Cybersecurity Advisory Board Outlines Priorities For Broadcast Technology Vendor Community

A ranked-choice voting process allowed media companies and some participating vendors to agree on a list of the top 10 security priorities for the technology vendors serving the media industry. Key concerns included securing the media supply chain and complying with new insurance company rules requiring companies to regularly audit their security vendors.

The Cybersecurity for Broadcasters Retreat advisory board has identified 10 security priorities for the providers of technology specialized to the media industry.

The board arrived at the list of 10 by surveying the nearly 100 people who attended TVNewsCheck’s 2022 Cybersecurity for Broadcasters Retreat, convened Oct. 17-18 at NAB Show New York.

Respondents had access to a ranked-choice voting process enabling them to identify their priorities.

Vendor security has been a priority for the Cybersecurity Retreat since it was first convened in 2018. The issue has gained in importance in the past 12 months, as insurance companies have pressed media companies to audit their vendors regularly for cybersecurity hygiene and as the Securities and Exchange Commission has prepared new rules requiring publicly traded companies to include security experts on their boards of directors.

The 10 priorities identified by the survey build on a comprehensive list of security recommendations for broadcast technology vendors that has been published and then updated by the World Broadcasting Union. Vendors needed media companies to prioritize the items on that comprehensive list so they could begin tackling the list in the most efficient manner.

Here are the priorities:

  • Monitor for vulnerabilities that affect your products. Provide updates that include patches for these vulnerabilities on a cadence aligned with severity. Collaborate with partners and customers to integrate upgrades safely.
  • Integrate security testing and review into the product release cycle and remedy Critical and High severity vulnerabilities prior to release. Provide timely product updates for Critical and High vulnerabilities identified after a release.
  • Create products that allow customers to install Endpoint Protection and Response capabilities on the host. Minimize and document any necessary exclusions.
  • Provide secure options for remote support services. Allow customers to control remote access with customer SSO solutions and preferred access tools.
  • Use secure, encrypted protocols for all administrative access.
  • Support Single Sign-On and Multi-Factor Authentication. All passwords must be changeable and align to industry length standards (for example NIST 800-63b).
  • Use an Endpoint Detection and Response solution on corporate assets, and especially on user endpoints of anyone involved in research, development, deployment, or maintenance of the products.
  • Enforce Multi-Factor Authentication. All passwords must be changeable and align to industry length standards (for example NIST 800-63b) for all environments associated with research, development, and deployment of products, as well as all core corporate systems (email, instant messaging, etc.).
  • Document a set of controls mapped to industry standards and audit annually against controls. For example: SOC 2 Type 2.
  • Maintain network controls to prevent unauthorized access to company environments.
  • Specifically segregate all environments used for research, development, deployment, or maintenance of the products. Restrict access only to those users who must have access to each environment.

For more information about this list, the Cybersecurity for Broadcasters Retreat and monthly Zoom meetings convened by TVNewsCheck for the security community, please email [email protected]. We are happy to tell you more. The CBR advisory board thanks Marina Khainson, head of security architecture at Fox Corp., for her initiative and tireless work in identifying a ranked-choice voting mechanism and then compiling the results of this survey.

