social responsibility factory guidevincesupplierportal.vince.com/_uploads/ship/shipdocs/vince...

SOCIAL RESPONSIBILITY FACTORY GUIDE | v.3 – 8.6.2020

Social Responsibility Factory Guide

VINCE.

P a g e | i


Table of Contents Code of Conduct ......................................................................................................................................... 1

Factory ........................................................................................................................................................ 3

Acceptance Requirements ...................................................................................................................... 3

Display Code of Conduct ......................................................................................................................... 3

Security Requirements (C-TPAT) ............................................................................................................. 3

Independent Review ............................................................................................................................... 3

WRAP Certified Factories ........................................................................................................................ 4

Acceptance Levels ................................................................................................................................... 4

Request for Feedback ............................................................................................................................. 4

Optional Assistance ................................................................................................................................. 4

Subcontracting ........................................................................................................................................ 5

P a g e | 1


Code of Conduct

It is the desire of Vince, to not only be a good citizen of the United States, but also to conduct business in an ethical and moral manner in all of the countries of the world in which we have the privilege to do business.

As the scope and breadth of Vince’s sourcing and customer base expands to include more diverse cultures, we must ensure that the businesspeople and companies with which we associate have the same values that we expect from our own employees. To achieve this end Vince subscribes, and we endeavor to have our business partners subscribe, to the following principles in conducting business.

All of Vince’s business partners should be familiar with the Vince Code of Conduct, as it may be updated from time to time. At the election of Vince, the Vince Code of Conduct may be available online at [http://VinceSupplierPortal.Vince.com] or through other Vince business portals. Vince may occasionally update the Vince Code of Conduct, and Vince reserves the right to update and make changes to the Vince Code of Conduct at any time, with or without notice. If we do update the Vince Code of Conduct, we will reflect the date of such update at the top of the Code of Conduct. It is the responsibility of each of our business partners to monitor and comply with the Vince Code of Conduct, as it may be updated, and we encourage our business partners to periodically review the Vince Code of Conduct online or by direct request to a Vince representative to stay informed about any updates to the Code of Conduct.

➢ Ethical Standards: We endeavor to respect the ethical and moral standards and beliefs of all peoplesand cultures with whom we deal. We in turn expect our business partners to respect our rules andprocedures.

➢ Legal Requirements: We expect our employees and business partners to abide by the laws of thecountries in which we conduct business. We also expect that international law related to theconduct of business between Nations be followed at all times.

➢ Health and Safety: We strive to have a safe and healthy working environment in all the facilitieswhere we have employees or operations. We also expect that any business partners to whom weprovide work will endeavor to provide a safe/healthy environment for the employees in theworkplace, and also in the living facilities provided to the workers, should such facilities be provided.

➢ Environmental Safekeeping: We understand that the environment in which we live in is ours tomaintain and protect. We subscribe to manufacturing practices that ensure the safekeeping of ournatural resources and ecological surroundings and expect our business partners to also adhere tothese principles.

➢ Wages and Benefits: The wage and benefit structure of our business partners must comply with theapplicable Country or State laws and our Vince minimum standards.

➢ Working Hours: We expect our business partners to operate based on prevailing local work hours.Any time worked over the norm for the area should be compensated at the overtime rate asprescribed by the local labor laws and should be worked voluntarily. Subject to the requirements oflocal law, a regularly scheduled workweek including overtime should not exceed sixty (60) hours(except in extraordinary business circumstances). All employees are entitled to at least one day off

P a g e | 2


in every seven-day period.

➢ Child Labor: The use of child labor is not permissible. For a definition of “child”, we will first look tothe national laws of the country in which business is being conducted. If, however, the laws of thatcountry do not provide such a definition or if the definition includes individuals below the age of 15,we will define “child”, for purposes of determining use of illegal child labor, as anyone who is:

(a) less than 15 (or 14 where the law of that country permits); or

(b) younger than the compulsory age to be in school in the country in which business is beingconducted, if that age is higher than 15.

➢ Prison/Forced Labor: We will not knowingly utilize or purchase materials and/or productmanufactured by prison or forced labor – indentured, bonded or otherwise. We also do not condonethe practice of involuntary employee “deposits,” withholding of identity papers or any otherpractice that would restrict free movement of employees.

➢ Discrimination: We recognize and are aware that cultural differences will exist between variouspeoples. However, we do believe that people should be employed based on their ability to performa needed function; not on the basis of personal beliefs or characteristics.

➢ Freedom of Association: We recognize and respect the right of employees to exercise their lawfulrights of free association, including joining or not joining any association. We expect our businesspartners to also adhere to these principles.

➢ Disciplinary Practices: We will not condone any type of harassment, abuse, corporal, mental orphysical punishment by a business partner or an employee.

VINCE CODE OF CONDUCT 101513.pdf

P a g e | 3


Factory Vince expects clear, open, and honest communication including all documents, payroll records, timecards, etc. Violation and genuine improvement will always be regarded higher than false documents or hidden violations. Vince expects the factories and the factory management to maintain the highest standards. No offers of any kind, including but not limited to, gifts, factory products, gratuities or money shall be made or accepted.

Acceptance Requirements All factories are required to receive approval for social responsibility before purchase orders can be issued. The Social Responsibility Team which includes (Social Compliance Director and manager) controls an electronic block on purchase orders until the factory:

➢ Accepts the on-line terms and conditions ➢ Is designated with an acceptance level based on an independent review of the factory

compliance to the Vince Code of Conduct.

Display Code of Conduct Vince expects all factory locations to display the Code of Conduct where it is easily viewable to all employees. Suggested areas include near time clocks, entrances to production floor or break rooms. The Code of Conduct should be displayed in the native language of any employees. Translations are available upon request.

Security Requirements (C-TPAT) Vince and many of its customers are partners in the US Customs-Trade Partnership Against Terrorism (C-TPAT) program. As such, it may be necessary for the vendor/factory to be familiar with the C-TPAT minimum security criteria and take the necessary steps to ensure their security procedures are in compliance with the C-TPAT program. Factories will be required to meet C-TPAT standards and be reviewed by independent monitors. The C-TPAT Foreign Manufacturers Minimum Security Criteria (MSC), C-TPAT Questionnaire for Factories, 8-Point Container Inspection, Seal Inspection and Vince Social Responsibility Monitoring Report documents are attached below for reference.

CTPAT Foreign

Manufacturers MSC March 2020.pdf

CTPAT

Questionnaire for Factories_updated 8.6.2020.pdf

CTPAT 8-Point

Container Inspection Checklist_(origin).pdf

VINCE Social

Responsibility Monitoring Report 092413.pdf

Seal Inspection.pdf

Independent Review Factories may be accepted independently by undergoing an audit by an independent third-party auditor. The results of the audit will determine what level of acceptance the factory receives and if the factory is required to make improvements or commit to making improvements before acceptance is granted. Vince will designate the audit firm that will be used to conduct the third-party audit. At no time may a factory designate an audit firm.

P a g e | 4


WRAP Certified Factories Vince will accept WRAP certified factories with a one-year certification or the first year of a two year certification. Vince will not accept a six-month certificate. In order to apply for acceptance under WRAP certification the factory must provide a copy of the WRAP certificate and a blanket release for WRAP audits. Vince may request a copy of the WRAP audit directly from WRAP at any time at its discretion. Vince will determine the level of acceptance at its own discretion.

Acceptance Levels Based on the results of an audit or re-audit a factory will be assigned a rating. Vince expects each factory to continuously work toward achieving higher acceptance levels. The acceptance level is reported on the vendor scorecard and factors into the overall vendor rating.

Level Defined Flag Results Plus Vince

Issue PO Factory

Ship KWD Sell Inventory

I Blacklisted Red Zero tolerance violation(s) N/A No No No

II Probationary Yellow

1) No zero tolerance and 2) Single serious violation, or; 3) Accumulation of multiple violations

Approved CAP

Yes No Yes

III Improving Facility

Yellow 1) Non serious violations 2) Committed to improvements

Approved CAP

Yes Yes Yes

IV Regular Approved

Green No Violations Or CAP Completed

N/A Yes Yes Yes

V Preferred Partner Green No violations on annual re-audit N/A Yes Yes Yes

Request for Feedback Vince and the Social Responsibility Team understand that often the customer acts in a way that causes the factory to violate the customer’s own rules. Such instances might include rush orders, delays in design or fabric approvals. The end result is often excessive overtime to meet the necessary ship date. Please communicate such issues to the Vince Social Responsibility Team so the underlying cause can be addressed.

