- Supply Chain Risk (Vendors)
- Device Security Recommendations
- Physical Security Recommendations
- Social Media Guidance
STUDIO & CORPORATE SECURITY OVERVIEW
Studio & Corporate Security (SCS) works with productions and partners to raise security awareness and provide guidance and solutions to manage risk.
This guidebook is meant to provide production crews with a general understanding of how we approach security. We will provide you the context you need to make good decisions about implementing security best practices. We're available as a resource for you. Please reach out when you have questions regarding content security.
For all inquiries reach out to - SCS@Netflix.com
INTRODUCTION, OVERVIEW, APPROACH
SCS takes a pragmatic approach to managing risk on Netflix Studio productions. SCS approaches security following these guiding principles:
- We use guidance and technology to enhance production while effectively managing risk.
- We provide solutions that integrate security into existing tools, workflows, systems, and constructs.
- We make our decisions transparent.
- We understand that some productions are inherently more confidential than others, and we provide support in keeping with the production's security tier.
We take a thoughtful approach to incidents at Netflix. When a security incident occurs, we want to address the issue, understand the root cause, and learn from it to educate others on how to avoid a recurrence. If you believe there has been an incident, contact - SCS@Netflix.com.
SECURITY CHEAT SHEET
These are the basics of content security. Please take some time to familiarize yourself with these ideas.
- Need to Know - Access to our data is a privilege and should only be granted on a “need to know” basis. People who don’t need to view or handle our data shouldn’t be given this privilege.
- Nondisclosure - Persons with access to content should sign a nondisclosure agreement. Persons with access to content are responsible to protect it.
- Social Media - Social media and public sharing are so ubiquitous that it’s easy to forget that some things are meant to be kept private. It’s important to remember that our projects are to be treated as private and confidential.
- System Access - Access should be granted based on a user’s specific need. Where possible, users should be onboarded using Netflix created accounts.
- Device Security - Devices storing and handling data must be kept secure. At a minimum, the following practices should be in place:
- Software - Software, including the operating system, must be kept up to date. It is best to enable automatic updates. Current operating system versions can be found here for Mac and here for Windows. We understand that some creative software cannot be updated due to stability concerns. Please reach out if you have questions about this.
- Encryption - Devices must be encrypted. Macs should enable FileVault and Windows systems should turn on BitLocker. External hard-drives (e.g. shuttle drives, USB sticks, etc.) should be hardware encrypted.
- Passwords - Lengthy passphrases and/or other Netflix-recommended authentication methods (e.g. two-factor authentication) must be used on all systems and applications. Securely maintain these passwords and other authentication methods and do not share them with others. Consider using a password manager such as 1Password or LastPass.
- Network Security - Networks should be kept secure to prevent unwanted and unauthorized access to data and other sensitive information.
- Physical Security - An appropriate level of physical security must be maintained to minimize the likelihood of theft. This includes not leaving data or sensitive materials in unsecured, using safes or locking cabinets to store assets, locking doors, etc.
- Secure Delivery and Transfer - All movement of data, physical or digital, must be conducted via a secure method.
- Physical Deliveries should travel via trusted employee or a secure courier/freight company.
- Digital Transfers must be done via a secure platform that is Netflix approved (e.g. Content Hub, PIX, Aspera). If you need to have a tool reviewed, please contact SCS@Netflix.com.
- Asset Tracking - Records of persons and organizations with access to data should be maintained.
- Watermarking - All turnover materials should have personally identifiable watermarks/burn-ins.
- Data Deletion - When data is no longer needed, it must be destroyed, securely and permanently. Please be mindful of any contractual obligations before deleting data.
- Third Parties - Before engaging a third party to handle data, please notify SCS, so we can determine if an assessment is needed.
- Incidents - Any incident where data may be exposed must immediately be brought to the attention of Security, contact us at SCS@Netflix.com.
Below is our high-level security guidance. If clarification or specific guidance is needed, please reach out to us at: SCS@Netflix.com.
Protecting the confidentiality of our projects is essential for data security. It's also key to creating memorable experiences for our members. Each of us is responsible for ensuring that the data we handle (content, personal information, financial data, etc.) is protected. We expect all of our partners to maintain the highest level of confidentiality when working on our projects.
