[funkdobiest]

I can confirm this is industry wide when dealing with the big movie companies. I work in the big data industry and we have several of those clients under the MPAA and have had to go through multiple security audits just for their business.

[jrockway]

What kind of security things do they require? Stuff like using two factor authentication? (Not storing passwords in a spreadsheet would also be good, but they clearly don't require that ;)

[KaiserPro]

Oh no, they require that. but thats difficult to enforce.

Strick AD password, account lockouts after n attempts, password rotations every 90 days.

The internet must have an air gap between it and the "production" network. So that means internet in terminal server clients. (we used to be able to get away with VLANs, and just have a clientside VM on a different VLAN)

No automated mechanism to move data between the "production" network and the outside world. Any data that needs transporting must be accounted for (and that's literally terabytes a day.)