Optional Assistance Frequently social compliance violations are caused by other factors in the factory. Excessive overtime may be caused by late planning and expedited orders from customers or inefficient production planning in the factory. Recordkeeping issues might be caused by inconsistent control of documents. Health and safety violations may be caused by a lack of understanding of requirements or limited safety resources. We encourage factories to find help identifying and eliminating the underlying problems. It is our belief that if the systemic issues are corrected, not only will the social compliance rating improve but the factory operation (delivery, profit, etc.) will also improve. Below is a list of some firms that provide assistance to factories. Please note that:

P a g e | 5


➢ Consulting assistance CANNOT be from the same company as the third-party audit firm (this includes a separate division of the same company). This is to prevent any conflict of interest involving payment of consulting service and the result of an audit.

➢ The companies listed are not in a specific order. We do not give any priority to one firm over the other.

➢ The factory is responsible for any and all charges incurred for consulting services. ➢ This is not a complete list of service providers. Other firms may be used. This list is provided in

the case that the factory does not know where to find assistance.

Firm Contact Phone e-mail

ICG Tony Klabnik 1.256.454.1081 [email protected] Intertek Toni

Bellacosa 1.973.346.5515 x514 [email protected]

Bureau Veritas

Pearline Gordon

1.716.505.3336 [email protected]

Subcontracting Suppliers are not allowed to subcontract Vince production without written permission from the Vince Social Responsibility Team. Any subcontractor must go through the normal enrollment and approval process and meet the acceptance standards before production can begin. Upon discovery of unauthorized subcontracting, the subcontractor and the primary factory will be subject to review of Vince standards. Depending on the result of the review, penalties will be assessed, including but not limited to, charge backs and destruction of the goods. I hereby certify that has received a copy of Vince Social Responsibility Factory Guide and will comply with the Vince Code of Conduct and C-TPAT requirements. Signature: Date: Print Name: Title:

mailto:[email protected]

mailto:[email protected]

Minimum Security

Criteria Requirement

(Must/Should)

► Factory has a written security plan. *If yes, please provide a copy of the Factory Security Manual and/or written procedures. MUST

► Factory has a designated security officer. *If yes, please provide name and contact information: MUST

► Factory maintains copies of the third party audits/inspections of plant factory. SHOULD

1.1 Factory demonstrates its commitment to supply chain security and the security program through a statement of support, which is signed by a senior

company official and displayed in appropriate company locations. SHOULD

1.2 Factory incorporates representatives from all of the relevant departments into a cross-functional Supply Chain Security team. SHOULD

1.3 The supply chain security program are designed with, supported by, and implemented by an appropriate written security policies and procedures. These

policies and procedures are updated as needed based on pertinent changes in an organization’s operations and level of risk. MUST

1.4 Factory’s Point(s) of Contact (POC) to security must be knowledgeable about security program requirements. MUST

2.1 Factory conducts an overall risk assessment to identify where security vulnerabilities may exist in their supply chains annually or more frequently as risk

factors dictate. MUST

2.2 The international portion of the risk assessment documents or maps the movement of the factory’s cargo throughout its supply chain from the point of

origin to the importer’s distribution center. SHOULD

2.3 Factory performs periodic security assessments. MUST

2.4 Factory has written procedures in place that address crisis management, business continuity, security recovery plans and business resumption. SHOULD

3.1 Factory has a written, risk-based process for screening new business partners and for monitoring current partners. Factory should also include in this

process checks on activity related to money laundering and terrorist funding. MUST

3.2 Factory's business partner screening process should take into account whether a partner is a CTPAT member or a member in an approved Authorized

Economic Operator (AEO) program with a Mutual Recognition Arrangement (MRA) with the United States (or an approved MRA). Factory obtains

evidence of the certification from the business partner(s) and are continuously monitored to ensure they maintain their certification. MUST

3.3 Factory exercises due diligence (via visits, questionnaires, etc.) to ensure their business partners have security measures in place that meet or exceed

CTPAT’s Minimum Security Criteria (MSC). MUST

3.4 Weaknesses identified during business partners' security assessments are addressed and corrections are implemented in a timely manner. Factory

requires documentary evidence be provided to confirm deficiencies have been corrected. MUST

3.5 Factory performs security assessments of business partners at least annually or more frequently as circumstances/risks dictate. SHOULD

3.6 For inbound shipments to the United States, if a factory subcontracts transportation services to another highway carrier, the factory must use a CTPAT

certified highway carrier or a highway carrier that works directly for the factory as delineated through a written contract. The contract must stipulate

adherence to all minimum security requirements. ***Only applicable for inbound shipments from Canada and Mexico MUST

3.7 Factory has a documented social compliance program in place that, at minimum addresses how the company ensures goods imported into United States

were not mined, produced or manufactured, wholly or in part, with prohibited forms of labor, e.g. forced, imprisoned, indentured or indentured child SHOULD

4.1 Factory has comprehensive written cybersecurity policies and/or procedures to protect information technology (IT) systems. The written IT policy, at a

minimum, must cover all of the individual Cybersecurity criteria. MUST

4.2 To defend Information Technology (IT) systems against common cybersecurity threats, factory must install sufficient software/hardware protection from

malware (viruses, spyware, worms, Trojans, etc.) and internal/external intrusion (firewalls) in their computer systems. Factory must ensure their security

software is current and receives regular security updates. MUST

4.3 Factory must also have policies and procedures in place to prevent attacks via social engineering. If a data breach occurs or another unseen event results

in the loss of data and/or equipment, procedures must include the recovery (or replacement) of IT systems and/or data. MUST

4.4 Factory must regularly test the security of their IT infrastructure. If vulnerabilities are found, corrective actions must be implemented as soon as feasible. MUST

4.5 Factory's cybersecurity policies or procedures address how factory shares information on cybersecurity threats with the government and other

business partners. SHOULD

4.6 Factory must have a system in place to identify unauthorized access of IT systems/data, or abuse of policies and procedures, including improper access

of internal systems or external websites, and tampering with or altering of business data by employees or contractors. All violators must be subject to

appropriate disciplinary actions. MUST

4.7 Cybersecurity policies and procedures must be reviewed annually, or more frequently, as risk or circumstances dictate. Following the review, corrective

actions are implemented in a timely manner if vulnerabilities are found. MUST

4.8 Factory has policies in place to restrict user access based on job description or assigned duties. Authorized access must be reviewed on a regular basis to

ensure access to sensitive systems is based on job requirements. Computer and network access must be removed upon employee separation. MUST

4.9 Factory requires individuals with access to Information Technology (IT) systems to use individually assigned accounts. MUST

4.10 Factory uses strong passwords, passphrases, or other forms of authentication, to protect IT systems from infiltration. User access to IT systems must be

safeguarded at all times. MUST

4.11 Factory requires passwords and/or passphrases be changed as soon as possible if there is evidence of compromise or reasonable suspicion of a MUST

4.12 Factory must employ secure technologies, such as virtual private networks (VPNs) to allow employees who must connect remotely to access the

company’s intranet securely when located outside of the office. Factory must also have procedures designed to prevent remote access from MUST

4.13 If factory allows their employees to use personal devices to conduct company work, all such devices must adhere to the company’s cybersecurity

policies and procedures to include regular security updates and a method to securely access the company’s network. MUST

4.14 Cybersecurity policies and procedures include measures to prevent the use of counterfeit or improperly licensed technological

products. SHOULD

4.15 Factory's data should be backed up once a week or as appropriate. All sensitive and confidential data should be stored in an encrypted format. SHOULD

4.16 All media, hardware, or other IT equipment that contains sensitive information regarding the factory's import/export process are accounted for through

regular inventories. When disposed, they must be properly sanitized and/or destroyed in accordance with the National Institute of Standards and

Technology (NIST) Guidelines for Media Sanitization or other appropriate industry guidelines. MUST

5.1 Factory has written procedures in place detailing the storage of containers and trucks -- both empty and full -- in a secured area to prevent unauthorized MUST

5.2 Factory has written procedures for both security and agricultural inspections of containers, trucks, or other conveyances and Instruments of

International Traffic (IIT). MUST

VINCE C-TPAT QUESTIONNAIRE FOR FACTORIES

Company: ______________________________________________________________________

Address: ________________________________________________________________________

General Security (YES OR NO)

(YES OR NO)

2. Risk Assessment (only applicable to C-TPAT members in Canada and Mexico) (YES OR NO)

3. Business Partners

1. Security, Vision, and Responsibility (only applicable to C-TPAT members in Canada and Mexico)

(YES OR NO)

4. Cybersecurity including Information Technology (YES OR NO)

5. Conveyance and Instruments of International Traffic Security (Container Security) (YES OR NO)

5.3Prior to loading/stuffing/packing, factory requires all conveyances and empty IIT undergo CTPAT approved security and agricultural inspections to ensure

their structures have not been modified to conceal contraband, or have not been contaminated with visible agricultural pests.

