Welcome to the Netflix Partner Help Center. Have a question or need help with an issue? Send us a ticket and we'll help you to a resolution.

Content Security - Introduction & Cheat Sheet

Studio & Corporate Security (SCS) works with productions and partners to raise security awareness and provide guidance and solutions to manage risk. 

 

These guidelines are meant to provide production crews with a general understanding of how we approach security. We will provide you the context you need to make good decisions about implementing security best practices. We're available as a resource for you. Please reach out when you have questions regarding content security.

 

Contact Information

For all inquiries reach out to - SCS@netflix.com

 

Introduction, Overview, Approach

SCS takes a pragmatic approach to managing risk and follows these guiding principles:

  • We use guidance and technology to enhance production while effectively managing risk.
  • We provide solutions that integrate security into existing tools, workflows, systems, and constructs.
  • We make our decisions transparent.
  • We understand that some productions are inherently more confidential than others, and we provide support in keeping with the production's security tier.

 

Incident Reporting

We take a thoughtful approach to incidents at Netflix. When a security incident occurs, we want to address the issue, understand the root cause, and learn from it to educate others on how to avoid a recurrence. If you believe there has been an incident, contact your Netflix Production lead and also copy the SCS team (SCS@netflix.com)

 

Security Cheat Sheet

These are the basics of content security. Please take some time to familiarize yourself with these ideas.

  • Need to Know - Access to our data is a privilege and should only be granted on a “need to know” basis. People who don’t need to view or handle our data shouldn’t be given this privilege. 
    • Nondisclosure - Persons with access to content should sign a nondisclosure agreement. Persons with access to content are responsible to protect it. 
    • Social Media - Social media and public sharing are so ubiquitous that it’s easy to forget that some things are meant to be kept private. It’s important to remember that our projects are to be treated as private and confidential.
  • System Access - Access should be granted based on a user’s specific need. Where possible, users should be onboarded using Netflix created accounts. 
  • Device Security - Devices storing and handling data must be kept secure. At a minimum, the following practices should be in place: 
    • Software - Software, including the operating system, must be kept up to date. It’s best to enable automatic updates. Current operating system versions can be found here for Mac and here for Windows. We understand that some creative software can't be updated due to stability concerns. Please reach out if you have questions about this.
    • Encryption - Devices must be encrypted. Macs should enable FileVault, and Windows systems should turn on BitLocker. External hard drives (shuttle drives, USB sticks, etc.) should be hardware encrypted.
    • Passwords - Lengthy passwords/passphrases and/or other Netflix-recommended authentication methods (e.g., two-factor authentication) must be used on all systems and applications. Securely maintain these passwords and other authentication methods and do not share them with others. Consider using a password manager such as 1Password or LastPass.
  • Network Security - Networks should be kept secure to prevent unwanted and unauthorized access to data and other sensitive information.
  • Physical Security - An appropriate level of physical security must be maintained to minimize the likelihood of theft. This includes not leaving data or sensitive materials unsecured, using safes or locking cabinets to store assets, locking doors, etc.
  • Secure Delivery and Transfer - All movement of data, physical or digital, must be conducted via a secure method.
    • Physical Deliveries should travel via a trusted employee or a secure courier/freight company. 
    • Digital Transfers must be done via a secure platform that is Netflix approved (e.g., Content Hub, PIX, Aspera). If you need to have a tool reviewed, please contact us.
  • Asset Tracking - Records of persons and organizations with access to data should be maintained. 
    • Watermarking - All turnover materials should have personally identifiable watermarks or burn-ins.
    • Data Deletion - When data is no longer needed, it must be destroyed, securely and permanently. Please be mindful of any contractual obligations before deleting data.
  • Third Parties - Before engaging a third party to handle data, please notify SCS, so we can determine if an assessment is needed.
  • Incidents - Any incident where data may be exposed must immediately be brought to the attention of Security. Please contact us

 

Content Security - General Guidance

Article last updated Mar 22, 2022

Below is our high-level security guidance. If you have questions, please reach out to us at: SCS@netflix.com

 

Confidentiality

Protecting the confidentiality of our projects is essential for data security. It's also key to creating memorable experiences for our members. Each of us is responsible for ensuring that the data we handle (content, personal information, financial data, etc.) is protected. We expect all of our partners to maintain the highest level of confidentiality when working on our projects.

 

Documents

Ensure all production documents, including but not limited to, call sheets, scripts, employment forms and crew lists, are handled via Google Drive. Avoid printing hard copies of production documents. If hard copies are necessary, they should go only to individuals with a demonstrated business need. Make sure that hard copies are individually watermarked, collected, and securely destroyed.

 

Watermarking

We recommend watermarking any materials shared outside of production. Watermarking primarily serves as a deterrent from unauthorized sharing, but it also helps us track the origin of a leak. 

 

Follow these best practices:

  • Identify the end recipient(s) and/or company.
  • Place the watermark in a location where it is not easily cropped or/removed. Ideally, the watermark should extend across the center of the page. 
  • The text should be transparent; we recommend opacity levels between 20-40%.

