MPA & Studio Security

Best Practice

Establish a formal incident response plan that describes actions to be taken when a security incident is detected and reported.

AWS Implementation

AWS has implemented a formal, documented incident response policy and program. The policy addresses purpose, scope, roles, responsibilities, and management commitment.

AWS utilizes a three-phased approach to manage incidents:

1. Activation and Notification Phase: Incidents for AWS begin with the detection of an event. This can come from several sources, such as:

• Metrics and alarms - AWS maintains an exceptional situational awareness capability, most issues are rapidly detected from 24x7x365 monitoring and alarming of real time metrics and service dashboards. The majority of incidents are detected in this manner. AWS utilizes early indicator alarms to proactively identify issues that may ultimately impact Customers.

• Trouble ticket entered by an AWS employee.

• Calls to the 24x7x365 technical support hotline.

If the event meets incident criteria, then the relevant on-call support engineer will start an engagement using AWS' event management tools to start the engagement and page relevant program resolvers. The resolvers will perform an analysis of the incident to determine if additional resolvers should be engaged and to determine the approximate root cause.

2. Recovery Phase - the relevant resolvers will perform break fix to address the incident. Once troubleshooting, break fix and affected components are addressed, the call leader will assign next steps in terms of follow-up documentation and follow-up actions and end the call engagement.

3. Reconstitution Phase - Once the relevant fix activities are complete the call leader will declare that the recovery phase is complete. Post mortem and deep root cause analysis of the incident will be assigned to the relevant team. The results of the post mortem will be reviewed by relevant senior management and relevant actions such as design changes etc. will be captured in a Correction of Errors (COE) document and tracked to completion.

In addition to the internal communication mechanisms detailed above, AWS has also implemented various methods of external communication to support its customer base and community. Mechanisms are in place to allow the customer support team to be notified of operational issues that impact the customer experience. A "Service Health Dashboard" is available and maintained by the customer support team to alert customers to any issues that may be of broad impact.

AWS incident management program reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

Workflow documentation of Content (data) is the responsibility of AWS Customers as Customers retain ownership and control of their own guest operating systems, software, applications and data.

Best Practice

Develop a formal security risk assessment process focused on content workflows and sensitive assets in order to identify and prioritize risks of content theft and leakage that are relevant to the facility.

AWS Implementation

AWS has implemented a formal, documented risk assessment policy that is updated and reviewed at least annually. This policy addresses purpose, scope, roles, responsibilities, and management commitment.

In alignment with this policy, an annual risk assessment which covers all AWS regions and businesses is conducted by the AWS Compliance team and reviewed by AWS Senior Management. This is in addition to the Certification, attestation and reports that are conducted by independent auditors. The purpose of the risk assessment is to identify threats and vulnerabilities of AWS, to assign the threats and vulnerabilities a risk rating, to formally document the assessment, and to create a risk treatment plan for addressing issues. Risk assessment results are reviewed by the AWS Senior Management on a regular basis, including when a significant change warrants a new risk assessment prior to the annual risk assessment.

Customers retain ownership of their data (content) and are responsible for assessing and managing risk associated with the workflows of their data to meet their compliance needs.

The AWS Risk Management framework is reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

Best Practice

Ensure executive management/owner(s) oversight of the Information Security function by requiring periodic review of the information security program and risk assessment results.

AWS Implementation

The Control environment at Amazon begins at the highest level of the Company. Executive and senior leadership play important roles in establishing the Company's tone and core values. AWS has established an information security framework and policies based on the System & Organization Control (SOC) framework and have effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, the PCI DSS v3.2 and the National Institute of Standards and Technology (NIST) Publication 800-53 Rev 3 (Recommended Security Controls for Federal Information Systems). AWS employee’s complete periodic role based training which includes AWS Security training. Compliance audits are performed so that employees understand and follow the established policies.

Best Practice

Prohibit Internet access on systems (desktops/ servers) that process or store digital content.

AWS Implementation

Boundary protection devices that employ rule sets, access control lists (ACL), and configurations enforce the flow of information between network fabrics. These devices are configured in deny-all mode, requiring an approved firewall set to allow for connectivity. Refer to DS-2.0 for additional information on Management of AWS Network Firewalls.

There is no inherent e-mail capability on AWS Assets and port 25 is not utilized. A Customer (e.g. studio, processing facility etc.) can utilize a system to host e-mail capabilities, however in that case it is the Customer's responsibility to employ the appropriate levels of spam and malware protection at e-mail entry and exit points and update spam and malware definitions when new releases are made available.

Amazon assets (e.g. laptops) are configured with anti-virus software that includes e-mail filtering and malware detection.

AWS Network Firewall management and Amazon's anti-virus program are reviewed by independent third-party auditors as a part of AWS ongoing compliance with SOC, PCI DSS, ISO 27001 and FedRAMP.

Best Practice

Identify security key point(s) of contact and formally define roles and responsibilities for content and asset protection.

