I recently had reason to spend some time looking at the “Content Security Best Practices Common Guidelines” published by the Motion Picture Association of America (MPAA). The guidelines are intended to insure the security of movie content throughout its life-cycle. With the cost of film development rising into the hundreds of millions and the gross receipts for a blockbuster in the billions, the need for security in the industry is self-evident. However, having seen “Swordfish” and “Sneakers” I wasn’t expecting much from a “Hollywood” – developed information security standard – boy was I in for a surprise.
First, I’ve traditionally not been a big believer in industry specific standards. However, I’m warming to the idea. The key to an industry specific standard is that it provides consistency in information security risk for the organizations in the industry subject to the standard. The Motion Picture Industry seems to fit that bill. Under that scenario there is an advantage to this approach in that when risks are already understood, the controls necessary to manage those risks to an acceptable level, and the extent and rigor of those controls, can be defined by the standard. I refer to these types of standards as being “prescriptive” in nature. The more prescriptive a standard is, the easier it is to implement for the end-user and the less ambiguity there is during the audit process – both of which are good things. (HITRUST takes the same approach in the Healthcare domain.)
What was very interesting to me about the MPAA standard was the fact that it included many non-traditional information security processes. I was tempted to call them non-information security processes – but I think that would be inaccurate. For example, it includes security categories like “Budgeting”, “Shipping”, and “Receiving” – which focus on the risk associated with these key processes that are integral to information security – but not necessarily information security processes. This idea aligns well with the concept of information security risk being a function of information and the processes that act on it. The broader view of the MPAA focuses on risk in its naturally occurring contexts and understands that treating key risks requires more than applying technical controls on information systems.
Several years ago we learned that when you look at processes, rather than assets, the output from risk assessments becomes truly worthwhile. Looks like the MPAA agrees…