Information Security Blog

Is The Motion Picture Industry A Model For Information Security?

I recently had reason to spend some time looking at the “Content Security Best Practices Common Guidelines” published by the Motion Picture Association of America (MPAA). The guidelines are intended to insure the security of movie content throughout its life-cycle. With the cost of film development rising into the hundreds of millions and the gross receipts for a blockbuster in the billions, the need for security in the industry is self-evident. However, having seen “Swordfish” and “Sneakers” I wasn’t expecting much from a “Hollywood” – developed information security standard – boy was I in for a surprise.

motion-picture-infosec

First, I’ve traditionally not been a big believer in industry specific standards. However, I’m warming to the idea. The key to an industry specific standard is that it provides consistency in information security risk for the organizations in the industry subject to the standard. The Motion Picture Industry seems to fit that bill. Under that scenario there is an advantage to this approach in that when risks are already understood, the controls necessary to manage those risks to an acceptable level, and the extent and rigor of those controls, can be defined by the standard. I refer to these types of standards as being “prescriptive” in nature. The more prescriptive a standard is, the easier it is to implement for the end-user and the less ambiguity there is during the audit process – both of which are good things. (HITRUST takes the same approach in the Healthcare domain.)

What was very interesting to me about the MPAA standard was the fact that it included many non-traditional information security processes. I was tempted to call them non-information security processes – but I think that would be inaccurate. For example, it includes security categories like “Budgeting”, “Shipping”, and “Receiving” – which focus on the risk associated with these key processes that are integral to information security – but not necessarily information security processes. This idea aligns well with the concept of information security risk being a function of information and the processes that act on it. The broader view of the MPAA focuses on risk in its naturally occurring contexts and understands that treating key risks requires more than applying technical controls on information systems.

Several years ago we learned that when you look at processes, rather than assets, the output from risk assessments becomes truly worthwhile. Looks like the MPAA agrees…

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

Substantiate the net effectiveness of a mature control environment
Prove to a third party that an environment is secure/trustworthy
Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
To validate that significant changes did not have unanticipated results

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Is ISO 27001 Right for (Y)our Organization?

Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

How to deal with increasing threats
How to manage multiple regulatory requirements
How to handle client requests for attestation
To validate that significant changes did not have unanticipated results

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.