Inspection requirements for CTPAT shipments via ocean, air, and land borders (as applicable) by rail or intermodal freight include an eight-point

inspection on all containers and ULDs prior to loading/stuffing. The follow items should be checked:

1. Front wall

2. Left side

3. Right side

4. Floor

5. Ceiling/Roof

6. Inside/outside doors, including the reliability of the locking mechanisms of the doors;

7. Outside/Undercarriage

8. Check for pests MUST

5.4For land border crossings via highway carriers, additional inspection requirements include inspections of containers and trucks at conveyance/IIT storage

yards. When possible, inspections are conducted upon entering/departing the storage yard and at the point of loading/stuffing. These systematic

inspections must include 17-point inspections:

Tractors

1. Bumper/tires/rims

2. Doors, tool compartments and locking mechanisms

3. Battery box

4. Air breather

5. Fuel tanks

6. Interior cab compartments/sleeper

7. Faring/roof

Trailers

1. Fifth wheel area - check natural compartment/skid plate

2. Exterior - front/sides

3. Rear - bumper/doors

4. Front wall

5. Left side

6. Right side

7. Floor

8. Ceiling/roof

9. Inside/outside doors and locking mechanism

10. Outside/Undercarriage MUST

5.5 Factory must utilize containers and trucks equipped with external hardware that can reasonably withstand attempts to remove it or tamper with. The

door, handles, rods, hasps, rivets, brackets, and all other parts of a container’s locking mechanism must be fully inspected to detect tampering and any

hardware inconsistencies prior to the attachment of any sealing device MUST

5.6Factory records all inspections of containers and trucks on a checklist. The following elements should be documented on the checklist:

• Container/Trailer/Instruments of International Traffic number;

• Date of inspection;

• Time of inspection;

• Name of employee conducting the inspection; and

• Specific areas of the Instruments of International Traffic that were inspected.

If the inspections are supervised, the supervisor should also sign the checklist.

The completed container/Instruments of International Traffic inspection sheet should be part of the shipping documentation packet. The consignee

should receive the complete shipping documentation packet prior to receiving the merchandise.

5.7 Factory performs all security inspections in an area of controlled access and, if available, monitored via a CCTV system. SHOULD

5.8 If visible pest contamination is found during the containers and trucks inspection, washing/vacuuming must be carried out to remove such

contamination. Factory must retain documentation for one year to demonstrate compliance with these inspection requirements. MUST

5.9 Factory management personnel should conduct random searches on containers and trucks once every 2-3 months after transportation staff have

conducted conveyance/IIT inspection checks. The searches should be conducted at random without warning, so they will not become predictable. The

inspections should be conducted at various locations where the conveyance is susceptible: the carrier yard, after the truck has been loaded, and en

route to the United States border. SHOULD

5.10 Factory should work with their transportation providers to track conveyances from origin to final destination point. Specific requirements for tracking,

reporting, and sharing of data should be incorporated within terms of service agreements with service providers. SHOULD

5.11 Factory should have access to their carrier's GPS fleet monitoring system so they may track the movement of their shipments. SHOULD

5.12 For land border shipments that are in proximity to the United States border, a “no-stop” policy should be implemented with regard to

unscheduled stops. ***Only applicable for inbound shipments from Canada and Mexico SHOULD

5.13 In areas of high risk, and immediately prior to arrival at the border crossing, factory should incorporate a “last chance” verification process for U.S.

bound shipments for checking of containers or trucks for signs of tampering to include visual inspections of conveyances and the VVTT seal verification

process. Properly trained individuals should conduct the inspections. SHOULD

5.14 Factory has procedures in place for notifying business partners in the supply chain that may be affected and law enforcement agencies, as appropriate, if

a credible (or detected) threat to the security of a shipment or conveyance is discovered. MUST

6.1 Factory has detailed, written high security seal procedures that describe how seals are issued and controlled at the factory and during transit.

Procedures must provide the steps to take if a seal is altered, tampered with, or has the incorrect seal number, including documentation of the event,

communication protocols to partners, and investigation of the incident. The findings from the investigation must be documented, and any corrective

actions must be implemented as quickly as possible. MUST

6.2 Written procedures must be maintained at the local operating level so that they are easily accessible. Procedures must be reviewed at least once a year

and updated as necessary. MUST

6. Seal Security (YES OR NO)

6.3Written seal controls must include the following elements:

Controlling Access to Seals

• Management of seals is restricted to authorized personnel.

• Secure storage.

Inventory, Distribution, & Tracking (Seal Log)

• Recording the receipt of new seals.

• Issuance of seals recorded in log.

• Track seals via the log.

• Only trained, authorized personnel may affix seals to containers.

Controlling Seals in Transit

• When picking up sealed IIT (or after stopping) verify the seal is intact with no signs of tampering.

• Confirm the seal number matches what is noted on the shipping documents.

Seals Broken in Transit

• If a load is examined, record the replacement seal number.

• The driver must immediately notify dispatch when a seal is broken, indicate who broke the seal, and provide the new seal number.

• The carrier must immediately notify the shipper, broker, and importer of the seal change and the replacement seal number.

• The shipper must note the replacement seal number in the seal log.

Seal Discrepancies

• Retain altered or tampered seals to aid in investigations.

• Investigate the discrepancy; follow-up with corrective measures (if warranted).

• As applicable, report compromised seals to CBP and the appropriate foreign government to aid in the investigation. MUST

6.4 All international shipments are secured immediately after loading/stuffing/packing by the responsible party (ie. factory or authorized packer acting on

factory's behalf) with a high security seal that meets or exceeds the most current ISO 17712 standard for high-security seals. Factory must ensure that all

seals used must be securely and properly affixed to containers. MUST

6.5 Factory must document and maintain all seal audit logs. Annual seal audits, conducted by either a factory manager or a security supervisor, must include

periodic inventory of stored seals and reconciliation against seal inventory logs and shipping documents. As part of the overall seal audit process, dock

supervisors and/or warehouse managers must periodically verify seal numbers used on containers. MUST

6.6 Factory seal verification process ensures all high-security seals such as bolts and cables are affixed properly to all containers and are operating as

designed. Factory follows below VVTT process:

V – View seal and container locking mechanisms; ensure they are OK;

V – Verify seal number against shipment documents for accuracy;

T – Tug on seal to make sure it is affixed properly;

T – Twist and turn the bolt seal to make sure its components do not unscrew, separate from one another, or any part of the seal becomes loose. MUST

7.1 Factory must ensure cargo is secure from unauthorized access when cargo is staged overnight or for an extended period of time. MUST

7.2 Factory must ensure cargo staging areas, and the immediate surrounding areas, be inspected at least monthly to makre sure these areas remain free

of visible pest contamination. MUST

7.3 The loading/stuffing of cargo into containers should be supervised by a security officer/manager or other designated personnel of the factory. SHOULD

7.4 Factory should document evidence of the properly installed seal with digital photographs taken at the point of stuffing. To the extent feasible, these

images should be electronically forwarded to the destination for verification purposes. SHOULD

7.5 Factory has procedures in place to ensure that all information used in the clearing of merchandise/cargo is legible, complete, accurate, protected against

the exchange, loss, or introduction of erroneous information, and reported on time. MUST

7.6 Unused paper documents, forms, and other import/export related documentation should be secured to prevent unauthorized use. SHOULD

7.7 Factory must ensure that bill of ladings (BOLs) and/or manifests accurately reflect the information provided to the carrier, such as weight and piece MUST

7.8 Factory must have written procedures for reporting an incident, which includes a description of the factory's internal escalation process. Factory has a

notification protocol in place to report any suspicious activities or security incidents that may affect the security of the factory’s supply chain.

