Our content security expectations provide fundamental guidance for our production partners to safeguard content they are working on. This guidance is meant to be straightforward and practical so as to not over-complicate or burden the creative process. For additional context or if there are questions, contact Bryan Esparza.
- Need to Know - Early access to our creative content is a privilege and may be granted on a “Need to Know” basis. People who do not need to view or handle our content should not be given this privilege.
- Non-Disclosure - Persons with access to content should sign a non-disclosure agreement. Persons with access to content are responsible for protecting it.
- Social Media - Social media and public sharing are so ubiquitous that we may forget some things are meant to be kept private. We need to be mindful that our projects are to be treated as private and confidential.
- Device Security - Devices storing and handling content must be kept secure. Where feasible, users should consider using hardened devices, like Chromebooks. Device security guidance can be found here. The following items should be in place, at a minimum:
  - Up-to-date software - Software, including the operating system, must be kept up to date. It is best to enable automatic updates. A list of acceptable operating system versions can be found here.
  - Encryption - Devices must be encrypted. Macs should enable FileVault and Windows systems should turn on BitLocker. External hard drives (e.g. shuttle drives, USB sticks) should be hardware encrypted.
  - Strong Authentication - Complex, lengthy passwords/passphrases and/or other Netflix-recommended authentication methods (e.g. two-factor authentication) must be used on all systems and applications. Securely maintain these passwords and other authentication methods and do not share them with others. Consider a password manager.
- Secure Network - Production networks should be kept secure to prevent unwanted and unauthorized access to content and other sensitive information. The most effective method is to disable Internet access where and when it is not needed.
- Physical Security - An appropriate level of physical security must be maintained to minimize the likelihood of theft. This includes not leaving content or sensitive materials in unsecured places, using safes or locking cabinets to store assets, locking doors, using alarms and CCTV, etc.
- Secure Delivery & Transfer - All movement of content, physical or digital, must be conducted via a secure method.
  - Physical Deliveries should travel via a trusted employee or a secure courier/freight company.
  - Digital Transfers must be done via a secure platform that is Content Security approved (e.g. PIX, Aspera, Content Hub). Tools that are not approved include Dropbox, WeTransfer, etc. If you need to have a tool reviewed, contact Studio Content Security (SCS).
- Asset Management - Records of persons and organizations with access to content should be maintained.
- Watermarking - All turnover materials should have personally identifiable watermarks/burn-ins.
- Content Deletion - When content is no longer needed it must be securely destroyed.
- Third Parties - When engaging a third party to handle pre-release content, SCS should be contacted to determine if an assessment needs to be conducted. We expect our third parties to adhere to a minimum set of requirements.
- Incidents - Any incident where content may be exposed must be brought to the attention of Studio Security and Content Protection. Email us at Content-Leak@Netflix.com
Remember: when in doubt - give us a shout - SCS@Netflix.com