 

Social Media Security Guidance

In order to orchestrate effective marketing campaigns, Netflix limits what information can be shared about projects in production. We ask the crew to refrain from taking photos on or near the set, and to hold off on posting production details (including locations and plot points) on social media. Please don't use any #hashtag that refers to the production or its cast, crew, and locations. Netflix fans search social media (such as Twitter, Facebook, Instagram and Reddit), piecing together clues about our shows, to try to uncover spoilers, secrets and surprises (and often to show up on set/location). Let's do our best to keep this from happening. For more details, see Social Media Security Guidance article in the Marketing & Publicity section of this manual.

 

Supply Chain Risk (Vendors)

It’s important that we know what systems and vendors are being used on our productions. Studio & Corporate Security (SCS) will conduct a security review of any vendor or system that is used to process, store or share sensitive data. Your Netflix Production Coordinators can tell you whether a system or a vendor has been reviewed. If the system or vendor you want to use hasn’t been reviewed, please contact us.

 

Device Security Recommendations

We all store sensitive data on our devices (computers, phones, tablets, etc.) and we’re all responsible for ensuring we’ve taken the right steps to protect this data. A few essential security best practices provide a very good level of protection, without slowing down the user. Consider implementing the following on your devices:

  • Use unique usernames and passwords.
    • Disable guest accounts on Mac.
  • Keep up to date via automatic system updates (Mac instructionsWindows is on by default). This goes for applications as well.
  • Use encryption (FileVault for Mac, BitLocker for Windows).
  • Disable remote connections. If you need remote connections, contact SCS@netflix.com
  • Enable the device firewall (Mac, Windows is on by default).
  • Disable automatic logins and enable screen lock (MacWindows).

 

When using hard drives to store or shuttle data, we recommend hardware-encrypted drives such as:

 

These drives work cross-platform and don't require any additional software installed by the end-user. Software encryption, such as FileVault or BitLocker is also acceptable; however, there will be overhead in setting up the drives. We prefer using encryption because if the drive is lost or stolen, the data will be inaccessible.

 

Mobile Device Management

The use of Google Apps on a mobile device with your prodicle.com email account requires the installation of a Mobile Device Management (MDM) profile. This profile ensures your device is in a secure state by applying certain settings, such as requiring a passcode, and verifies the operating system is unmodified. It also provides us the ability to remove Google Apps and related data. If you request it, we also have the capability to remotely wipe the device in case of loss or theft. Neither the profile nor the applied settings permit us to access any personal information (photos, contacts, call logs, text messages, social media, internet activity, etc.) or other data on the device.

 

Lost / Stolen Devices

Any lost or stolen device containing production data should be reported immediately to Netflix by submitting a ticket in the Partner Help Center or emailing support@netflixstudios.com. This includes personally owned devices, as well as those issued by Netflix or our production partners. 

 

Technologies

We prefer that our productions leverage our applications (i.e., Production Center or Content Hub) where possible. This allows us to provide a secure space where you can work on, store, and share the sensitive data that is created during production. While we don't restrict the use of third-party tools, we can't always ensure the security of these tools or provide technical support.

 

Asset Transfers

When sharing data, we encourage the use of our tools. We also recommend sharing data via a link and not an attachment (meaning the recipient will have to interact with the file in the system, rather than a downloaded version on their device). All large media file transfers should be done through an approved secure transfer platform (Aspera, Content Hub) or, if done physically, on encrypted hard drives.

 

System Security Recommendations

Access to systems should be based on a business need rather than granting broad access. We recommend using Netflix-provided solutions where possible. For new or unknown systems not provided by Netflix, we recommend reaching out to us for security recommendations or to perform a security review.

 

Account Security Guidance

Accounts are everywhere and are a key to productivity, whether it's an email account or a login to a production content application. Protecting accounts and the credentials used to access them is crucial. The following are our recommendations on how to protect both your work accounts and personal logins:

  • Use longer passphrases (4 lowercase words) or randomly generated passcodes. Chrome and other browsers offer this as a feature.
  • Use a unique passphrase/password for each site. Password reuse allows an attacker that has one credential to try it again on other sites.
  • Use a password manager. Apps like 1Password or LastPass can save hundreds of passphrases, all in one secure spot.
  • Use two-factor authentication (2FA) wherever possible. With 2FA, your account will be protected even if the password is compromised, unless the attacker also has your mobile device.
  • Don't share credentials with anyone else, including tech support. If you do have a need to share an account, please reach out to SCS@netflix.com first.
  • Be mindful of suspicious-looking emails. If you are unsure about the sender, don’t click on links in the email. To verify the authenticity of the email, reach out to the sender directly, rather than replying to the email you received. If you’d like additional help, reach out to us.

 

Physical Security Recommendations

We partner closely with the Risk and Intelligence and the Production Security teams to limit risk to productions. The guidance we provide is aimed to minimize the loss of sensitive data that could be lost or stolen. Ensure basic security precautions are taken, so that sensitive data in physical form (documents, hard drives, etc.) is not easily accessible, whether you are on location, in an office, in your personal vehicle, or anywhere else. Some basic guidance:

  • Lock up spaces that can be locked.
  • Don’t leave anything sensitive or valuable unattended.
  • Allow only authorized persons access to work areas (including sets and locations).
  • Where viable, consider security cameras or alarm systems.

 

For additional support or guidance, please contact our Production Security team at  studiosecurity@netflix.com.

Was this article helpful?
1 out of 1 found this helpful
Powered by Zendesk