In my 30 years working in IT I’ve seen MANY policies. In fact, it seems like we see a different policy for everything these days. In my previous corporate life, I’ve been through rigorous audits requiring an actual book of policies (more like a thick folder). Many of you might wonder why we need so many policies (I know I did). Why does a small studio with fewer than 10 employees need this? Is someone actually reading them? Where do I start? In this article I will attempt to answer these questions and go over some options and ideas you can apply to your organization. The obvious focus is on TPN, but similar (if not identical) policies are required by any major studio.
When it comes to compliance, policies are a critical component of any audit. From the auditor’s perspective, they are there to make sure you have set the right tone in the right areas for your company; that is, auditors want to confirm your company is following a standard of some kind. From the company’s perspective, you want to build guidelines that help you steer the ship in the right direction.
For a small studio with 10 to 15 computers this task seems daunting and unnecessary. However, if you think about putting your daily routines on paper and turning them into guidelines, you’ll experience the birth of what are called “policies”. Having said that, major studios want to ensure their content is safe, which means there are some rules to follow. If your daily routine includes a task that may put the content at risk, you may want to reconsider the task and revise how it is done. Once you do that and it becomes part of your new routine, it becomes the new guideline, and a policy can be created around it.
If you’ve ever been through any kind of audit (TPN, Disney, Apple, etc…), you will most likely be asked to provide specific policies for your business. There are literally dozens of them. However, there is no hard rule saying that one policy cannot cover several topics required by the audit. In other words, you could potentially have one policy cover 3 or 4 topics that are normally presented as 3 to 4 separate policies. Having said that, it is a lot simpler and more organized to keep them as 3 to 4 separate policies.
When auditors sift through these policies, they look for certain keywords to ensure the correct standards are being followed. For example, if a major studio wants to see a specific type of encryption used on a disk, the auditor may look for that specific encryption in the policy. Therefore, it is critical to know what the industry requirements are and to design your policies around them. Keep in mind that these new rules require changing the way you work. So if you now need to use a different type of encryption (or start using encryption at all), it is time to do so.
Creating these policies can be a long and tedious task. The good news is that there are many policies already out there, but you’ll need to spend time looking for them. Another option that may work is using AI to generate them. Keep in mind that even if you find, or generate, policies, you are still responsible for modifying them according to industry guidelines. The MPA has published its latest guidelines (Version 5.2), which include very specific requirements and best practices for the media and entertainment industry. This is a very detailed spreadsheet with everything you need to know. In some areas it calls for specific policies, but for most it simply states the “needs”, which in turn will have to be converted into a policy.
If you feel lost, you’re not alone. At Zalcore we have already gone through many audits and understand how it all works. If interested, we have prepared a list of the policies you’ll most likely need, mapped to the specific audit controls they correspond to. Contact us now for more details.