Ensure all production documents, including but not limited to, call sheets, scripts, employment forms, and crew lists, are handled via the Google Drive. Avoid printing hard copies of production documents. If hard copies are necessary, they should go only to individuals with a demonstrated business need. Make sure that hard copies are individually watermarked, collected, and securely destroyed.
We recommend watermarking any materials shared outside of production. Watermarking primarily serves as a deterrent from unauthorized sharing, but it also helps us track the origin of a leak.
Follow these best practices:
- Identify the end recipient(s) and/or company.
- Place the watermark in a location where it is not easily cropped or/removed. Ideally, the watermark should extend across the center of the page.
- The text should be transparent; we recommend opacity levels between 20-40%.
Social Media Security Guidance
In order to orchestrate effective marketing campaigns, Netflix Studio limits what information can be shared about projects in production. We ask the crew to refrain from taking photos on or near the set, and to hold off on posting production details (including locations and plot points) on social media. Please don't use any #hashtag that refers to the production and/or its cast, crew, or locations. Netflix fans search social media (such as Twitter, Facebook, Instagram and Reddit), piecing together clues about our shows, to try to uncover spoilers, secrets and surprises (and often to show up on set/location). Let's do our best to keep this from happening. For more details, see Social Media Security.
Supply Chain Risk (Vendors)
It’s important that we know what systems and vendors are being used on our productions. SCS will conduct a security review of any vendor or system that is used to process, store or share sensitive data. Your Netflix Production Coordinators can tell you whether a system or a vendor has been reviewed. If the system or vendor you want to use hasn’t been reviewed, please contact us.
Device Security Recommendations
We all store sensitive data on our devices (computers, phones, tablets, etc.) and we’re all responsible for ensuring we’ve taken the right steps to protect this data. A few essential security best practices provide a very good level of protection, without slowing down the user. Consider implementing the following on your devices:
Use unique usernames and passwords
- Disable guest accounts on Mac
- Keep up to date via automatic updates (Mac instructions, Windows is on by default), this goes for any applications that are being used as well
- Encryption (FileVault for Mac, BitLocker for Windows)
- Disable remote connections, if there is a need for this contact SCS@Netflix.com
- Enable the device firewall (Mac, Windows is on by default)
- Disable automatic logins and enable screen lock (Mac, Windows)
When using hard drives to store or shuttle data, we recommend the use of hardware-encrypted drives such as: Rocstor, Apricorn Aegis, or Lacie Rugged Secure. These drives generally work cross platform and do not require any additional software installed by the end user. Software encryption, such as FileVault or BitLocker is also acceptable, however there will be overhead in setting up the drives. We prefer using encryption because it provides confidence knowing that if the drive is lost or stolen, the data will be inaccessible.
Mobile Device Management
The use of Google Apps on a mobile device requires the installation of a Netflix Mobile Device Management (MDM) profile. This profile ensures your device is in a secure state by applying certain settings, such as requiring a passcode, and verifies the operating system is unmodified. It also provides us the ability to remove the Google Apps and related data. If you request it, we also have the capability to remotely wipe the device in case of loss or theft. Neither the profile nor the applied settings permit us to access any personal information (photos, contacts, call logs, text messages, social media, internet activity, etc.) or other data on the device. Any questions should be directed to SCS@Netflix.com.
Any lost or stolen device containing production data should be reported immediately to Netflix by submitting a ticket in Partner Help Center or emailing Support. This includes personally owned devices, as well as those issued by Netflix or our Production partners.
We prefer that our productions leverage our systems (G-Suite, Content Hub, Origin Story) where possible. This allows us to provide a secure workspace where you can work, store, and share the sensitive data that is created during production. While we do not restrict the use of third party tools, we cannot always ensure the security of these tools or provide technical support.
When sharing data, we encourage the use of our tools. To that end, we also recommend sharing via a link and not an attachment (meaning the recipient will have to interact with the file in the system rather than a downloaded version on their device). All large media file transfers should be done through an approved secure transfer platform (Aspera, Content Hub) or if done physically on encrypted hard drives.
