How do I get "MPAA certified"?
The MPAA Site Security Program is not a certification or accreditation program. The program is a "survey" or "inspection" of the facility. Site Security Reports are viewed as a basis for individual discussions between an MPAA Member and its vendors about security at their facility.
How do I get a facility surveyed?
There are two ways to be surveyed: (1) through an MPAA Member request; or (2) a facility request directly to the MPAA. The cost of the survey for a facility request, the second option, is the responsibility of the vendor. A separate contract is signed for this option and pre-payment is required. Inquiries for this process are explained here.
Is the report valid for a specific time?
The Site Security Report is a snapshot of security as of the specific date of the survey. As such, it is not valid over a period of time.
Who gets a copy of the report?
The Site Security Report is distributed only to the MPAA and to authorized individuals at each of its Members and their subsidiaries and affiliates. The vendor receives a copy of the final Site Security Report for their records.
What types of facilities are inspected? Are there limitations on who can be surveyed?
Facilities that currently handle or will handle content on behalf of MPAA Members are candidates to participate. Generally, facilities should be operational and not in pre-production or planning because the survey is designed to validate controls in place. Facilities surveyed to date include visual effects houses, digital cinema, replication/distribution, video-on-demand and various post-production specialists.
What is the typical timeline for this process?
It may take up to two months to complete the process. Typically, the greatest delays happen during the initial pre-site coordination and scheduling. Once the on-site visit occurs, there is a one-month performance standard to disseminate the final Site Security Report to the MPAA and its Members.
Is my facility required to implement all of the best practices presented?
Compliance with best practices is strictly voluntary. They are suggested guidelines to consider when planning, implementing and modifying security procedures.
If my facility offers multiple services (e.g., film lab and post-production), what set of supplemental best practices should I apply?
Facilities should always apply the more restrictive set of supplemental best practices unless the work processes are separated from each other, in which case, you should only apply the supplemental best practices to the environment for that service.
Is my facility required to apply all items included in the "Implementation Guidance" section of the best practices?
No. Information contained in this section of the guidelines is intended to assist you in determining the best way to structure a particular security control. If your facility has a site survey conducted by the MPAA, our assessment will only compare your facility's practices against the respective best practice section of the guidelines at a given point in time.
What if my current system does not allow for the implementation of best practices?
Please contact the respective systems vendor in order to identify possible solutions to enable systems to follow best practices. Solutions can include patching, updating the version or even changing to a more secure system. Alternative security measures can also be used if technical limitations prevent the implementation of best practices; however, these are normally not considered to cover the associated risks. Exceptions to the implementation of security guidelines due to system limitations should be formally documented and approved by your clients.
When applying best practices in this guideline, will my facility still need to comply with security requirements set individually by an MPAA Member?
The implementation of best practices is a guideline and does not supersede specific contractual provisions with an individual MPAA Member. Decisions regarding the use of vendor(s) by any particular Member are made by each Member solely on a unilateral basis. The MPAA encourages you to use the best practices as a guideline for future discussions around security with your clients.