Notification procedures include accurate contact information that lists the name(s) and phone number(s) of factory personnel requiring notification, as

well as for law enforcement agencies. Procedures must be annually reviewed to ensure contact information is accurate. MUST

7.9 Factory has procedures in place to identify, challenge, and address unauthorized/unidentified persons. Employees must know the protocol to challenge

an unknown/unauthorized person, how to respond to the situation, and be familiar with the procedure for removing an unauthorized individual from MUST

7.10 Factory should have a protocol in place to report security related issues anonymously. When an allegation is received, it should be investigated, and if

applicable, corrective actions should be taken. SHOULD

7.11 All shortages, overages, and other significant discrepancies or anomalies are investigated and resolved in a timely manner, as appropriate. MUST

7.12 Arriving cargo should be reconciled against information on the cargo manifest. Departing cargo should be verified against purchase

or delivery orders. SHOULD

7.13 Seal numbers assigned to specific shipments should be transmitted to the consignee prior to departure. SHOULD

7.14 Seal numbers should be electronically printed on the bill of lading or other shipping documents. SHOULD

7.15 Following a significant security incident, factory must initiate a post-incident analysis immediately after becoming aware of the incident. The results of

the factory's post-incident analysis must be documented, completed as soon as possible, and made available to CTPAT Supply Chain Security Specialists

(SCSS), if allowed by law enforcement authorities. MUST

8.1 Factory has written procedures designed to prevent visible pest contamination to include compliance with Wood Packing Materials (WPM) regulations. MUST

8.2 Visible pest prevention measures are adhered to throughout the supply chain. MUST

8.3 If Wood Packaging Materials (WPM) are used in the shipping process, they must be debarked and heat treated or fumigated with methyl bromide,

stamped or branded with the IPPC (International Plant Protection Convention) mark of compliance. MUST

9.1 Factory's cargo handling and storage facilities, including trailer yards and offices, have physical barriers and/or deterrents that prevent unauthorized MUST

9.2 Perimeter fencing should enclose the areas around cargo handling and storage facilities. If a factory handles cargo, interior fencing should

be used to secure cargo and cargo handling areas. Additional interior fencing should segregate various types of cargo such as domestic, international,

high value, and/or hazardous materials. Factory should regularly inspect the fencing for signs of tamper or damage by designated factory personnel. Any

damage found should be repaired as soon as possible. SHOULD

9.3 Factory must have manned security or monitoring at gates where vehicles and/or personnel enter or exit (as well as other access points). Individuals and

vehicles may be subject to search in accordance with local and labor laws. MUST

9.4 Factory prohibits private passenger vehicles from parking in or adjacent to cargo handling and storage areas, and conveyances. MUST

9.5 Factory must have adequate lighting inside and outside of the factory including, as appropriate, the following areas: entrances and exits, cargo handling

and storage areas, fence lines and parking areas. MUST

9.6 Security technology such as CCTV, burglary alarm system, and access control devices, should be utilized to monitor premises and prevent unauthorized

access to sensitive areas. SHOULD

9. Physical Security (YES OR NO)

7. Procedural Security (YES OR NO)

8. Agricultural Security (if wood packing materials are used during transportation) (YES OR NO)

9.7Factory must have written policies and procedures governing the use, maintenance, and protection of their security technology.

At a minimum, these policies and procedures must stipulate:

• That access to the locations where the technology is controlled or managed is limited to authorized personnel;

• The procedures that have been implemented to test/inspect the technology on a regular basis;

• That the inspections include verifications that all of the equipment is working properly, and if applicable, that the equipment is positioned correctly;

• That the results of the inspections and performance testing is documented;

• That if corrective actions are necessary, they are to be implemented as soon as possible and the corrective actions are documented;

• That the documented results of these inspections be maintained for a sufficient time for audit purposes. MUST

9.8 If a third party central monitoring station (off-site) is used, factory has written procedures stipulating critical systems functionality and authentication

protocols such as (but not limited to) security code changes, adding or subtracting authorized personnel, password revision(s), and systems access or MUST

9.9 Factory reviews and updates security technology policies and procedures annually, or more frequently, as risk or circumstances dictate. MUST

9.10 Factory should use licensed/certified resources when considering the design and installation of security technology. SHOULD

9.11 All security technology infrastructure must be physically secured from unauthorized access. MUST

9.12 Factory configures security technology systems with an alternative power source that will allow the systems to continue to operate in the event of an

unexpected loss of direct power. SHOULD

9.13 If camera systems are deployed, cameras should monitor a factory’s premises and sensitive areas to deter unauthorized access. Alarms should be used

to alert factory personnel to unauthorized access into sensitive areas. SHOULD

9.14 Cameras must be positioned to cover key areas of factory's facilities that pertain to the import/export process. Cameras should be programmed to

record at the highest picture quality setting available, and be set to record on a 24/7 basis. MUST

9.15 Cameras should have an alarm/notification feature, which would signal a “failure to operate/record” condition. SHOULD

9.16 Factory's management, security team, or other designated personnel, must conduct random periodic reviews of the camera footage at least once every

3 months to verify that cargo security procedures are being properly follow. Results of the reviews must be summarized in writing to include any

corrective actions taken. Factory must maintain the results for a sufficient time for audit purposes. MUST

9.17 Factory should maintain recordings of footage covering key import/export processes for at least 90 days to allow sufficient time for an investigation to SHOULD

10.1 Factory must have written procedures governing how identification badges and access devices are granted, changed, and removed. A personnel

identification system must be in place for positive identification and access control purposes. Access to sensitive areas must be restricted based on job

description or assigned duties. Removal of access devices must take place when the employees separate from the company. MUST

10.2 Factory must require all visitors, vendors, and service providers to present photo identification upon arrival, and a log be maintained to record the

details of the visit. All visitors are to be escorted throughout the facility. Temporary identification such as ID badges are issued to all visitors and are

visibly displayed at all times during the visit.

The registration log must include the following:

• Date of the visit

• Visitor's name

• Verification of photo identification (type verified such as license or national ID card). Frequent, well known visitors such as regular vendors may forego

the photo identification, but must still be logged in and out of the facility.

• Time of arrival

• Company point of contact

• Time of departure MUST

10.3 Factory's registration log must include the following:

• Date of the visit

• Visitor's name

• Verification of photo identification (type verified such as license or national ID card). Frequent, well known visitors such as regular vendors may forego

the photo identification, but must still be logged in and out of the facility.

• Time of arrival

• Company point of contact

• Time of departure MUST

10.4 Factory requires all drivers delivering or receiving cargo present government-issued photo identification to factory security personnel before cargo is

received or released. MUST

10.5 Factory must maintain a cargo pickup log to register drivers and record the details of their conveyances when picking up cargo. The cargo log must be

kept secured, and drivers must not be allowed access to it. MUST

10.6 The cargo pickup log must have the following items recorded:

• Driver's name

• Date and time of arrival

• Employer

• Truck number

• Trailer number

• Time of departure

• The seal number affixed to the shipment at the time of departure MUST

10.7 Prior to arrival, the carrier are required to notify the factory of the estimated time of arrival for the scheduled pick up, the name of the driver and truck SHOULD

10.8 Factory should periodically screen arriving packages and mail for contraband before being admitted. SHOULD

10.9 If security guards are used, work instructions for security guards are contained in the factory's written policies and procedures. Management must

periodically verify compliance and appropriateness with these procedures through audits and policy reviews. MUST

11.1 Factory has written processes in place to screen prospective employees and to periodically check current employees. Application information, such as

employment history and references, must be verified prior to employment. MUST

11.2 Factory performs background checks on all prospective employees in a sensitive position, as well as annually on current employees in sensitive positions.

Results of background checks, as permitted by local statutes, should be considered in making hiring decisions. SHOULD

11.3 Factory has an Employee Code of Conduct that includes expectations and defines acceptable behaviors. Penalties and disciplinary procedures are

included in the Code of Conduct. Employees/contractors acknowledge in writing that they have read and understood the Code of Conduct, and this

acknowledgement is kept in the employee’s file for documentation. MUST

12.1 Factory must establish and maintain a security training and awareness program to recognize and foster awareness of the security vulnerabilities to

facilities, conveyances, and cargo at each point in the supply chain, which could be exploited by terrorists or contraband smugglers. The training

program must be comprehensive and cover all of CTPAT’s security requirements. Employees in sensitive positions must receive additional specialized

training geared toward the responsibilities that the position holds. Factory requires newly hired employees receive security training as part of their

orientation/job skills training. MUST

12.2 Factory retains evidence of training such as training logs, sign in sheets, or electronic training records. Training records includes the date of the training,

names of attendees, and the topics of the training. MUST

12. Education, Training, and Awareness (YES OR NO)

10. Physical Access Controls (YES OR NO)

11. Personnel Security (YES OR NO)

12.3 Drivers and other employees that conduct security and agricultural inspections of empty containers are properly trained to inspect their containers for

both security and agricultural purposes. Security refresher training are conducted periodically, as needed after an incident or security breach, or when

there are changes to company procedures. MUST

12.4 Factory's inspection training must include the following topics:

• Signs of hidden compartments

• Concealed contraband in naturally occurring compartments

• Signs of pest contamination MUST

12.5 Factory should have measures in place to verify that the training provided met all training objectives. SHOULD

12.6 Employees are trained on the factory's cybersecurity policies and procedures, which include the need for employees to protect passwords/passphrases

and computer access. MUST

12.7 Employees operating and managing security technology systems must receive operations and maintenance training in their specific areas. MUST

12.8 Employees are trained on how to report security incidents and suspicious activities. MUST

Supporting Documentation

Please provide the following documentation to support your responses in each section above:

••••••••••••

CERTIFICATIONI hereby certify that all information provided in connection with this questionnaire is complete, true and accurate in all respects.

