The Motion Picture Association of America (MPAA) has established a set of best practices for securely storing, processing and delivering protected media and content (http://www.fightfilmtheft.org/facility-security-program.html). Media companies use these best practices as a way to assess risk and security of their content and infrastructure.
AWS has demonstrated alignment with the MPAA best practices and the AWS infrastructure is compliant with all applicable MPAA infrastructure controls. While the MPAA does not offer a “certification,” media industry customers can use the AWS MPAA guidance to augment their risk assessment and evaluation of MPAA-type content on AWS.
For additional information on digital media solutions please visit:
AWS has provided a flexible means of securely extending our Datacenter to the cloud via their virtual private cloud (VPC) offering. We can leverage existing hardware/policies and procedures for a secure, seamless, and scalable computing environment that requires very little resources to manage.
Theresa Miller Executive Vice President, Information Technology for LIONSGATE
| Best Practice |
| Ensure executive management/owner(s) oversight of the Information Security function by requiring periodic review of the information security program and risk assessment results. |
| AWS Implementation | |||
| The Control environment at Amazon begins at the highest level of the Company. Executive and senior leadership play important roles in establishing the Company's tone and core values. AWS has established an information security framework and policies based on the Control Objectives for Information and related Technology (COBIT) framework and have effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, the PCI DSS v3.1 and the National Institute of Standards and Technology (NIST) Publication 800-53 Rev 3 (Recommended Security Controls for Federal Information Systems). AWS employee’s complete periodic role based training which includes AWS Security training. Compliance audits are performed so that employees understand and follow the established policies. | |||
| Best Practice |
|||
| Develop a formal security risk assessment process focused on content workflows and sensitive assets in order to identify and prioritize risks of content theft and leakage that are relevant to the facility. | |||
| AWS Implementation | |||
| AWS has implemented a formal, documented risk assessment policy that is updated and reviewed at least annually. This policy addresses purpose, scope, roles, responsibilities, and management commitment. In alignment with this policy, an annual risk assessment which covers all AWS regions and businesses is conducted by the AWS Compliance team and reviewed by AWS Senior Management. This is in addition to the Certification, attestation and reports that are conducted by independent auditors. The purpose of the risk assessment is to identify threats and vulnerabilities of AWS, to assign the threats and vulnerabilities a risk rating, to formally document the assessment, and to create a risk treatment plan for addressing issues. Risk assessment results are reviewed by the AWS Senior Management on an annual basis and when a significant change warrants a new risk assessment prior to the annual risk assessment. Customers retain ownership of their data (content) and are responsible for assessing and managing risk associated with the workflows of their data to meet their compliance needs. The AWS Risk Management framework is reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMPsm compliance. |
|||
| Best Practice |
| Identify security key point(s) of contact and formally define roles and responsibilities for content and asset protection. |
| AWS Implementation | |||
| AWS has an established information security organization managed by the AWS Security team and is led by the AWS Chief Information Security Officer (CISO). AWS maintains and provides security awareness training to all information system users supporting AWS. This annual security awareness training includes the following topics; The purpose for security and awareness training, The location of all AWS policies, AWS incident response procedures (including instructions on how to report internal and external security incidents). Systems within AWS are extensively instrumented to monitor key operational and security metrics. Alarms are configured to automatically notify operations and management personnel when early warning thresholds are crossed on key metrics. When a threshold is crossed, the AWS incident response process is initiated. The Amazon Incident Response team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operates 24x7x365 coverage to detect incidents and manage the impact to resolution. AWS roles & Responsibilities are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMPsm compliance. |
|||
| Best Practice | |||
| Establish policies and procedures regarding asset and content security; policies should address the following topics, at a minimum: • Human resources policies • Acceptable use (e.g., social networking, Internet, phone, etc.) • Asset classification • Asset handling policies • Digital recording devices (e.g., smart phones, digital cameras, camcorders) • Exception policy (e.g., process to document policy deviations) • Password controls (e.g., password minimum length, screensavers) • Prohibition of client asset removal from the facility • System change management • Whistleblower policy • Sanction policy (e.g., disciplinary policy) |
