards.pdf)

FACILITY-PAID INSPECTIONS

Although the MPAA does not offer a certification for content security, we do
perform security assessments of facilities and report the findings of these surveys
back to our Members through the MPAA Content Security Program. A facility
may make a security assessment request directly to the MPAA. The cost of the
assessment for a facility request is the responsibility of the vendor. A separate
agreement is signed for this and pre-payment is required. To receive a no
obligation quote for the cost to conduct and issue a Content Security Report for
your facility, please complete the application (below) and return it to
contentsecurity@mpaa.org (mailto:contentsecurity@mpaa.org.).

Facility Direct Request Application

Download (/wp-content/uploads/2015/11/MPAA-Pre-Site-
Questionnaire.docx)

Within a week of receiving the completed questionnaire, the MPAA will provide a
detailed quote that will be valid for one month. If you wish to proceed, the MPAA
will provide you with an Agreement and invoice. Once the MPAA has received a
signed Agreement and payment in full, the MPAA will schedule a date for the
inspection or MPAA will instruct its outside consulting firm to contact you about
scheduling a date for the inspection. A Content Security Report is then issued
about one month after this inspection occurs.

Prior to inspecting a facility, the facilitys management

team consents to participate in the program and
completes a questionnaire in order to provide
background on its services and operations.
 The MPAA sends MPAA personnel or a third-party firm
to conduct the security assessment, which generally lasts
one day to one week. This inspection includes interviews
(https://www.mpaa.org)
with key personnel (such as the Director of Operations)
and validation of controls in place through observation,
examination of documentation and re-performance.
Topic areas are outlined in the MPAA Content Security
Best Practices Common Guidelines, as well as the MPAA
Content Security Best Practices for Application and
Cloud/Distributed Environment Security Guidelines.

The outcome of this assessment is a Content Security

Report, which includes considerations for improvement
to meet the best practices for a given facility type.
Except in limited instances, a draft of the Content
Security Report is shared with the vendor being
assessed prior to finalization and distribution of such
report. The facilitys management is given an
opportunity to respond to theContent Security Report
within 10 business days. After 10 business days, the final
Content Security Report is distributed exclusively to the
MPAA, its Members, and their affiliates and
subsidiaries. If an assessed facility makes enhancements
to security after the Content Security Report is issued,
the vendor is encouraged to report the enhancements to
the MPAA.

Content Security Reports are provided to the MPAA and its Members solely as a
basis for individual discussions with the vendor about security at their facility.
Reports may also be distributed at MPAAs discretion, to other similarly situated
producers or distributors of audiovisual content.

SELF-ASSESSMENT QUESTIONNAIRES

The MPAA provides the opportunity for facilities to do a self-assessment against

the best practices via applicable Questionnaire(s).

Facilities may choose to utilize 2 different Questionnaires to indicate compliance

against the respective Best Practices:
 The Common Guidelines Questionnaire (/wp-
content/uploads/2016/06/Vendor-CG-Questionnaire-
Version-1.11.xlsx) is applicable to all facilities.
(https://www.mpaa.org)
The Application and Cloud Questionnaire (/wp-
content/uploads/2016/06/Vendor-AC-Questionnaire-
Version-0.992.xlsx) adds additional information applicable to vendors /
facilities providing these services.

It is in the discretion of the facility to determine if they wish to self-evaluate

against one or both sets of Best Practices. Please note that each questionnaire has
multiple tabs to complete.

These questionnaires allow facilities to evaluate themselves in preparation for a

potential assessment by the MPAA or other entities. The questionnaires provide a
general overview of areas that an auditor might review in assessing the degree of
compliance a facility would have against Best Practices, but are not all inclusive of
actual assessment criteria. The blank self-assessment questionnaires are provided
to the public for free (see links below) and are helpful for a facilitys internal use.

Additionally, the MPAA offers the opportunity to submit one or both

questionnaires to our offices for inclusion in our Member Registry. The Registry
is accessible by our Member Studios and is also the repository for actual audited
vendor assessment surveys (formal audits reports).

By offering your questionnaire(s) for inclusion in the Registry, you facilitys

submission(s) will be searchable by our Member Studios wishing to review
information regarding your operations. Self-assessment questionnaires are not a
substitute for a formal MPAA site security assessment, but do offer you an
opportunity to present your information and internal appraisal of your security
systems to our Members. This allows users to review providers they currently use
or are considering using against general areas of compliance.

Our processing cost for including completed questionnaires in the Registry is

$200 USD payable by check or wire transfer upon our acceptance of your
submission. If a facility decides to pursue a formal MPAA assessment in the
future, the $200 will be credited to the quoted auditing fees for such an
assessment.

The Common Guidelines Questionnaire (/wp-

content/uploads/2016/06/Vendor-CG-Questionnaire-
Version-1.11.xlsx) is available by clicking this link.
 The Application and Cloud Questionnaire (/wp-
content/uploads/2016/06/Vendor-AC-Questionnaire-
Version-0.992.xlsx) is available by clicking this link.
(https://www.mpaa.org)
Completed Questionnaires may be sent directly to Self_Assess@mpaa.org
(mailto:Self_Assess@mpaa.org) if you wish them to be included in our
Member Facility Registry. Upon receipt you will be instructed on how to remit
your payment.

