Whether you distribute media locally or internationally, your rights management vendor’s organizational security matters. The software your company uses to manage rights or track royalties is only as secure as the company building or managing it.

In this post, we’ll discuss the benefits of organizational security controls and how they impact your rights management vendor. FilmTrack has a track record of implementing robust security processes—read on to learn how it all works.

Security Oversight: FilmTrack’s Internal Systems and Processes

Rights management applications typically collect and store confidential data from various clients, ranging from the small, local media distributor operating in a single state to larger global enterprise companies operating multi-site studios across Europe and North America. 

Vendors of these applications must keep them secure and eliminate as much cybersecurity risk as possible to rights and royalties data. At FilmTrack, we implement various internal systems and processes to protect our customers’ data from short- and long-term security risks.

So, what does this look like in practice?

Oversight From City National Bank (CNB)

FilmTrack’s parent company, City National Bank (CNB), oversees all aspects of organizational security to ensure FilmTrack continuously meets high industry standards and expectations.

Compliance with specific security standards is considered the gold standard, not just in the entertainment and media industry—but across enterprise digital companies. For instance, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is widely recognized for its robust security guidelines around processes like penetration testing. 

A penetration test helps a company evaluate the effectiveness of its cybersecurity systems. Think of it like an audit of security controls. If a rights management application has a messy security configuration, a penetration test can find this vulnerability (and many more) before it’s too late—and a cyberattack happens.

FilmTrack works with external partners to implement routine penetration testing of our rights management application, ensuring we meet internal and external security expectations.  

Mature Data Security Processes

Organizational security also depends on the maturity of a vendor’s data security posture throughout the year. In other words, your preferred rights management vendor should be capable of effectively managing cybersecurity risks. 

What does data security maturity look like?

Say a developer uses a company laptop to optimize the code for a rights management software application currently available for customer use, where customers can actively access and manage royalties and rights data. If this laptop is stolen, lost, or hacked, the customers' data could potentially be exposed to security risks. 

Here’s how FilmTrack circumvents such risks:

• Separation of environments

We separate the development environment (where software developers build or optimize code) from the production one (where the application goes live for customer use). As such, our developers do not work on code directly in the production environments. 

• Secure workspaces 

Our developers develop code within secured Amazon Web Services (AWS) WorkSpaces environments running on cloud servers—keeping their work virtual and secure the entire time they are building or fine-tuning rights management software. 

• Multi-factor authentication (MFA)

We implement MFA and virtual private networking (VPN) to secure access to AWS WorkSpaces as developers build software. These controls are also helpful when promptly revoking access to sensitive AWS environments after a colleague changes roles or leaves FilmTrack.

FilmTrack’s Organizational Security Features

At the organizational level, FilmTrack also implements the following security features:

SOC Reporting 

SOC reports—overseen by the American Institute of Certified Public Accountants (AICPA)—are crucial assessments that help service organizations like FilmTrack to assure customers and other key stakeholders that data security controls are actively implemented within the organization. 

SOC reporting isn’t a formal or legal requirement. However, SOC certification differentiates a service organization as more ethical, compliant, and secure. As a subsidiary of City National Bank, FilmTrack undergoes annual audits during which third-party auditors evaluate the effectiveness of our controls in protecting customers’ sensitive data. 

Although there are four types of SOC reports, FilmTrack participates in two, namely:

• SOC 1 Type 2 

A report that shows a service organization’s internal control over financial reporting.

• SOC 2 Type 2

An independent attestation provided by a Certified Public Accounting (CPA) firm that indicates a service organization implements the AICPA’s Trust Service Criteria (TSC) controls.

Information Security Awareness

Ongoing training for colleagues in all roles at FilmTrack includes information security awareness topics about fraud, ransomware, theft, and prevention. But there are other exercises as well, such as phishing campaigns, newsletters, periodic informal reminders of best practices, and specific computer-based training (CBT) relevant to their individual job titles. The reason we do these things is to keep security on top of mind each day throughout the organization.

Secured Cloud Infrastructure

Cloud security risks are rampant in today’s digital landscape. A 2021 cloud security survey showed that over 80% of companies experienced a data breach related to vulnerabilities in cloud security.

FilmTrack mitigates these risks by securing our cloud infrastructure via security solutions from AWS, which provides hundreds of security, regulatory, and governance features that keep customer data encrypted year-round.

Compliance with Global Standards

As global standards and requirements for securing entertainment rights data evolve, our team at FilmTrack works with CNB’s audit team to ensure we remain up-to-date and compliant. 

Whether it’s keeping track of updates to privacy regulations like the EU GDPR or identifying new web application security risks, FilmTrack stays on top of all these requirements to protect customer data.

Software, Organizational, and Application Security

Product security and application security are both important aspects of ensuring software is secure, however, they focus on different aspects of security. Product security refers to the holistic security of a software product, whereas application security concentrates explicitly on the security of an app's code and associated data. And organizational security is yet another essential aspect of software security that encompasses the policies, procedures, and processes in place to protect an organization's assets, including its people, facilities, and information.

Our new ebook, The Critical Role of Security in Entertainment Rights Management, uncovers these elements and helps you understand the standards you require from your rights management system. 

Download our ebook to learn more!

This article is for general information and education only. FilmTrack does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of FilmTrack. Please cite sources when quoting.

FilmTrack, as a matter of policy, does not give tax, accounting, regulatory or legal advice, and any information provided should not be construed as such. Rules in the areas of law, tax, and accounting are subject to change and open to varying interpretations. You should consult with your other advisors on the tax, accounting and legal implications of actions you may take based on any strategies presented, taking into account your own particular circumstances.