Name (Print) ______________________________________________________ Signature ______________________________________________________

Title/Position ______________________________________________________ Date __________________________________________________________

Security Manual - Copy of factory's security manual addressing how factory maintains each minimum security criterias aboveRisk Assessment (Canada/Mexico only) - Copy of latest risk assessmentBusiness Parters - Example of standards and written agreements with carriers, tracking systems, and awareness of CTPAT criteria.Cybersecurity - Copy of IT training, standards, and disciplinary policyConveyance and Container Security - Copy of container inspection procedure and 8-point container checklist

Personnel Security - Copy of employment screening/application, copy of signed employee agreement acknowledging adherance to factory's code of conductEducation, Training and Awareness - Copy of security awareness training program and training records

Seal Security - Copy of seal security procedures, copy of seal audit log, photo example of seals usedProcedural Security - Copy of written procedure for incident reportingAgricultural Procedures - Copy of fumigation certificatePhysical Security - Digital images of key physical structures such as fencing, gates, building structure, electronic surveillance, alarms, etc.Access Controls - Digital images of employee badges, visitor records/logs, visitor badge, appointments for drivers, etc.

VINCE.

Private and Confidential Page 1 of 12 Version 08/07/13

VINCE. Social Responsibility Monitoring Report

Report #: Date:

Factory Name

Audit Type:

Agent Company (if applicable):

Vendor Company (if applicable):

Name of Audited Facility:

Physical Location Address:

Mailing Address:

Contact Name:

Title:

Telephone #:

Fax #:

Email:

MONITORED BY

Name of Company:

Name of Monitor:

Audit Date:

Overall Rating Social Responsibility

Overall Rating CTPAT

VINCE.


FACTORY PROFILE

General Profile The following factory profile is for the factory named physical address listed on page 1. The total land area occupied by the facility is about . The factory has operated at this location since under the current owner. The main products manufactured by the factory are . Buildings Enter number of buildings in factory complex by type

Total buildings:

Production: Storage/Warehouse:

Canteen: Dormitories:

Other: Specify other type:

Production The main production processes are listed as follows: .

Total number of employees:

# of Production Workers

# of Non- Production workers

# of local employees

# of Migrant employees

Wages of worker are calculated based on what type of rate?

The peak season is from to .

Working hours in the factory are from {time} to {time}. Include multiple shifts below if necessary.

Breaks are {list}.

Type of articles produced:

Is there Vince Production in this factory? Yes If yes what % No

List other brands produced in this factory and percentage dedicated to each brand:

Processes the factory is capable of: (Select from Following List):

Assembly Finishing Molding Sewing

Cutting Injection Packing Trimming

Dying Inspection Painting / Spraying Washing

Embroidery Laundry Pressing Other (specify)

Total Number of Machines:

Cutters: Spreaders: Single: Double:

VINCE.


Multi: Over lock: Bar tack: Buttonhole: Button sew:

Pressers: Blind stitch: Other: Other: Other:

Production Capacity per week (estimate):

Required Lead Time (from placing order to Shipment)

VINCE.


AUDIT PROCESS

General Factory’s operation was assessed / verified against the Vince Code of Conduct and local legislations on a sampling basis.

Total Number of Workers interviewed: # of Women # of Men

Number of records reviewed From the month of: Current

Number of records reviewed From the month of: Peak or Non Peak

Number of records reviewed From the month of: Peak or Non Peak

Communicated Findings with:

Name: Title:

Name: Title:

Name: Title:

Name: Title:

VINCE.


SPECIFIC FINDINGS

1. Legal Requirements Customs / Transshipment

Acceptable Needs Improvement Unacceptable

Exceptions:

Please state legal or Vince requirement, non-compliant finding, evidence of non-compliance and factory response.

2. Child Labor Acceptable Needs Improvement Unacceptable

The legal working age is this country:

Legal working age for authorized minors in this country:

Until what age, if any, are children legally required to attend school in this country:

What is the youngest age of anyone working in this facility:

Exceptions:


3. Forced Labor Acceptable Needs Improvement Unacceptable

Exceptions:


Vince prohibits force, prison, indentured or bonded labor. (Does the country allow movement to another factory or must one return to their native country?)

VINCE.


4. Wages and Benefits Acceptable Needs Improvement Unacceptable

Local Currency

Specify:

US Dollar Exchange rate

Minimum legal wage applicable to the industry

Hourly USD 1 =

Weekly USD 1 =

Monthly USD 1 =

Actual minimum wage paid by the factory

Hourly USD 1 =

Weekly USD 1 =

Monthly USD 1 =

Prevailing Industry wage, if available Hourly USD 1 =

Weekly USD 1 =

Monthly USD 1 =

Average wage paid in this factory Hourly USD 1 =

Weekly USD 1 =

Monthly USD 1 =

Exceptions:


VINCE.


5. Working Hours Acceptable Needs Improvement Unacceptable

(Actual) Factory By Law

Normal work hours per week

Maximum hours worked per day

Maximum hours worked per week

Maximum overtime hours per day

Maximum overtime hours per week

Average overtime hours per day

Average overtime hours per week

Maximum number of continuous workdays

Average Total Hours Per Week Peak

Average Total Hours Per Week Non Peak

Exceptions:


Payroll/Time Record Cross Check

1. Production or other factory records that were crossed checked against attendance and payroll records:

2. Production or other records were consistent with attendance and payroll records: Yes No

3. Which records were not consistent with attendance and payroll records?

4. What inconsistencies were found?

5. Did interviewed employees confirm they are compensated for all hours worked? Yes No

6. Did interviewed employees confirm work hours and compensation as reported on factory attendance and payroll records?

Yes No

7. If inconsistencies found and questioned, did factory present an explanation for such inconsistencies? Yes No

8. Was any evidence found that factory records overstate the wages paid to employees or that employees are working hours for which they are not compensated?

Yes No

9. If answer to 8 is yes, describe finding.

VINCE.


6. Discrimination and Womens Rights


Exceptions:


7. Disciplinary Practices Acceptable Needs Improvement Unacceptable

Exceptions:


8. Free Association Acceptable Needs Improvement Unacceptable

Exceptions:


9A. Health and Safety Acceptable Needs Improvement Unacceptable

Exceptions:


9B. Health and Safety – Dormitories (if applicable)

Acceptable / Not Applicable

Needs Improvement Unacceptable

Exceptions:


VINCE.


10. Environmental Safekeeping


Exceptions:


11. Monitoring Standards Acceptable Needs Improvement Unacceptable

Exceptions:


VINCE.


FOR INITIAL/ANNIVERSARY AUDITS ONLY – Complete the following

VINCE C-TPAT QUESTIONNAIRE FOR FACTORIES

Company: _______________________________________

Address: _________________________________________

General Security

YES NO 1. Factory has a written security plan.

If yes, please attached a copy of the Factory Security manual and/or written procedures.

2. Factory has a designated security officer.

If yes, please provide name and contact information.

Physical Security 3. Factory is constructed of materials which resist unlawful entry and

protect against outside intrusion.

4. Factory has security personnel present to prevent unauthorized entry.

5. Factory has locking devices for external and internal doors, windows,

gates and fences, while maintaining safety rules for employee egress in an emergency.

6. Factory prevents unauthorized access to raw materials and finished

cargo within warehouse.

7. Factory has adequate lighting inside and outside facility, including

parking areas.

8. Private vehicles cannot access shipping, loading dock and cargo areas.

9. Factory has a communication plan with internal/external communication

systems in place to contact factory security personnel or local law enforcement agencies, should need arise.

10. Factory has alarm system and video surveillance cameras to monitor

the premises and prevent unauthorized access to cargo handling and storage areas.

Access Controls 11. Factory has defined physical separation of packing/shipping area from

rest of facility.

12. Factory prohibits unauthorized access to packing, shipping, loading

dock or cargo areas.

13. Factory requires positive identification of all employees and visitors and

escorts visitors while in facility.

14. Factory collects ID document from visitors upon their exit from facility.

15. Factory has procedures for challenging and managing unauthorized or

unidentified persons.

16. Factory controls access to keys, key cards, IT systems, etc.

VINCE.


Procedural Security 17. Factory has procedures for handling incoming and outgoing goods to

protect against introduction, exchange or loss of any legal or illegal material.

18. Factory has security officer to supervise the introduction or removal

of cargo.

