Important Updates to MPA Best Practices You Don’t Want To Miss
By Michael Wiley, CISSP, Director of Cybersecurity Services, Richey May Technology Solutions –
While we’re still waiting on the MPA Content Security and MPA Member Companies to formalize the App & Cloud best practices, experienced assessors such as Richey May Technology Solutions can use the updated MPA Content Security Best Practices Common Guidelines to assess cloud native workflows in Microsoft Azure, Google’s Cloud Platform (GCP), and Amazon Web Services (AWS). In future posts, we will discuss how we help cloud native vendors handle their TPN Assessments with ease.
One of the most noticeable updates to the MPA Content Security Best Practices Common Guidelines is the re-branding from MPAA to MPA. The re-branding change has little impact on the actual assessment, however all documents have been updated with the new logo and name.
A noticeable theme change in the MPA Content Security Best Practices Common Guidelines relates to adoption of IP based security cameras. References to “CCTV systems” (e.g. MS-6.0) has been changed to “surveillance camera systems.” Again in PS-9.0, we see language change in the guidelines referencing analog CCTV or IP cameras as acceptable compared to the older wording around just analog CCTV systems.
In PS-9.2, additional restrictions around access to NVRs/DVRs was added to require:
- Restricting administrative access to the NVR/DVR from LAN only
- Enabling Multi-Factor Authentication (MFA) for access to the NVR/DVR when possible
- Camera footage to be stored locally unless client approves of cloud storage
- Disallowing access to the NVR/DVR from the content network
Two requirements were added/moved to MS-11.1 (Confidentiality Agreements):
- Mandating documenting/storing a history of terminated personnel for five (5) years at a minimum
- A formal reminder department personnel of their ongoing confidential and non-disclosure responsibilities.
The most substantial change MPA Content Security Best Practices Common Guidelines is one those of us in the M&E cybersecurity field have all been waiting for. The password policy requirements in DS-8.1 have finally been updated to align closer to NIST 800-63 and provide options for vendors to select.
An important point to keep in mind is that the new password requirements also impact password policies for any client portals. In DS-15.1, password requirements for client portals was removed and it now references best practices in DS-8.1. This means that not just local systems, but all applications, portals, etc. need to be updated to comply with the most recent password policies in DS-8.1.
Finally, the MPA Content Security Best Practices Common Guidelines made updates to the definition of Penetration Tests.
“Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability (source: NIST SP800-115). Note: A vulnerability scan alone does not always suffice as a penetration test.”
If you have any questions about these changes, contact us!
(For a side-by-side comparison of what’s new in the Content Security Best Practices Common Guidelines, click here).
Michael Wylie, prior to joining Richey May co-founded Corporate Blue, an information systems and security consulting firm that served clients in their pursuit of mitigating cyber threats. In his role, Wylie delivered information assurance by means of vulnerability assessments, risk management, project management, secure network design and training. He has developed and taught numerous courses for the Department of Defense, Moorpark College, California State Universities, and clients around the world. [email protected], @RicheyMayTech