System Security Recommendations
Access to systems should be based on a business need rather than granting broad access. We recommend using Netflix provided solutions where possible. For new or unknown systems not provided by Netflix we recommend reaching out to SCS@Netflix.com for security recommendations or to perform a security review.
Account Security Guidance
Accounts are everywhere and are a key to productivity; whether it's an email account or a login to a production content application. Protecting accounts and the credentials used to access them is crucial. The following are our recommendations on how to protect both your work accounts as well as personal logins.
- For passwords, we recommend using longer passphrases (4 lower case words) or randomly generated passcodes. Chrome and other browsers offer this as a feature.
- Use a unique passphrase/password for each site. Password reuse allows an attacker that has one credential to try it again on other sites.
- Use a password manager. Rather than trying to remember dozens or hundreds of passphrases. Apps like 1Password or LastPass can save them all in one secure spot.
- Use two-factor authentication (2FA) wherever possible. 2FA greatly reduces the likelihood of an account compromise. See here for additional information.
- Do not share credentials with anyone else, including tech support. If you do have a need to share an account, please reach out to SCS@Netflix.com first.
- Be mindful of suspicious looking emails. If you are unsure about the sender, do not click on links in the email. In order to verify the authenticity of the email, you should reach out to the sender directly rather than reply to the email you received. If you’d like additional help, reach out to SCS@Netflix.com.
Physical Security Recommendations
We partner closely with the Risk and Intelligence and the Production Security teams to limit risk to productions. From the Information Security perspective the guidance we provide is aimed to minimize the loss of sensitive data that could be lost or stolen. Ensure basic security precautions are taken so that sensitive data in physical form (documents, hard drives, etc.) is not easily accessible. This includes on location, in an office, in personal vehicles, and anywhere else. Some basic guidance is as follows:
- Lock up spaces that can be locked
- Do not leave anything sensitive or valuable anywhere unattended
- Only allow authorized persons access to work areas (including sets and locations)
- Where viable, consider security cameras or alarm systems
Additional guidance can be found here.
Social Media Guidance
In order for the Studio to orchestrate an effective marketing campaign and show launch, we ask our crew that no photos are taken on or near-set, and that there are no social media postings regarding the production, locations, or plot points. Please do not use any #hashtag that refers to the production, and/or its cast, crew, or locations. Netflix fans troll social media (Twitter, Facebook, Instagram, Reddit, etc.) piecing together clues about our shows to try to uncover spoilers, secrets, and surprises (and in many cases to show up to set/location) - let's do our best to prevent this from happening while creating amazing shows.
With an increasing amount of very sensitive information being available on your social media accounts, and attackers targeting social media users, you should take steps to secure your online presence. The following items are our recommendations on how to protect yourself on the most common social media platforms.
- Two Factor Authentication - The best way to protect your social media accounts from takeover is to add two-factor authentication (sometimes called ‘login verification’ or 2FA). www.turnon2fa.com has instructions on how to enable this for the most popular sites.
- Limit Sharing - Consider limiting the audience of your posts and the information you share. Facebook, Instagram, and Twitter have privacy options that should be enabled. Also, the apps that you’ve linked to your accounts can scrape your private data; consider removing any apps you don’t need or want. The Mozilla Foundation offers some detailed privacy settings for Instagram, Twitter, and Facebook.
- Separate Your Personas - If you want to maintain a public presence, consider having separate accounts for your public and personal lives. This allows you to curate what’s available publicly while keeping your ability to engage with friends and family in a less guarded manner.
- Know Your Followers - If you’ve locked down your private account, ensure that you know everyone approved to follow you. Remove and/or block anyone you don’t know.
- Social Engineering - Not everyone is who they claim to be online; apply healthy skepticism when adding people to your social media. Impersonating accounts, using the same names and pictures as existing friends are common; if you think you’re already friends with someone, think before you add them again.
- Social Media Guidelines - The marketing lead will circulate a set of social media guidelines outlining what should and should not be posted while in production or about the project. If there are any questions about that policy, please reach out.