19. Factory has procedures to properly mark, weigh, count and document

products.

20. Factory has procedures for affixing, replacing, recording, tracking and

verifying seals on containers, trailers and rail cars

21. Factory uses high security seals to meet PAS ISO 17712 standards.

22. Factory has procedures for detecting and reporting shortages/overages

23. Factory has procedures for tracking the timely local movement of

incoming and outgoing goods. 24. Factory properly stores empty/full containers to prevent unauthorized

access. 25. Factory conducts 7-point inspection prior to loading container.

26. Factory has procedures to notify Customs and other law enforcement

agencies in cases where abnormal or illegal activities are detected or suspected.

27. Factory has procedures for recognizing and reporting compromised seals and or containers to authorities.

Personnel Security

28. Factory conducts employment screening and interviewing of prospective warehouse/shipping and security personnel that includes periodic background checks and application verifications. 29. Factory has procedures in place to remove identification and system access for terminated employees.

Education & Awareness 30. Factory provides security reporting mechanism for employees, including confidential reporting. 31. Factory conducts security awareness training for management, supervisor and employees to include recognition of internal conspiracies, maintenance of product integrity, determination of unauthorized access and procedures to address unauthorized access.

Information Technology Security: 32. Factory has Information Technology (IT) security policies and procedures. This includes individually assigned passwords with periodic changes, training for employees in appropriate use of facility IT systems and immediate removal of access to system for terminated employees. 33. Factory has a system in place to identify the abuse of information technology (IT) including improper access, tampering or altering of business data and take the appropriate disciplinary actions for all violators of system abuse.

Standard Photos

VINCE.


1. Exterior of factory 12. Fire extinguishers/hoses 2. Factory security (fences, guard house, etc.) 13. Aisles and walkways 3. Cutting room 14. Time clocks 4. Sewing floor 15. Time cards 5. Finishing area 16. Emergency exit signs 6. Packing/shipping area 17. Post Code of Conduct 7. Shipping/receiving docks 18. First aid boxes 8. Restrooms 19. Emergency lights 9. Canteen area 20. Dormitory (if applicable) 10. Main door and exit doors 21. Alarm system, video surveillance cameras 11. Posted evacuation plan 22. Employee badges, visitor records/logs,

Non Compliance Photos (Social Compliance) Examples

Blocked aisles/exits Unclean restrooms Missing safety guards Faulty wiring Unmarked emergency exits Other violations that can be photographed

Non Compliance Photos (CTPAT) Examples

Uncontrolled loading dock area Lack of defined physical separation of packing/shipping area Other CTPAT violations that can be photographed

1

VINCE CODE OF CONDUCT

Updated October 15, 2013 It is the desire of Vince, to not only be a good citizen of the United States, but also to conduct business in an ethical and moral manner in all of the countries of the world in which we have the privilege to do business. As the scope and breadth of Vince’s sourcing and customer base expands to include more diverse cultures, we must ensure that the business people and companies with which we associate have the same values that we expect from our own employees. To achieve this end Vince subscribes, and we endeavor to have our business partners subscribe, to the following principles in conducting business. All of Vince’s business partners should be familiar with the Vince Code of Conduct, as it may be updated from time to time. At the election of Vince, the Vince Code of Conduct may be available online at [http://VinceSupplierPortal.Vince.com] or through other Vince business portals. Vince may occasionally update the Vince Code of Conduct, and Vince reserves the right to update and make changes to the Vince Code of Conduct at any time, with or without notice. If we do update the Vince Code of Conduct, we will reflect the date of such update at the top of the Code of Conduct. It is the responsibility of each of our business partners to monitor and comply with the Vince Code of Conduct, as may be updated, and we encourage our business partners to periodically review the Vince Code of Conduct online or by direct request to a Vince representative to stay informed about any updates to the Code of Conduct. Ethical Standards: We endeavor to respect the ethical and moral standards and beliefs of all peoples

and cultures with whom we deal. We in turn expect our business partners to respect our rules and procedures.

Legal Requirements: We expect our employees and business partners to abide by the laws of the countries in which we conduct business. We also expect that international law related to the conduct of business between Nations be followed at all times.

Health and Safety: We strive to have a safe and healthy working environment in all the facilities where we have employees or operations. We also expect that any business partners to whom we provide work will endeavor to provide a safe/healthy environment for the employees in the workplace, and also in the living facilities provided to the workers, should such facilities be provided.

Environmental Safekeeping: We understand that the environment in which we live in is ours to maintain and protect. We subscribe to manufacturing practices that ensure the safekeeping of our natural resources and ecological surroundings, and expect our business partners to also adhere to these principles.

2

Wages and Benefits: The wage and benefit structure of our business partners must comply with the applicable Country or State laws and our Vince minimum standards.

Working Hours: We expect our business partners to operate based on prevailing local work hours. Any time worked over the norm for the area should be compensated at the overtime rate as prescribed by the local labor laws and should be worked voluntarily. Subject to the requirements of local law, a regularly scheduled workweek including overtime should not exceed sixty (60) hours (except in extraordinary business circumstances). All employees are entitled to at least one day off in every seven-day period.

Child Labor: The use of child labor is not permissible. For a definition of “child”, we will first look to the national laws of the country in which business is being conducted. If, however, the laws of that country do not provide such a definition or if the definition includes individuals below the age of 15, we will define “child”, for purposes of determining use of illegal child labor, as anyone who is:

(a) less than 15 (or 14 where the law of that country permits); or

(b) younger than the compulsory age to be in school in the country in which business is being

conducted, if that age is higher than 15.

Prison/Forced Labor: We will not knowingly utilize or purchase materials and/or product manufactured by prison or forced labor – indentured, bonded or otherwise. We also do not condone the practice of involuntary employee “deposits,” withholding of identity papers or any other practice that would restrict free movement of employees.

Discrimination: We recognize and are aware that cultural differences will exist between various peoples. However, we believe that people should be employed based on their ability to perform a needed function; not on the basis of personal beliefs or characteristics.

Freedom of Association: We recognize and respect the right of employees to exercise their lawful rights of free association, including joining or not joining any association. We expect our business partners to also adhere to these principles.

Disciplinary Practices: We will not condone any type of harassment, abuse, corporal, mental or physical punishment by a business partner or an employee.

CTPAT Minimum Security Criteria – Foreign Manufacturers | March 2020

Page 1

Minimum Security Criteria – Foreign ManufacturersMarch 2020

Note: Criteria ID numbers may not be sequential. ID numbers not listed are not applicable to Foreign Manufacturers.

First Focus Area: Corporate Security

1. Security Vision & Responsibility – For a CTPAT Member’s supply chain security program to become and remain effective, it must havethe support of a company’s upper management. Instilling security as an integral part of a company’s culture and ensuring that it is acompanywide priority is in large part the responsibility of the company’s leadership.

ID Criteria Implementation Guidance Must / Should

1.1 In promoting a culture of security, CTPAT Members should demonstrate their commitment to supply chain security and the CTPAT Program through a statement of support. The statement should be signed by a senior company official and displayed in appropriate company locations.

Statement of support should highlight the importance of protecting the supply chain from criminal activities such as drug trafficking, terrorism, human smuggling, and illegal contraband. Senior company officials who should support and sign the statement may include the president, CEO, general manager, or security director. Areas to display the statement of support include the company's website, on posters in key areas of the company (reception; packaging; warehouse; etc.), and/or be part of company security seminars, etc.

Should

1.2 To build a robust Supply Chain Security Program, a company should incorporate representatives from all of the relevant departments into a cross-functional team.

These new security measures should be included in existing company procedures, which creates a more sustainable structure and emphasizes that supply chain security is everyone's responsibility.

Supply Chain Security has a much broader scope than traditional security programs. It is intertwined with Security, in many departments such as Human Resources, Information Technology, and Import/Export offices. Supply Chain Security programs built on a more traditional, security department-based model may be less viable over the long run because the responsibility to carry out the security measures are concentrated among fewer employees, and, as a result, may be susceptible to the loss of key personnel.

Should


Page 2


1.3 The supply chain security program must be designed with, supported by, and implemented by an appropriate written review component. The purpose of this review component is to document that a system is in place whereby personnel are held accountable for their responsibilities and all security procedures outlined by the security program are being carried out as designed. The review plan must be updated as needed based on pertinent changes in an organization’s operations and level of risk.

The goal of a review for CTPAT purposes is to ensure that its employees are following the company’s security procedures. The review process does not have to be complex. The Member decides the scope of reviews and how in-depth they will be - based on its role in the supply chain, business model, level of risk, and variations between specific locations/sites.

