Who are the CDSA App & Cloud Qualified Assessors?
Qualified Assessors undergo a strict review and approval process as to their expertise in evaluating against the CDSA A&C Security Framework. Anyone needing a qualifying assessment will use the CDSA A&C online platform to fill out some initial information, chose an assessor, and engage on the assessment.
How are Qualified Assessors accredited?
Qualified Assessors of the CDSA App & Cloud Assessment Program go through a careful screening of their credentials and experience in the industry auditing information security and entertainment assets. There is also a technical test and vetting process for the assessor to gain the accreditation.
How do I become a TPN Qualified Assessor?
The CDSA reviews the need to add Qualified Assessors every quarter. For more details about the qualifications and process to become a Qualified Assessor, submit your information via the CDSA App & Cloud website.
What is the CDSA App & Cloud?
CDSA App & Cloud Assessment Program is a comprehensive security program that includes the Digital Tools and Infrastructure to the ability to manage risk against best practices and a Security Framework. It recognizes that content workflows have now become increasingly virtualized, application and cloud based, that security aspects and associated threats are increasing and dynamic, and is impacting the entire Media & Entertainment industry (not just the major film studios).
How does the CDSA App & Cloud Assessment Program address escalating content security threats?
One of the principles of CDSA App & Cloud is that the threats to the M&E Industry are constantly evolving, and is designed to reflect that dynamic nature. We are integrated with the M&E ISAC (the US Government/Private link for dissemination of real-time threat data), and will be linking that threat information with the key systems, tools, and workflows of our industry so that we can have immediate understanding of the changing risk profile, and associated mitigation responses.
Are there any precedents for such a program?
Yes, although this is the second such integrated threat/risk system for the Media and Entertainment, other industries (Finance, Healthcare, IT) have similar such initiatives that have raised the levels of effectiveness and efficiency of their overall industry security.
What is the relationship to the TPN content protection program?
Although CDSA App and Cloud and TPN are both working to improve content security throughout the industry, the two initiatives are independent and not related.
Will content owners still be conducting their own assessments?
One of the primary objectives of the CDSA App & Cloud Assessment Program is to establish a clear and broad set of security elements that would satisfy all or the vast majority of content owner requirements…and why these content owners have been so involved in its creation. Content owners would like to dramatically reduce the level of independent assessments they are doing, as would the partners being assessed…and get to a single assessment approach that satisfies most if not all of the key risk areas.
What are the benefits for vendors in the CDSA App & Cloud Assessment Program?
The CDSA App & Cloud program provides a number of benefits to vendors, including:
- Promote their high security/low risk to the industry and their customers
- One assessment that should satisfy the majority of content owner requirements
- Understanding of the risks and real-time threats against operations they have
What are the benefits for content owners in the CDSA App & Cloud Assessment Program?
The CDSA App & Cloud program provides a number of benefits to content owners, including:
- Clear understanding of static and dynamic risks across their entire end-2-end supply chains
- Comprehensive and clear set of security rules and guidelines – and associated assessments – for the entire industry. Promote their high security/low risk to the industry and their customers
- Reduced need for that content owner to maintain independent assessment programs.
- Make it easy for their internal stakeholders to understand the risks in their workflow and vendor choices
Who pays for the CDSA App & Cloud assessments?
Assessment fees are underwritten by the vendor, app developer, or cloud provider in order to determine their level of security risk mitigation against the CDSA A&C security framework. This single industry-wide assessment will provide a foundation for their M&E customers to understand their risk profile, their status in any remediation work, and configuration guidelines in how to implement and use their product or services securely.
How much does a CDSA A&C assessment cost?
The cost of an assessment is negotiated, on a case-by-case basis, between the CDSA A&C Qualified Assessor Company and the vendor/provider making the assessment request. The CDSA has no control of the pricing models of individual assessors and/or their firms but is open for feedback as to what would help make the program better, including any concerns with their Qualified Assessor Companies.
How frequent are the CDSA A&C assessments?
Due to the dynamic nature of the security landscape and the ongoing development and refinement of security controls, CDSA A&C assessments renew annually. We also have dynamic risk/threat data that can help us understand if there are new threats against an existing and assessed facility/app/cloud solution.
Does the CDSA App & Cloud Assessment Program substitute for ISO or other standards bodies?
The CDSA A&C assessment and credential is designed to be the benchmark for the Media & Entertainment industry’s handling of content across all phases of the supply chain, including all of the application, cloud, and other infrastructure and tools that are a core part of creation and distribution. In developing our Security Framework, we leverage other standards such as ISO. If you have completed an ISO or other standard industry audit, the CDSA A&C will accept those audits and focus on the specific areas areas not covered by those other assessments.
How does a vendor get their information published in the CDSA App & Cloud Assessment Program directory?
Once enrolled in the CDSA A&C Program, the vendor/app/cloud provider will have their company information, along with any authorized supporting assessment materials, published in the vendor roster. In the future, CDSA A&C will also provide a top-level sense of risk on its Risk Dashboard.
When does this all happen?
The CDSA App & Cloud Assessment Program initially launched on July 1st, 2021 and will be adding capabilities each quarter. In addition, there is a beta program where new features are fine-tuned before formal production release. If interested, click here https://appsec.cdsaonline.org/vendor-assessment-request-form/ to request an assessment.
Where can I find out more?
Contact CDSA for more information at [email protected]