Secure content processing.
posted by Julian Firminger on Feb. 18, 2017, 6:45 a.m. (1 day ago)

Thread Tags: discuss-at-studiosysadmins

Grtz hivemind,

We're in the process of rolling out our first "MPAA-equivalent" secure content processing workflow, replete with physically secure rooms and registered personnel. We've done a pretty good job in locking down the workstations, separating the servers that will do the processing, creating an independent workflow for command and control, complete with its own authentication system and its own credential storage restricted to only the registered engineers for the projects.

However, there are still holes. I'm wondering how others deal with things like root access to storage backend. I'm finding that there's often a disconnect between the security requirements of the project and the SLA requirements for the platforms supporting them. At some point, I'm likely to need to give the keys to a vendor engineer who, technically at least, then has (provisional) access to the secure data. This is regardless of if the storage is physically in the secure rooms or not.

We haven't been asked to yet, but is it commonplace among you guys for your engineers, or your whole department, to sign NDAs as well as the front office staff? Specifically, in operations where NDAs are on a provisional, or project-by-project, basis. We don't have facility-wide contracts. And how do you deal with vendor engineers in this regard?

Julian Firminger
Snr. Systems Administrator, - Attempted Full-Stack Engineer
United Broadcast Facilities
Amsterdam, The Netherlands