MPAA Content Security Program Content Security Best Practices Common Guidelines for Physical Security

Camio simplifies compliance with MPAA Content Security Program Content Security Best Practices (see more) by providing smart video monitoring and tamper-proof video history. In particular, Camio provides:

  1. encrypted, off-site, tamper-proof, redundantly-stored, 90-day video surveillance history;
  2. automated alerts and warnings for disconnected cameras;
  3. real-time video search for easy review;
  4. always-reliable timestamps;
  5. unlimited storage and logging;
  6. closed inbound network ports;
  7. static IP assignment (without reliance on DHCP);
  8. automatic annotation of video history with access control events.

The Physical Security guidelines simplified by Camio are highlighted in orange in the excerpts below.


PS-9.2 highlights:

Restrict physical and logical access to the CCTV console and to CCTV equipment (e.g., DVRs) to personnel responsible for administering/monitoring the system.

Place CCTV equipment in a secure access-controlled location (e.g., computer room, locked closet, cage) 


PS-9.3 highlights:

Ensure that camera footage includes an accurate date and time-stamp and retain CCTV surveillance footage and electronic access logs for at least 90 days, or the maximum time allowed by law, in a secure location.

• Ensure that accurate time-stamps are maintained on the recording equipment for digital camera footage

Review date and time stamp for accuracy at least weekly

• Consider storing logs in an access-controlled telecom closet or computer room

• Determine the typical amount of space required for one day of logging and ensure that the log size is large enough to hold records for at least 90 days, or the maximum retention period allowed by law

Consider retaining CCTV surveillance footage until the first production release date 


PS-9.4 highlights:

Designate an employee or group of employees to monitor surveillance footage during operating hours and immediately investigate detected security incidents.

Incorporate the incident response process for handling security incidents

Consider adding a surveillance monitor at the reception desk or in the IT office 

PS-10.0 highlights:

Log and review electronic access to restricted areas for suspicious events, at least weekly.

• Identify and document a set of events that are considered suspicious

• Consider the implementation of an automated reporting process that sends real-time alerts to the appropriate security personnel when suspicious electronic access activity is detected

• Retain logs for one year, at a minimum

• Log and review the following events:

  • Repeated failed access attempts
  • Unusual time-of-day access
  • Successive door access across multiple zones 


PS-15.4 highlights:

Implement a dedicated, secure area (e.g., security cage, secure room) for the storage of undelivered screeners that is locked, access-controlled, and monitored with surveillance cameras and/or security guards.

• Ensure that the screener storage area is completely enclosed, locked and monitored at all times

• Implement a process to review surveillance footage on a regular basis 


PS-17.5 highlights:

Document and retain a separate log for truck driver information.

• Maintain a log of all truck drivers and include the following information:

  • Name
  • License tags for the tractor and trailer
  • Affiliated company
  • Time and date of pick up
  • Content handled 

DS-1.0 highlights:

Separate external network(s)/WAN(s) from the internal network(s) by using inspection firewall(s) with Access Control Lists that prevent unauthorized access to any internal network and with the ability to keep up with upload and download traffic.

• Configure the WAN network to prohibit direct network access to the internal content/production network

• Configure the WAN network to prohibit direct network access to the internal content/production network

DS-1.2 highlights:

Deny all protocols by default and enable only specific permitted secure protocols to access the WAN and firewall.

 • Restrict all unencrypted communication protocols such as Telnet and FTP

Replace unencrypted protocols with encrypted versions

DS-1.11 highlights:

Implement a synchronized time service protocol (e.g., Network Time Protocol) to ensure all systems have a common time reference.

• Ensure systems have the correct and consistent time

• Ensure time data is protected

• Ensure time settings are received from industry-accepted time sources 

DS-3.0 highlights:

Isolate the content/production network from nonproduction networks (e.g., office network, DMZ, the internet etc.) by means of physical or logical network segmentation.

• Implement firewall rules to deny all inbound traffic by default and explicitly allow specific systems and ports that require inbound transmission from designated content delivery servers.

Assign static IP addresses by MAC address on switches

Disable DHCP on the content/production network 

Have more questions? Submit a request