Studio & Corporate Security (SCS) works with productions and partners to raise security awareness and provide guidance and solutions to manage risk.
These guidelines are meant to provide production crews with a general understanding of how we approach security. We will provide you the context you need to make good decisions about implementing security best practices. We're available as a resource for you. Please reach out when you have questions regarding content security.
For all inquiries, reach out to SCS@netflix.com.
Introduction, Overview, Approach
SCS takes a pragmatic approach to managing risk and follows these guiding principles:
- We use guidance and technology to enhance production while effectively managing risk.
- We provide solutions that integrate security into existing tools, workflows, systems, and constructs.
- We make our decisions transparent.
- We understand that some productions are inherently more confidential than others, and we provide support in keeping with the production's security tier.
We take a thoughtful approach to incidents at Netflix. When a security incident occurs, we want to address the issue, understand the root cause, and learn from it to educate others on how to avoid a recurrence. If you believe there has been an incident, contact your Netflix Production lead and also copy the SCS team (SCS@netflix.com).
Security Cheat Sheet
These are the basics of content security. Please take some time to familiarize yourself with these ideas.
- Need to Know - Access to our data is a privilege and should only be granted on a “need to know” basis. People who don’t need to view or handle our data shouldn’t be given this privilege.
- Nondisclosure - Persons with access to content should sign a nondisclosure agreement. Persons with access to content are responsible for protecting it.
- Social Media - Social media and public sharing are so ubiquitous that it’s easy to forget that some things are meant to be kept private. It’s important to remember that our projects are to be treated as private and confidential.
- System Access - Access should be granted based on a user’s specific need. Where possible, users should be onboarded using Netflix-created accounts.
- Device Security - Devices storing and handling data must be kept secure. At a minimum, the following practices should be in place:
  - Software - Software, including the operating system, must be kept up to date. It’s best to enable automatic updates. Current operating system versions can be found here for Mac and here for Windows. We understand that some creative software can't be updated due to stability concerns. Please reach out if you have questions about this.
  - Encryption - Devices must be encrypted. Macs should enable FileVault, and Windows systems should turn on BitLocker. External hard drives (shuttle drives, USB sticks, etc.) should be hardware encrypted.
  - Passwords - Lengthy passwords/passphrases and/or other Netflix-recommended authentication methods (e.g., two-factor authentication) must be used on all systems and applications. Securely maintain these passwords and other authentication methods and do not share them with others. Consider using a password manager such as 1Password or LastPass.
- Network Security - Networks should be kept secure to prevent unwanted and unauthorized access to data and other sensitive information.
- Physical Security - An appropriate level of physical security must be maintained to minimize the likelihood of theft. This includes not leaving data or sensitive materials unsecured, using safes or locking cabinets to store assets, locking doors, etc.
- Secure Delivery and Transfer - All movement of data, physical or digital, must be conducted via a secure method.
  - Physical Deliveries should travel via a trusted employee or a secure courier/freight company.
  - Digital Transfers must be done via a secure platform that is Netflix-approved (e.g., Content Hub, PIX, Aspera). If you need to have a tool reviewed, please contact us.
- Asset Tracking - Records of persons and organizations with access to data should be maintained.
- Watermarking - All turnover materials should have personally identifiable watermarks or burn-ins.
- Data Deletion - When data is no longer needed, it must be destroyed, securely and permanently. Please be mindful of any contractual obligations before deleting data.
- Third Parties - Before engaging a third party to handle data, please notify SCS, so we can determine if an assessment is needed.
- Incidents - Any incident where data may be exposed must immediately be brought to the attention of Security. Please contact us.