Netflix Minimum Content Security Recommendations
These are our minimum recommendations for a basic security program. Your organization likely needs a more comprehensive program that includes the controls below but also adds others to fully address the reasonable risks specific to your organization.
- Details of where the facility is located, the size and type of building and the local area.
- Maintain and provide a list of active clients.
- All employees (full time, contractors and freelance workers) have signed an NDA.
- A count of the employees and contractors engaged by the vendor, indicating how many of them will handle Netflix content.
- Documented policies or guidance around employee responsibilities, secure content handling, personal device usage, social media, business resiliency, breach notification/incident response, etc.
- Contact details of the person responsible for content security at the vendor.
- Details of any ongoing security vulnerability management program.
- Copies of previous audits (MPAA, CDSA, content creators/studios, etc.), including the date of evaluation and a copy of each report.
- Copies of reports from penetration tests carried out at the facility (including who performed the tests).
- Secure all external entry and exit points to your facility.
- All visitors must be logged, identified, and be escorted while in the facility.
- CCTV is installed covering all entrances and exits plus secure areas (e.g., server room); footage must be usable and retained for a minimum of 60 days or the period required by local law.
- Electronic access control is installed in sensitive areas; provide the number of employees with access and confirm that access logs are retained for 12 months.
- A facility alarm is installed and unique codes are used for each code holder.
- A secure storage area is available for any designated sensitive physical material.
- Provide details of the network configuration and the number of systems and users that can access pre-release material. Provide diagrams as supporting evidence.
- Conduct vulnerability scans and address any identified vulnerabilities regularly.
- Host-based firewalls are enabled, and stateful inspection firewalls are used on the network.
- Wireless networks that have access to the content-handling network must use strong encryption and authentication.
- Every computer user has their own unique account with strong passphrases and multi-factor authentication, where possible.
- Systems run one of the two most recent available versions of their commercial operating system and are configured to auto-update security patches. Further, the vendor should check quarterly to verify that security patches are being applied.
- A screen saver is set up to appear after 15 minutes of inactivity and requires re-authentication to unlock.
- Multifactor authentication is used on all systems that handle content.
- External hard drives, thumb drives and laptops have full disk encryption.
- Remote access to content-handling networks is restricted and tightly controlled. To the extent that remote access is allowed, it must be done over encrypted VPN and use multi-factor authentication.
- Restrict internet access on workstations or servers (systems) holding Netflix content.
- Mass storage (removable media) read/write access is restricted on all ports of systems with access to pre-release materials.
- Only use Netflix approved methods of encrypted storage for physically storing and transmitting content.
- Any transfers of Netflix content may only occur over approved encrypted file transfer platforms, such as Aspera. Netflix must approve any other methods of file transfer.
- No files are to be shared or stored on cloud-based or open/public networks or platforms without prior approval.
- Securely delete content upon project/task completion or at the request of Netflix.
What to do in the event of an incident?
- Notify Netflix’s vendor security team at firstname.lastname@example.org immediately on discovery of any breach of security, suspected content theft, or other security incident that might impact Netflix’s content.
- Permit Netflix, or its designated third party, to audit on receipt of reasonable written notice or in the event of an incident.