Refer to end for translated versions
Overview
The Netflix Content Security team has identified the following as security requirements for any partner handling Netflix content. Our requirements map to industry best practices such as TPN, NIST, ISO, etc. For additional context or questions about these requirements, please reach out to the Content Security Team.
Security Requirements
Organizational Security Management
- Establish a security management process which includes conducting internal risk assessments, reviewing policies, documentation, and workflows annually, and designating a dedicated security oversight council.
- Maintain records of any previous assessments, certifications, and external testing (e.g. SOC 2, Pen Tests, Vuln Scans, Code/Application Reviews, TPN Assessments).
- Maintain written policies, standards, guidelines, practices, and procedures for the secure processing and protection of data, which must at a minimum include:
- acceptable use policy, social media policy, work from home policy, AI use policy, data retention & destruction policy,
- records of systems, applications, and other utilized software, and
- documented workflows including how content traverses your environment.
- Establish, maintain, and test reasonable business continuity and disaster recovery controls and procedures to assure the availability of Netflix Non-Public Data, including for cyber issues such as ransomware attacks.
- Establish and implement a comprehensive user lifecycle program, which includes, but is not limited to:
- a defined onboarding and offboarding process,
- limiting access to the systems and data necessary for each individual's job function,
- ensuring that all relevant documents are signed, including non-disclosure agreements (NDAs), and
- ensuring access to all systems, including Netflix systems/accounts, is reviewed regularly and deprovisioned upon completion of the individual's assignment or termination of the engagement.
- Provide relevant and ongoing education and training to the workforce regarding security policies, confidentiality obligations, appropriate technology use, and external threats (e.g. phishing). Training should be provided annually or more frequently for highly confidential projects.
- Ensure security personnel are trained in cloud security practices.
- Ensure that any use of third parties/subcontractors for content-based work is cleared by your Netflix business contact. Also ensure that these third parties/subcontractors meet equivalent security measures, such as:
- established shared responsibility model,
- risk assessment and management process,
- policies and procedures,
- data management and disposal procedures,
- confidentiality agreements/NDAs, and
- handling and reporting of incidents.
- Establish, review, and test an Incident Response policy and process, at least annually. The process should include all IT and Content-related incidents/issues and include the following:
- methods for detection and response,
- established contacts with law enforcement and cybersecurity incident response specialists,
- a notification/escalation path internally and externally to clients,
- a process to gather evidence/forensics and conduct analysis,
- a defined incident review and remediation process that includes root cause, lessons learned, preventative measures taken, etc.
- Document a reasonable work from home policy, and establish secure protocols so that working from home is an extension of your organization’s controlled security environment and meets these same requirements.
- Establish a process for highly confidential projects. This may include using code names/aliases, further restricted access to projects, advanced security controls, or unique workflows.
Digital Security Management
- Document and maintain an up-to-date network diagram that identifies all systems and endpoints where Netflix content is stored, defines data segmentation, and calls out all ingress and egress to systems/services where Netflix content is processed or stored.
- Establish a process to conduct security risk and vulnerability assessments (monthly), penetration tests (yearly), and internal security risk assessments (yearly). Add or adjust controls and safeguards to address the risks identified. This should include:
- reviews of policies and procedures, workflow and network diagrams,
- security audits of all tooling, applications, and systems,
- scans of internal and external IP ranges and hosts, APIs, and all networks,
- penetration tests, application security reviews, and other critical testing conducted by an independent third party, using both full-knowledge testing (to confirm the tester's understanding of the security posture) and zero-knowledge testing (which reflects the position an external adversary starts from), and
- an updated threat model based on the results of the security assessments.
- Content transfers (data I/O) are only allowed in a secure and confidential manner, using approved networks, tools, or applications. Content transfers must be conducted over dedicated systems that employ industry-standard encryption, are separate from internal networks, and follow the data I/O policy. Establish, document, and regularly review the workflows and processes for data I/O systems, including:
- use of dedicated data I/O systems to move content between external networks (Internet) and internal networks (data I/O network, production).
- scanning all content for viruses and malware prior to ingest into the network.
- where feasible, use dedicated personnel for I/O.
- Establish and deploy security baselines and policies to configure endpoints, systems, applications, and infrastructure. This should include documented guidance for device security, application and system hardening, etc. Deploy Mobile Device Management (MDM) and/or Mobile Application Management (MAM) for mobile devices. Security baselines should include:
- using anti-virus/anti-malware,
- disabling guest accounts or removing unnecessary accounts (including default admin accounts),
- encrypting devices (e.g. laptops, mobile devices),
- enabling local firewalls and disabling remote access services that are not required,
- enabling locked screensavers and account lockouts,
- ensuring operating systems are up to date,
- remote wiping of devices.
- Systems processing or storing content should have endpoint management software installed. This includes: workstations, servers, SAN/NAS, and virtual machines. The policies should map to security baselines and acceptable use policy. Ideally, the software can report on when a system is out of compliance with established baselines (e.g. unpatched or misconfigured).
- Employ an Endpoint Detection and Response (EDR) system, to detect and remediate security issues.
- Mobile devices, including mobile phones, tablets, and laptops, should have some level of MDM or Endpoint Management deployed that allows: deletion of company data from that device and enforcement of company-defined baselines / policies.
- Maintain and review appropriate logs. Conduct continuous monitoring to identify anomalies and risks to your environment and Netflix content. Where feasible, implement a Security Information and Event Management (SIEM) system that will collect all system and application activity as well as user logs to automatically identify identity-based attacks or anomalous behavior, including the context of authentication attempts.
- Retain logs for all authentication and access to Netflix materials for the duration of any ongoing projects plus one year.
- Employ multi-factor authentication (MFA) and/or other industry-standard authentication measures for access to systems where content is accessed, stored, or processed. Any Internet-facing tools, applications, or systems must use MFA.
- Establish and regularly review an authentication & authorization policy.
- Everything must be authenticated: users, services, applications, and systems. Authentication establishes who the participant is; each activity must then be checked against what that participant is authorized to do.
- User credentials must be unique to each individual and must never be shared. Group or shared accounts are not acceptable.
- SMS is not a recommended form of MFA.
- Establish an Identity Access Management (IAM) process to appropriately manage access to all information systems. It should include the following:
- a defined access control model, allowing for project, asset, and/or role segmentation,
- a “least-privilege” approach to only allow access to data that is required for an individual’s job duties,
- strict logical and/or physical separation between Netflix data, other customer data, and vendor’s own data,
- where feasible, integrate with Netflix SSO, and
- an identity lifecycle procedure to review users, roles, and permissions and to remove access when it is no longer necessary (including to Netflix tools and systems).
- Establish and implement a process to detect and correct cloud and system misconfigurations or vulnerabilities. Where feasible utilize scanning tools or other automated processes. When misconfigurations or vulnerabilities are discovered, investigate and remedy promptly.
- Understand what security you are relying on in the cloud platform you are using. Ensure that you will be notified in the event of a security vulnerability in those components.
- Always follow the cloud provider’s recommended practices for security.
- Use tools provided by your cloud provider or third-party tools to configure cloud security and avoid manual configuration.
- Establish policies and procedures for testing the security of the use of IaaS and PaaS systems.
- Implement mechanisms to monitor all SaaS activity to detect suspicious activity. This must include monitoring designed to detect the misuse of credentials.
- In a multi-cloud situation, use a unified security management solution. At minimum, a multi-cloud environment requires one single sign-on (SSO) and identity and access management (IAM) solution spanning all cloud components.
- Employ industry-standard safe coding practices (Secure Software Development Life Cycle - SSDLC) to avoid application security vulnerabilities. This should include secure code review for each build and update, ongoing scanning, and third party validation.
- Maintain application configuration guidelines for any in-house developed tools, applications, and systems. There should be policies for secure configurations, change management, testing procedures, etc. Annual third party assessments should be conducted of any Internet-facing applications.
- Maintain industry-standard perimeter protection and/or a zero trust architecture for your network. Externally accessible servers should be placed in a DMZ, a dedicated VLAN, or a public-subnet DMZ within a Virtual Private Cloud, not on the internal network. The network topology should be layered, not a single flat network.
- Isolate the content/production network and systems from non-production networks using physical or logical segmentation.
- Where possible, limit east-west traffic between devices.
- Limit all inbound and outbound internet connections from systems that store content. Networks and systems should be set to ‘deny all’ by default with explicit permission granted to services, applications, or sites that are required for business purposes.
- Internet access should be restricted and only allowed temporarily for specific business purposes.
- Deploy a stateful inspection firewall to separate external networks from internal ones. Establish a change management process to review access control lists, logs, and configuration changes.
- Deploy a web application firewall in front of Internet-facing applications and APIs.
- Management of the firewall should not be directly accessible via the Internet.
- Employ a process to implement network-based intrusion detection/prevention systems (IDS/IPS). System should alert and block suspicious activity, provide gateway anti-virus and URL filtering, maintain up-to-date attack signatures and definitions, and should log all relevant activity and configuration changes.
- A policy and process for remote access must be defined and should include: MFA, hardened VPN configurations, encrypted connections, timebound remote sessions, etc. Remote access should only be allowed for approved individuals for project and business specific purposes.
- Establish a policy and protocol for the use of WiFi and ensure the latest WiFi security protocols are being used. Corporate and guest networks should not have access to networks where content is stored.
- Ensure all content and business data is stored on encrypted storage devices (including but not limited to PCs, laptops, mobile devices, and removable media). Decryption keys should be stored and transmitted separately from the device (e.g. never on a Post-it note attached to it).
- Implement a process and protocol for identifying and applying, as soon as practicable, patches or other controls to systems and applications to address actual or potential security vulnerabilities.
- Implement a change management program to ensure data, applications, network, and system changes have been reviewed and approved. As part of this program ensure that:
- there is an inventory of systems, endpoints, components, software, and other relevant assets,
- changes are documented, identifying the affected systems and associated data, and
- appropriate back-up procedures are in place.
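The logging and monitoring requirement above asks for a SIEM that correlates authentication activity to identify identity-based attacks "including the context of authentication attempts". The following is an added example for this page, not Netflix's tooling and not part of the requirements text: a small Python detector that parses a constructed authentication log format and raises three alert types that such correlation typically targets: brute force against one account from one source, password spraying across many accounts from one source, and a successful login that follows a burst of failures (the context that turns a routine success into a likely compromise). The log line format, the thresholds, the usernames, and the IP addresses (RFC 5737 documentation ranges) are all assumptions chosen for the example.

```python
"""SIEM-style detection of identity-based attacks over authentication logs.

Added example for this page; not Netflix's tooling and not part of the
requirements. The log format, thresholds, usernames and IP addresses
(RFC 5737 documentation ranges) are constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Constructed line format: "<ISO timestamp> auth <success|failure> user=<u> ip=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=10)   # correlation window (assumed value)
BRUTE_FORCE_FAILURES = 5         # failures for one (ip, user) inside the window
SPRAY_DISTINCT_USERS = 5         # distinct users failed from one ip inside the window
SUCCESS_AFTER_FAILURES = 3       # recent failures that make a success suspicious


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    result: str
    user: str
    ip: str


@dataclass(frozen=True)
class Alert:
    kind: str
    ip: str
    user: Optional[str]   # None for alerts that concern a source, not an account
    ts: datetime
    detail: str


def parse_auth_log(lines: Iterable[str]) -> List[AuthEvent]:
    """Parse log lines into events, oldest first. Unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]),
                                    m["result"], m["user"], m["ip"]))
    return sorted(events, key=lambda e: e.ts)


def detect(events: List[AuthEvent], window: timedelta = WINDOW) -> List[Alert]:
    """Correlate attempts per (ip, user) and per ip within a sliding time window."""
    alerts: List[Alert] = []
    pair_failures = defaultdict(list)   # (ip, user) -> failure timestamps in window
    ip_failures = defaultdict(list)     # ip -> (timestamp, user) failures in window
    fired = set()                       # raise each brute-force/spray alert once

    for e in events:
        cutoff = e.ts - window
        key = (e.ip, e.user)
        if e.result == "failure":
            pf = pair_failures[key]
            pf.append(e.ts)
            pf[:] = [t for t in pf if t >= cutoff]          # drop failures outside window
            if len(pf) >= BRUTE_FORCE_FAILURES and ("brute_force",) + key not in fired:
                fired.add(("brute_force",) + key)
                alerts.append(Alert("brute_force", e.ip, e.user, e.ts,
                                    f"{len(pf)} failures within {window}"))

            ipf = ip_failures[e.ip]
            ipf.append((e.ts, e.user))
            ipf[:] = [(t, u) for t, u in ipf if t >= cutoff]
            users = {u for _, u in ipf}
            if len(users) >= SPRAY_DISTINCT_USERS and ("password_spray", e.ip) not in fired:
                fired.add(("password_spray", e.ip))
                alerts.append(Alert("password_spray", e.ip, None, e.ts,
                                    f"{len(users)} distinct users failed within {window}"))
        else:
            # A success is judged in the context of the failures that preceded it.
            recent = [t for t in pair_failures.get(key, []) if t >= cutoff]
            if len(recent) >= SUCCESS_AFTER_FAILURES:
                alerts.append(Alert("success_after_failures", e.ip, e.user, e.ts,
                                    f"success after {len(recent)} recent failures"))
    return alerts


# Constructed sample log: a brute force that succeeds, a benign typo, a spray,
# and one malformed line that the parser must skip.
SAMPLE_LOG = """\
2024-03-01T09:00:00 auth failure user=alice ip=203.0.113.7
2024-03-01T09:00:30 auth failure user=alice ip=203.0.113.7
2024-03-01T09:01:00 auth failure user=alice ip=203.0.113.7
2024-03-01T09:01:30 auth failure user=alice ip=203.0.113.7
2024-03-01T09:02:00 auth failure user=alice ip=203.0.113.7
2024-03-01T09:02:30 auth success user=alice ip=203.0.113.7
2024-03-01T09:05:00 auth failure user=bob ip=192.0.2.5
2024-03-01T09:05:20 auth success user=bob ip=192.0.2.5
2024-03-01T09:10:00 auth failure user=alice ip=198.51.100.9
2024-03-01T09:10:05 auth failure user=bob ip=198.51.100.9
2024-03-01T09:10:10 auth failure user=carol ip=198.51.100.9
2024-03-01T09:10:15 auth failure user=dave ip=198.51.100.9
2024-03-01T09:10:20 auth failure user=erin ip=198.51.100.9
this line is not an auth record
"""


def run_example() -> List[Alert]:
    return detect(parse_auth_log(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.ts.isoformat()} {a.kind:24s} ip={a.ip} user={a.user} {a.detail}")
```

On the sample data this raises three alerts: brute_force for alice from 203.0.113.7 at the fifth failure, success_after_failures for the login that follows it, and password_spray for 198.51.100.9 once five distinct accounts have failed. Bob's single failure followed by a success produces nothing, which is the point of evaluating a success against its recent history rather than alerting on every failure. The same pattern extends naturally to other context the requirement mentions, such as the source network or device posture of an attempt.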
Physical Security Management
- Ensure there is a reasonable approach to securing your physical location and areas where non-public data is stored (e.g. machine rooms, playback rooms, etc.). This should include implementing electronic access controls, CCTV, alarm systems, environmental controls, etc. There should be logs and evidence retained and reviewed, and these systems and the facilities should be reviewed regularly and updates should be made to address any vulnerabilities or irregularities.
- Limit access to your facilities to individuals with a business purpose and revoke access privileges when they are no longer required.
- Establish a visitor management process which should include: signing in visitors and providing them identification, having visitors sign an NDA, and restricting visitors from areas where non-public data is.
Translations