|||
| AWS Implementation | |||
| AWS has established an information security framework and policies based on the Control Objectives for Information and related Technology (COBIT) framework and have effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, the PCI DSS v3.0 and the National Institute of Standards and Technology (NIST) Publication 800-53 Rev 3 (Recommended Security Controls for Federal Information Systems). AWS maintains and provides security awareness training to all information system users supporting AWS. This annual security awareness training includes the following topics; The purpose for security and awareness training, The location of all AWS policies, AWS incident response procedures (including instructions on how to report internal and external security incidents). AWS policies, procedures and relevant training programs are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMPsm compliance. |
| Best Practice | |||
| Establish a formal incident response plan that describes actions to be taken when a security incident is detected and reported. |
| AWS Implementation |
AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment. |
Workflow documentation of Content (data) is the responsibility of AWS Customers as Customers retain ownership and control of their own guest operating systems, software, applications and data. |
| Best Practice | |||
Perform background screening checks on all company personnel and third-party workers. |
|||
| AWS Implementation | |||
| AWS conducts criminal background checks, as permitted by applicable law, as part of pre-employment screening practices for employees commensurate with the employee’s position and level of access to AWS facilities. AWS background check program is reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMPsm compliance. |
|||
| Best Practice | |||
| Require all company personnel and third-party workers to sign a confidentiality agreement (e.g., non-disclosure) upon hire and annually thereafter, that includes requirements for handling and protecting content. | |||
| AWS Implementation | |||
| Amazon Legal Counsel manages and periodically revises the Amazon Non-Disclosure Agreement (NDA) to reflect AWS business needs. AWS usage of Non-Disclosure Agreements (NDA) is reviewed by independent external auditors during audits for our ISO 27001 and FedRAMPsm compliance. |
|||
| Best Practice | |||
| Log and review electronic access to restricted areas for suspicious events. | |||
| AWS Implementation | |||
Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. |
|||
| Best Practice | |||
Implement a content asset management system to provide detailed tracking of physical assets (i.e., client and newly created). |
|||
| AWS Implementation | |||
| Content Asset Management is owned, implemented and operated by AWS Customers. It is the responsibility of Customers to implement inventory tracking of their physical assets. For AWS Data Center Environments, all new information system components, which include, but are not limited to, servers, racks, network devices, hard drives, system hardware components, and building materials that are shipped to and received by data centers require prior authorization by and notification to the Data Center Manager. Items are delivered to the loading dock of each AWS Data Center and are inspected for any damages or tampering with the packaging and signed for by a full-time employee of AWS. Upon shipment arrival, items are scanned and captured within the AWS Asset management system and device inventory tracking system. Once items are received, they are placed in an equipment storage room within the data center that requires the swipe badge and PIN combination for access until they are installed on the data center floor. Prior to exiting the data center, items are scanned, tracked, and sanitized before authorization to leave the data center. AWS Asset Management processes and procedures are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMPsm compliance. |
|||
| Best Practice | |||
| Prohibit Internet access on systems (desktops/ servers) that process or store digital content. | |||
| AWS Implementation | |||
| Boundary protection devices that employ rule sets, access control lists (ACL), and configurations enforce the flow of information between network fabrics. These devices are configured in deny-all mode, requiring an approved firewall set to allow for connectivity. Refer to DS-2.0 for additional information on Management of AWS Network Firewalls. There is no inherent e-mail capability on AWS Assets and port 25 is not utilized. A Customer (e.g. studio, processing facility etc.) can utilize a system to host e-mail capabilities, however in that case it is the Customer's responsibility to employ the appropriate levels of spam and malware protection at e-mail entry and exit points and update spam and malware definitions when new releases are made available. Amazon assets (e.g. laptops) are configured with anti-virus software that includes e-mail filtering and malware detection. AWS Network Firewall management and Amazon's anti-virus program are reviewed by independent third-party auditors as a part of AWS ongoing compliance with SOC, PCI DSS, ISO 27001 and FedRAMPsm. |
|||