Smaller companies may create a very simple review methodology; whereas, a large multi-national conglomerate may need a more extensive process, and may need to consider various factors such as local legal requirements, etc. Some large companies may already have a staff of auditors that could be leveraged to help with security reviews.

A Member may choose to use smaller targeted reviews directed at specific procedures. Specialized areas that are key to supply chain security such as inspections and seal controls may undergo reviews specific to those areas. However, it is useful to conduct an overall general review periodically to ensure that all areas of the security program are working as designed. If a member is already conducting reviews as part of its annual review, that process could suffice to meet this criterion.

For members with high-risk supply chains (determined by their risk assessment), simulation or tabletop exercises may be included in the review program to ensure personnel will know how to react in the event of a real security incident.

Must

1.4 The company’s point(s) of contact (POC) to CTPAT must be knowledgeable about CTPAT program requirements. These individuals need to provide regular updates to upper management on issues related to the program, including the progress or outcomes of any audits, security related exercises, and CTPAT validations.

CTPAT expects the designated POC to be a proactive individual who engages and is responsive to his or her Supply Chain Security Specialist. Members may identify additional individuals who may help support this function by listing them as contacts in the CTPAT Portal.

Must


Page 3

2. Risk Assessment – The continuing threat of terrorist groups and criminal organizations targeting supply chains underscores the needfor Members to assess existing and potential exposure to these evolving threats. CTPAT recognizes that when a company has multiplesupply chains with numerous business partners, it faces greater complexity in securing those supply chains. When a company hasnumerous supply chains, it should focus on geographical areas/supply chains that have higher risk.

When determining risk within their supply chains, Members must consider various factors such as the business model, geographiclocation of suppliers, and other aspects that may be unique to a specific supply chain.

Key Definition: Risk – A measure of potential harm from an undesirable event that encompasses threat, vulnerability, andconsequence. What determines the level of risk is how likely it is that a threat will happen. A high probability of an occurrence willusually equate to a high level of risk. Risk may not be eliminated, but it can be mitigated by managing it – lowering the vulnerability orthe overall impact on the business.


2.1 CTPAT Members must conduct and document the amount of risk in their supply chains. CTPAT Members must conduct an overall risk assessment (RA) to identify where security vulnerabilities may exist. The RA must identify threats, assess risks, and incorporate sustainable measures to mitigate vulnerabilities. The member must take into account CTPAT requirements specific to the member’s role in the supply chain.

The overall risk assessment (RA) is made up of two key parts. The first part is a self-assessment of the Member’s supply chain security practices, procedures, and policies within the facilities that it controls to verify its adherence to CTPAT’s minimum-security criteria, and an overall management review of how it is managing risk.

The second part of the RA is the international risk assessment. This portion of the RA includes the identification of geographical threat(s) based on the Member's business model and role in the supply chain. When looking at the possible impact of each threat on the security of the member’s supply chain, the member needs a method to assess or differentiate between levels of risk. A simple method is assigning the level of risk between low, medium, and high.

CTPAT developed the Five Step Risk Assessment guide as an aid to conducting the international risk assessment portion of a member’s overall risk assessment, and it can be found on U.S. Customs and Border Protection’s website at https://www.cbp.gov/sites/default/files/documents/C-TPAT%27s%20Five%20Step%20Risk%20Assessment%20Process.pdf.

For Members with extensive supply chains, the primary focus is expected to be on areas of higher risk.

Must

https://www.cbp.gov/sites/default/files/documents/C-TPAT%27s%20Five%20Step%20Risk%20Assessment%20Process.pdf

https://www.cbp.gov/sites/default/files/documents/C-TPAT%27s%20Five%20Step%20Risk%20Assessment%20Process.pdf


Page 4


2.2 The international portion of the risk assessment should document or map the movement of the Member’s cargo throughout its supply chain from the point of origin to the importer’s distribution center. The mapping should include all business partners involved both directly and indirectly in the exportation/movement of the goods.

As applicable, mapping should include documenting how cargo moves in and out of transport facilities/cargo hubs and noting if the cargo is “at rest” at one of these locations for an extended period of time. Cargo is more vulnerable when “at rest,” waiting to move to the next leg of its journey.

When developing a process to map supply chains, high risk areas are the first to be considered.

When documenting the movement of all cargo, the Member is to consider all applicable involved parties - including those who will only be handling the import/export documents such as customs brokers and others that may not directly handle the cargo, but may have operational control such as Non Vessel Operated Common Carriers (NVOCCs) or Third Party Logistics Providers (3PLs). If any portion of the transport is subcontracted, this may also be considered because the more layers of indirect parties, the greater risk involved.

The mapping exercise involves looking more in-depth at how your supply chain works. Besides identifying risks, it may also serve to find areas where a supply chain is inefficient, which may result in finding ways to decrease costs or lead times for receiving products.

Should

2.3 Risk assessments must be reviewed annually, or more frequently as risk factors dictate.

Circumstances that may require a risk assessment to be reviewed more frequently than once a year include an increased threat level from a specific country, periods of heightened alert, following a security breach or incident, changes in business partners, and/or changes in corporate structure/ownership such as mergers and acquisitions etc.

Must

2.4 CTPAT Members should have written procedures in place that address crisis management, business continuity, security recovery plans, and business resumption.

A crisis may include the disruption of the movement of trade data due to a cyberattack, a fire, or a carrier driver being hijacked by armed individuals. Based on risk and where the Member operates or sources from, contingency plans may include additional security notifications or support; and how to recover what was destroyed or stolen and return to normal operating conditions.

Should


Page 5

3. Business Partners – CTPAT Members engage with a variety of business partners, both domestically and internationally. For thosebusiness partners who directly handle cargo and/or import/export documentation, it is crucial for the Member to ensure that thesebusiness partners have appropriate security measures in place to secure the goods throughout the international supply chain. Whenbusiness partners subcontract certain functions, an additional layer of complexity is added to the equation, which must beconsidered when conducting a risk analysis of a supply chain.

Key Definition: Business Partner – A business partner is any individual or company whose actions may affect the chain of custodysecurity of goods being imported to or exported from the United States via a CTPAT Member’s supply chain. A business partner maybe any party that provides a service to fulfill a need within a company’s international supply chain. These roles include all parties(both directly and indirectly) involved in the purchase, document preparation, facilitation, handling, storage, and/or movement ofcargo for, or on behalf, of a CTPAT Importer or Exporter Member. Two examples of indirect partners are subcontracted carriers andoverseas consolidation warehouses – arranged for by an agent/logistics provider.


3.1 CTPAT Members must have a written, risk based process for screening new business partners and for monitoring current partners. A factor that Members should include in this process is checks on activity related to money laundering and terrorist funding. To assist with this process, please consult CTPAT’s Warning Indicators for Trade-Based Money Laundering and Terrorism Financing Activities.

The following are examples of some of the vetting elements that can help determine if a company is legitimate: • Verifying the company’s business address and how long they have beenat that address;• Conducting research on the internet on both the company and itsprincipals;• Checking business references; and• Requesting a credit report.

Examples of business partners that need to be screened are direct business partners such as manufacturers, product suppliers, pertinent vendors/service providers, and transportation/logistics providers. Any vendors/service providers that are directly related to the company’s supply chain and/or handle sensitive information/equipment are also included on the list to be screened; this includes brokers or contracted IT providers. How in-depth to make the screening depends on the level of risk in the supply chain.

Must


Page 6


3.4 The business partner screening process must take into account whether a partner is a CTPAT Member or a member in an approved Authorized Economic Operator (AEO) program with a Mutual Recognition Arrangement (MRA) with the United States (or an approved MRA). Certification in either CTPAT or an approved AEO is acceptable proof for meeting program requirements for business partners, and Members must obtain evidence of the certification and continue to monitor these business partners to ensure they maintain their certification.

Business partners’ CTPAT certification may be ascertained via the CTPAT Portal’s Status Verification Interface system.

If the business partner certification is from a foreign AEO program under an MRA with the United States, the foreign AEO certification will include the security component. Members may visit the foreign Customs administration’s website where the names of the AEOs of that Customs administration are listed, or request the certification directly from their business partners.

Current United States MRAs include: New Zealand, Canada, Jordan, Japan, South Korea, the European Union (28 member states), Taiwan, Israel, Mexico, Singapore, the Dominican Republic, and Peru.

Must

3.5 When a CTPAT Member outsources or contracts elements of its supply chain, the Member must exercise due diligence (via visits, questionnaires, etc.) to ensure these business partners have security measures in place that meet or exceed CTPAT’s Minimum Security Criteria (MSC).

