If you work in media and entertainment (post-production, VFX, animation, or content distribution), you've probably encountered TPN. It's become a baseline expectation from major studios and streaming platforms when they're selecting production partners.
But the assessment process isn't always well understood, especially by the IT teams responsible for getting companies across the line. This guide covers what TPN actually involves, what the common failure points are, and how to approach preparation systematically.
What Is TPN?
The Trusted Partner Network (TPN) is an industry-wide content security programme managed by the Motion Picture Association (MPA). Its goal is to standardise how production companies, post-production facilities, and vendors protect content (particularly digital assets) from piracy, leaks, and unauthorised access.
TPN assessments measure compliance against the MPA Content Security Best Practices guidelines, which cover physical security, logical security, and operational practices.
There are two levels of TPN status:
- Gold Shield: the highest level. Requires an on-site assessment by an approved third-party assessor, plus satisfactory scores across all questionnaire categories
- Silver Shield: a self-assessed questionnaire with no on-site visit. Appropriate for lower-risk workflows
Most major studios and streamers now require Gold Shield for facilities handling unaired or unreleased content.
What Does the Assessment Cover?
The MPA guidelines are structured around several domains. At a high level, assessors will evaluate:
Physical security
- Access control to server rooms, edit suites, and screening rooms
- CCTV coverage and retention policies
- Visitor management procedures
- Clean desk policies and physical document handling
Logical security
- Network architecture: segmentation, firewall rules, access controls
- User account management and least-privilege principles
- Multi-factor authentication
- Endpoint protection and patch management
- Encryption at rest and in transit
- Logging, monitoring, and alerting
Operational security
- Incident response procedures
- Change management processes
- Third-party vendor risk management
- Staff security awareness training
- Watermarking and content tracking for deliverables
Data handling
- How content is received, stored, transferred, and deleted
- Cloud storage security configuration
- Secure file transfer tools and policies
Common Failure Points
Based on our experience supporting TPN assessments, the issues that most frequently require remediation before an assessment are:
- Insufficient network segmentation: production networks, internet-facing systems, and administrative systems sharing the same flat network
- No MFA on critical systems: particularly for remote access, cloud storage, and email
- Unmanaged endpoints: personal devices used for work without MDM enrolment or endpoint security
- Incomplete logging: no centralised log collection, or logs not retained for a sufficient period (MPA recommends 90 days minimum)
- Weak access control: shared accounts, excessive admin rights, no formal joiner/leaver process
- Undocumented procedures: assessors require written evidence of policies, not just verbal descriptions
- Outdated software: unpatched operating systems or end-of-life applications still in production use
- Unclear incident response: no documented procedure for what to do when a security event occurs
How to Approach Preparation
A TPN assessment is manageable with the right preparation. Here's the approach we recommend:
Step 1: Gap analysis
Start with an honest review of your current state against the MPA guidelines. Work through each domain and document what controls are in place, what's partially implemented, and what's missing. The MPA publishes the full Best Practices document publicly. Use it as your checklist.
Step 2: Prioritise remediation
Not everything can be fixed at once. Prioritise issues that are likely to result in a fail or a major finding. Network architecture changes and MFA deployments typically take the most time; tackle these first.
Step 3: Write your policies
Documentation is often the most underestimated part of TPN preparation. You need written policies for:
- Acceptable use
- Access control and user provisioning
- Incident response
- Patch management
- Data classification and handling
- Physical security
These don't need to be lengthy, but they do need to exist, be current, and be understood by staff.
Step 4: Train your team
Assessors will sometimes speak to staff directly. Security awareness training (even a short annual session) demonstrates that security is treated as an operational priority, not just an IT concern.
Step 5: Engage an assessor early
Approved TPN assessors can conduct a pre-assessment review before the formal assessment. This is strongly recommended. It surfaces issues you may have missed and gives you time to remediate before the scored assessment.
What Happens After Certification?
TPN Gold certification is valid for one year. You'll need to complete a renewal assessment annually to maintain your status. The MPA may update its guidelines between cycles, so monitoring for changes is important.
Your TPN listing will appear publicly in the MPA's vendor database, which clients use to verify your status before awarding work.
How We Can Help
We've supported multiple TPN assessments across post-production and media facilities. Our involvement typically covers:
- Gap analysis against the full MPA guidelines
- Network architecture review and remediation
- MFA deployment and access control hardening
- MDM rollout for endpoint management
- Log collection and SIEM configuration
- Policy documentation
- Staff security awareness training
- Coordination with the assessor throughout the process
If you're starting a TPN journey, or approaching a renewal, book a call with our team. We'll walk you through where you stand and what needs to happen before the assessment.