FAQ

PROGRAM

How do I get MPAA certified?

The MPAA Content Security Program is not a certification or accreditation

program. The program is an assessment or inspection of the facility.
Content Security Reports are viewed as a basis for individual discussions
between an MPAA Member and its vendors about security at their facility.

How do I get a facility assessed?

A facility may make a request for an assessment directly to MPAA. The cost of
the assessment is the responsibility of the vendor. A separate agreement is
signed for this option and pre-payment is required. Inquiries for this process
are explained here.

Is the report valid for a specific time?

The Content Security Report is a snapshot of security as of the specific date of

the assessment. As such, it is not valid over a period of time.

Who gets a copy of the report?

The Content Security Report is distributed to the MPAA and to authorized

individuals at each of its Members and their subsidiaries and affiliates.
Reports may also be distributed at MPAAs discretion, to other similarly
situated producers or distributors of audiovisual content. The vendor receives
a copy of the final Content Security Report for their records.

What types of facilities are inspected? Are there limitations on who can be
assessed?
 Facilities that currently handle or will handle content on behalf of MPAA
Members are candidates to participate. Generally, facilities should be
operational and not in pre-production or planning because the assessment is
designed to validate controls in place. Facilities assessed to date include visual
(https://www.mpaa.org)
effects houses, digital cinema, replication/distribution, video-on-demand,
various post-production specialists, and application and cloud providers.

What is the typical timeline for this process?

It may take up to two months to complete the process. Typically, the greatest
delays happen during the initial pre-site coordination and scheduling. Once
the on-site visit occurs, there is a one-month performance standard to
disseminate the final Content Security Report to the MPAA and its Members.

BEST PRACTICES

Is my facility required to implement all of the best practices presented?

Compliance with best practices is strictly voluntary. They are suggested

guidelines to consider when planning, implementing and modifying security
procedures.

If my facility offers multiple services (e.g., film lab and post-production),

what set of supplemental best practices should I apply?

Facilities should always apply the more restrictive set of best practices unless
the work processes are separated from each other, in which case, you should
reference Appendix C of the Best Practices Common Guidelines for the
security controls applicable for each facility type.

Is my facility required to apply all items included in the Implementation

Guidance section of the best practices?

No. Information contained in this section of the guidelines is intended to assist

you in determining the best way to structure a particular security control. If
your facility has a site assessment conducted by the MPAA, our assessment
will only compare your facilitys practices against the respective best practice
section of the guidelines at a given point in time.

What if my current system does not allow for the implementation of best
practices?

Please contact the respective systems vendor in order to identify possible

solutions to enable systems to follow best practices. Solutions can include
patching, updating the version or even changing to a more secure system.
Alternative security measures can also be used if technical limitations prevent
 the implementation of best practices; however, these are normally not
considered to cover the associated risks. Exceptions to the implementation of
security guidelines due to system limitations should be formally documented
and approved by your clients.
(https://www.mpaa.org)

When applying best practices in this guideline, will my facility still need to
comply with security requirements set individually by an MPAA Member?

The implementation of best practices is a guideline and does not supersede

specific contractual provisions with an individual MPAA Member. Decisions
regarding the use of vendor(s) by any particular Member are made by each
Member solely on a unilateral basis. The MPAA encourages you to use the best
practices as a guideline for future discussions around security with your
clients.

REPORT PIRACY

MPAA REPORT PIRACY ONLINE

You can report piracy directly to the MPAA: /contact-us/ (/contact-us/)

MPAA and MPA 24-Hour Piracy Tip Lines

The following list presents the 24-hour tip line contact information for each
country where the MPAA works with a local content protection office:

North America and Latin America Region

Canada (800) 363-9166
United States (800) 371-9884
Europe, Middle East, Africa (EMEA) Region
Belgium +32 2 778 2711
Asia Pacific (APAC) Region
Australia +61 29997 8011
Hong Kong +65 6253-1033
Malaysia +65 6253-1033
New Zealand +65 6253-1033
Philippines +65 6253-1033
Singapore +65 6253-1033
Taiwan +65 6253-1033

A complete listing of general contact information for all content protection

regional and country offices is located at: www.mpaa.org/about/around-
the-world (/about/around-the-world)
 MPAA Online Resources

Additional information about the MPAA can also be found on this website located
at: www.mpaa.org (https://www.mpaa.org)
(https://www.mpaa.org)

You can also learn about programs worldwide to protect content during the
exhibition at: www.fightfilmtheft.org (http://www.fightfilmtheft.org)

CONTACT

If you have any questions, please submit an email to

contentsecurity@mpaa.org (mailto:contentsecurity@mpaa.org).

The Motion Picture Association of America, Inc. (MPAA) along with the
Motion Picture Association (MPA) and other subsidiaries and affiliates serve as
the voice and advocate of the American motion picture, home entertainment and
television industries.

2017 Motion Picture Association of America, Inc. All rights reserved. | Privacy Policy
(https://www.mpaa.org/privacy-policy/) | Terms of Use
(https://www.mpaa.org/terms-of-use/)