AWS Implementation

AWS has an established information security organization managed by the AWS Security team and is led by the AWS Chief Information Security Officer (CISO). AWS maintains and provides security awareness training to all information system users supporting AWS. This annual security awareness training includes the following topics; The purpose for security and awareness training, The location of all AWS policies, AWS incident response procedures (including instructions on how to report internal and external security incidents).

Systems within AWS are extensively instrumented to monitor key operational and security metrics. Alarms are configured to automatically notify operations and management personnel when early warning thresholds are crossed on key metrics. When a threshold is crossed, the AWS incident response process is initiated. The Amazon Incident Response team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operates 24x7x365 coverage to detect incidents and manage the impact to resolution.

AWS roles and responsibilities are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

Best Practice

Establish policies and procedures regarding asset and content security; policies should address the following topics, at a minimum:

• Human resources policies
• Acceptable use (e.g., social networking, Internet, phone, etc.)
• Asset classification
• Asset handling policies
• Digital recording devices (e.g., smart phones, digital cameras, camcorders)
• Exception policy (e.g., process to document policy deviations)
• Password controls (e.g., password minimum length, screensavers)
• Prohibition of client asset removal from the facility
• System change management
• Whistleblower policy
• Sanction policy (e.g., disciplinary policy)

AWS Implementation

AWS has established an information security framework and policies based on the System & Organization Control (SOC) framework and have effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, the PCI DSS v3.2 and the National Institute of Standards and Technology (NIST) Publication 800-53 Rev 3 (Recommended Security Controls for Federal Information Systems).

AWS maintains and provides security awareness training to all information system users supporting AWS. This annual security awareness training includes the following topics; The purpose for security and awareness training, The location of all AWS policies, AWS incident response procedures (including instructions on how to report internal and external security incidents).

AWS policies, procedures and relevant training programs are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

Best Practice

Perform background screening checks on all company personnel and third-party workers.

AWS Implementation

AWS conducts criminal background checks, as permitted by applicable law, as part of pre-employment screening practices for employees commensurate with the employee’s position and level of access to AWS facilities.

AWS background check program is reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

Best Practice

Log and review electronic access to restricted areas for suspicious events.

AWS Implementation

Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means.

All entrances to AWS data centers, including the main entrance, the loading dock, and any roof doors/hatches, are secured with intrusion detection devices that sound alarms and create an alarm in AWS centralized physical security monitoring too if a door is forced open or held open.

In addition to electronic mechanisms, AWS data centers utilize trained security guards 24x7, who are stationed in and around the building. All alarms are investigated by a security guard with root cause documented for all incidents. All alarms are set to auto-escalate if response does not occur within SLA time.

Physical access points to server locations are recorded by closed circuit television camera (CCTV) as defined in the AWS Data Center Physical Security Policy. Images are retained for 90 days, unless limited to 30 days by legal or contractual obligations.

AWS Physical Security Mechanisms are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

Best Practice

Implement a content asset management system to provide detailed tracking of physical assets (i.e., client and newly created).

AWS Implementation

Content Asset Management is owned, implemented and operated by AWS Customers. It is the responsibility of Customers to implement inventory tracking of their physical assets.

For AWS Data Center Environments, all new information system components, which include, but are not limited to, servers, racks, network devices, hard drives, system hardware components, and building materials that are shipped to and received by data centers require prior authorization by and notification to the Data Center Manager. Items are delivered to the loading dock of each AWS Data Center and are inspected for any damages or tampering with the packaging and signed for by a full-time employee of AWS. Upon shipment arrival, items are scanned and captured within the AWS Asset management system and device inventory tracking system.

Once items are received, they are placed in an equipment storage room within the data center that requires the swipe badge and PIN combination for access until they are installed on the data center floor. Prior to exiting the data center, items are scanned, tracked, and sanitized before authorization to leave the data center.

AWS Asset Management processes and procedures are reviewed by independent external auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance.

Aside from the MPA, most Content Studios (such as Disney/Marvel) have their own set of security requirements and require service providers and value-added services to have their cloud-based or on-premises environment audited by third-party auditor(s). A good example is Cloud-based burst rendering of VFX/Animation content for pre-released titles.

AWS has worked with a third-party auditor to have the AWS platform assessed for VFX/Animation rendering environment. The third-party auditor has also composed a template document of security best practices involving AWS security controls based on major Studio requirements. This document can be leveraged for creating a Studio approved VFX/Animation rendering environment on AWS.

Pre-Released Studios Media/Asset Management Hardening Guide and Studio Security Controls for VFX/Rendering are available on AWS Artifact.

Best Practice

Require all company personnel and third-party workers to sign a confidentiality agreement (e.g., non-disclosure) upon hire and annually thereafter, that includes requirements for handling and protecting content.

AWS Implementation

Amazon Legal Counsel manages and periodically revises the Amazon Non-Disclosure Agreement (NDA) to reflect AWS business needs.

AWS usage of Non-Disclosure Agreements (NDA) is reviewed by independent external auditors during audits for our ISO 27001 and FedRAMP compliance.