Netflix Minimum Content Security Recommendations
These are our minimum recommendations for managing your content security program. They are only a baseline, and it is likely that your organization follows supplemental best practices and institutes additional controls. We encourage you to take a risk-based approach to content security, ensuring that your specific risks are addressed by your security framework. We will work with you to ensure that any additional Netflix security requests are based on project-specific needs.
- Appoint an individual or group responsible for managing content security at your facility.
- Maintain details of your facility (e.g. floor plans, number of project spaces, vault/secure storage, etc.). Include whether the facility is co-located with other tenants and how spaces are kept private and separate.
- Maintain details of previous assessments (TPN assessments, or those by content creators, studios, etc.), including the date of evaluation and any reports. Additionally, track any ongoing remediation items and security upgrades.
- Establish documented policies or guidance around employee responsibilities, social media use, secure content handling, personal device usage, restricting photos/videos in sensitive areas, business resiliency, etc.
- Train employees on security policies and guidance.
- Ensure all employees (full time, contractors, and freelance workers) who handle content or are aware of client projects have signed an NDA.
- Keep a list of employees, contractors, and freelance workers who work on client projects, and identify those handling Netflix content.
- Document a breach/incident response plan that clearly outlines how to notify Netflix’s vendor security team (firstname.lastname@example.org) immediately upon discovery of any breach of security, suspected content theft or other security incident that might impact Netflix’s content.
- Secure all external entry and exit points to your facility.
- Install a facility alarm (fire, burglar, etc.) and issue a unique code to each user.
- Identify, log, and escort all visitors in the facility.
- Implement a CCTV system that covers all entries, exits, and secure areas (e.g., project rooms, machine/server rooms).
- Ensure CCTV footage is usable and securely stored for at least 30 days, or for the retention period required by local law.
- Secure sensitive areas (e.g., project rooms, machine/server room, vault/secure storage, etc.) with access controls (an electronic system is preferred), and retain records of employee access and access logs for at least 12 months.
- Store sensitive physical assets (e.g. external hard drives, scripts) securely in a lockable container (e.g. safe, cage, vault).
- Maintain details of the network configuration and the number of systems that can access pre-release material. Diagram this information as supporting evidence.
- Conduct quarterly network vulnerability scans and address any identified vulnerabilities promptly.
- Conduct annual penetration tests to evaluate the security of your digital environment; maintain copies and details of the reports (e.g. who performed the test, remediation items, etc.).
- Segment, either logically or physically, the production (content-handling) network from all other networks (e.g., corporate).
- Use strong encryption and authentication on wireless networks that have access to the content-handling network.
- Enable host-based firewalls on all end-points, and ensure stateful inspection firewalls are used on the network.
- Control and limit remote access to the content-handling network. To the extent that remote access is allowed, it must be over an encrypted VPN and use multi-factor authentication.
- Provide every user with a unique user account that authenticates to the production tools using a strong passphrase and/or multi-factor authentication. Default accounts and credentials must be changed (e.g. Admin/Admin or Admin1/Password1234).
- Implement or develop a strategy for multi-factor authentication on all systems that handle content.
- Enable account lockouts and automatic, password-protected screen locks on systems that handle content.
- Ensure systems are running one of the last two available versions of their commercial operating system and are configured to auto-update for security patches. Verify quarterly that security patches are actually being applied.
- Enable full disk encryption on all production workstations.
- Control removable mass-storage read/write access (e.g. USB drives) on all ports of systems with access to pre-release materials.
- Restrict internet access on workstations or servers (systems) holding Netflix content; allowlist only those public sites needed to conduct work.
- Establish a dedicated machine for the ingest and output of content.
- Conduct transfers of Netflix content over approved encrypted file transfer platforms, such as Aspera, Backlot, ContentHub. Netflix must approve any other methods of file transfer.
- Use hardware-encrypted drives when physically delivering content or storing it outside a secure production network.
- Prohibit file sharing and storage on cloud-based or open/public networks or platforms without prior approval.
- Securely delete content upon project/task completion or at the request of Netflix.
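The host-based firewall and restricted-internet-access items above (and, in part, the segmentation and remote-access items) describe a control without showing what it looks like on a machine. The following nftables ruleset is an added illustration for a Linux content-handling workstation; it is not part of Netflix's recommendations and not Netflix's own configuration. It drops inbound connections by default, allows outbound traffic only to an explicit allowlist, and logs everything it drops so the quarterly review has evidence. The addresses (10.20.0.0/24 production network, 10.20.0.2 resolver/time source, 10.20.0.5 jump host, 192.0.2.10 transfer endpoint), the table name and the transfer port 33001 are placeholders chosen for this example.

```nftables
#!/usr/sbin/nft -f
# Added example, not Netflix's own configuration: host firewall for a
# Linux content-handling workstation. Default-deny in both directions,
# with an explicit egress allowlist. All addresses are placeholders.

flush ruleset

table inet content_ws {
    # Hypothetical allowlisted destinations: the facility's production
    # subnet and one approved external file-transfer endpoint.
    set egress_allow_v4 {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/24, 192.0.2.10 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP is needed for path MTU discovery and basic diagnostics
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # Management SSH only from the production-network jump host
        ip saddr 10.20.0.5 tcp dport 22 accept
        # Everything else is logged and dropped (evidence for review)
        log prefix "content_ws input drop: " counter drop
    }

    chain forward {
        # A workstation never routes traffic between networks
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # DNS and NTP only to the facility's own resolver / time source,
        # never to arbitrary public servers
        ip daddr 10.20.0.2 udp dport { 53, 123 } accept
        ip daddr 10.20.0.2 tcp dport 53 accept
        # Allowlisted destinations: HTTPS plus the port the approved
        # transfer tool uses (33001 is a placeholder here)
        ip daddr @egress_allow_v4 tcp dport { 443, 33001 } accept
        ip daddr @egress_allow_v4 udp dport 33001 accept
        # Any other egress, including all IPv6, is logged and dropped
        log prefix "content_ws egress drop: " counter drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the `counter` on each drop rule shows whether anything is still trying to leave the box. One caveat a practitioner will hit immediately: allowlisting "public sites" by IP address is brittle, because sites behind CDNs change addresses. A more robust way to meet the same item is to point workstations at a forward proxy that enforces a domain allowlist, and to have the host firewall permit outbound HTTP/HTTPS only to that proxy.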