Importers and exporters tend to outsource a large portion of their supply chain activities. Importers (and some exporters) are the parties in these transactions that usually have leverage over their business partners and can require that security measures are implemented throughout their supply chains, as warranted. For those business partners that are not CTPAT or accepted MRA members, the CTPAT Member will exercise due diligence to ensure (when it has the leverage to do so) that these business partners meet the program’s applicable security criteria.

To verify adherence to security requirements, importers conduct security assessments of their business partners. The process to determine how much information is to be gathered regarding a business partner’s security program is based on the Member’s risk assessment, and if numerous supply chains, high-risk areas are the priority.

Determining if a business partner is compliant with the MSC can be accomplished in several ways. Based on risk, the company may conduct an onsite audit at the facility, hire a contractor/service provider to conduct an onsite audit, or use a security questionnaire. If security questionnaires are used, the level of risk will determine the amount of

Must


Page 7


detail or evidence required to be collected. More details may be required from companies located in high-risk areas. If a Member is sending a security questionnaire to its business partners, consider requiring the following items:

•Name and title of the person(s) completing it;•Date completed;•Signature of the individual(s) who completed the document;•*Signature of a senior company official, security supervisor, orauthorized company representative to attest to the accuracy of thequestionnaire;•Provide enough detail in responses to determine compliance; and•Based on risk, and if allowed by local security protocols, includephotographic evidence, copies of policies/procedures, and copies ofcompleted forms like Instruments of International Traffic inspectionchecklists and/or guard logs.

*Signatures may be electronic. If a signature is difficult to obtain/verify,the respondent may attest to the questionnaire’s validity via email, andthat the responses and any supporting evidence was approved by asupervisor/manager (name and title are required).


Page 8


3.6 If weaknesses are identified during business partners’ security assessments, they must be addressed as soon as possible, and corrections must be implemented in a timely manner. Members must confirm that deficiencies have been mitigated via documentary evidence.

CTPAT recognizes that there will be different timelines for making corrections based on what is needed for the correction. Installing physical equipment usually takes longer than a procedural change, but the security gap must be addressed upon discovery. For example, If the issue is replacing a damaged fence, the process to purchase a new fence needs to start immediately (addressing the deficiency) and the installation of the new fence (the corrective action) needs to take place as soon as it is feasible.

Based on the level of risk involved and the importance of the weakness found, some issues may require immediate attention. If it is a deficiency that may jeopardize the security of a container, for instance, it should be addressed as soon as possible.

Some examples of documentary evidence may include copies of contracts for additional security guards, photographs taken of a newly installed security camera or intrusion alarm, or copies of inspection checklists, etc.

Must


Page 9


3.7 To ensure their business partners continue to comply with CTPAT’s security criteria, Members should update their security assessments of their business partners on a regular basis, or as circumstances/risks dictate.

Periodically reviewing business partners’ security assessments is important to ensure that a strong security program is still in place and operating properly. If a member never required updates to its assessment of a business partner’s security program, the Member would not know that a once viable program was no longer effective, thus putting the member’s supply chain at risk.

Deciding on how often to review a partner’s security assessment is based on the Member’s risk assessment process. Higher risk supply chains would be expected to have more frequent reviews than low risk ones. If a Member is evaluating its business partner’s security by in person visits, it may want to consider leveraging other types of required visits. For example, cross-train personnel that test for quality control to also conduct security verifications.

Circumstances that may require the self-assessment to be updated more frequently include an increased threat level from a source country, changes in source location, new critical business partners (those that actually handle the cargo, provide security to a facility, etc.).

Should

3.8 For inbound shipments to the United States, if a Member subcontracts transportation services to another highway carrier, the Member must use a CTPAT certified highway carrier or a highway carrier that works directly for the Member as delineated through a written contract. The contract must stipulate adherence to all minimum security criteria (MSC) requirements.

The carrier should provide a list of subcontracted carriers and drivers to the facilities where it picks up and delivers cargo. Any changes to the subcontractor list should be immediately conveyed to relevant partners.

When reviewing service providers for compliance, the Member should verify that the company subcontracted is actually the company transporting the loads—and has not further subcontracted loads without approval.

Members should limit subcontracting transportation services to one level only. If exceptions are allowed for further subcontracting, the CTPAT Member and the shipper should be notified that the load was further subcontracted.

Must


Page 10


3.9 CTPAT Members should have a documented social compliance program in place that, at a minimum, addresses how the company ensures goods imported into the United States were not mined, produced or manufactured, wholly or in part, with prohibited forms of labor, i.e., forced, imprisoned, indentured, or indentured child labor.

The private sector’s efforts to protect workers’ rights in their operations and supply chains can promote greater understanding of labor laws and standards and mitigate poor labor practices. These efforts also create an environment for better worker-employer relations and improve a company’s bottom line.

Section 307 of the Tariff Act of 1930 (19 U.S.C. § 1307) prohibits the importation of merchandise mined, produced or manufactured, wholly or in part, in any foreign country by forced or indentured child labor – including forced child labor.

Forced Labor is defined by the International Labor Organization’s Convention No. 29 as all work or service exacted from any person under the menace of any penalty and for which the said person has not offered himself voluntarily.

A social compliance program is a set of policies and practices through which a company seeks to ensure maximum adherence to the elements of its code of conduct that cover social and labor issues. Social compliance refers to how a business addresses its responsibilities in protecting the environment, as well as the health, safety, and rights of its employees, the communities in which they operate, and the lives and communities of workers along their supply chains.

Should


Page 11

4. Cybersecurity – In today’s digital world, cybersecurity is the key to safeguarding a company’s most precious assets – intellectualproperty, customer information, financial and trade data, and employee records, among others. With increased connectivity to theinternet comes the risk of a breach of a company’s information systems. This threat pertains to businesses of all types and sizes.Measures to secure a company’s information technology (IT) and data are of paramount importance, and the listed criteria provide afoundation for an overall cybersecurity program for Members.

Key Definitions: Cybersecurity – Cybersecurity is the activity or process that focuses on protecting computers, networks, programs,and data from unintended or unauthorized access, change or destruction. It is the process of identifying, analyzing, assessing, andcommunicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level, considering costsand benefits taken.

Information Technology (IT) – IT includes computers, storage, networking and other physical devices, infrastructure and processesto create, process, store, secure, and exchange all forms of electronic data.


4.1 CTPAT Members must have comprehensive written cybersecurity policies and/or procedures to protect information technology (IT) systems. The written IT policy, at a minimum, must cover all of the individual Cybersecurity criteria.

Members are encouraged to follow cybersecurity protocols that are based on recognized industry frameworks/standards. The *National Institute of Standards and Technology (NIST) is one such organization that provides a Cybersecurity Framework (https://www.nist.gov/cyberframework) that offers voluntary guidance based upon existing standards, guidelines, and practices to help manage and reduce cybersecurity risks both internally and externally. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. The Framework complements an organization’s risk management process and cybersecurity program. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference to establish one.

*NIST is a non-regulatory federal agency under the Department of Commercethat promotes and maintains measurement standards, and it is thetechnology standards developer for the federal government.

Must

https://www.nist.gov/cyberframework


Page 12


4.2 To defend Information Technology (IT) systems against common cybersecurity threats, a company must install sufficient software/hardware protection from malware (viruses, spyware, worms, Trojans, etc.) and internal/external intrusion (firewalls) in Members' computer systems. Members must ensure that their security software is current and receives regular security updates. Members must have policies and procedures to prevent attacks via social engineering. If a data breach occurs or another unseen event results in the loss of data and/or equipment, procedures must include the recovery (or replacement) of IT systems and/or data.

Must

4.3 CTPAT Members using network systems must regularly test the security of their IT infrastructure. If vulnerabilities are found, corrective actions must be implemented as soon as feasible.

A secure computer network is of paramount importance to a business, and ensuring that it is protected requires testing on a regular basis. This can be done by scheduling vulnerability scans. Just like a security guard checks for open doors and windows at a business, a vulnerability scan (VS) identifies openings on your computers (open ports and IP addresses), their operating systems, and software through which a hacker could gain access to the company’s IT system. The VS does this by comparing the results of its scan against a database of known vulnerabilities and produces a correction report for the business to act upon. There are many free and commercial versions of vulnerability scanners available.

The frequency of the testing will depend on various factors including the company’s business model and level of risk. For example, companies should run these tests whenever there are changes to a business’s network infrastructure. However, cyber-attacks are increasing among all sizes of businesses, and this needs to be considered when designing a testing plan.

Must


Page 13


4.4 Cybersecurity policies should address how a Member shares information on cybersecurity threats with the government and other business partners.

Members are encouraged to share information on cybersecurity threats with the government and business partners within their supply chain. Information sharing is a key part of the Department of Homeland Security's mission to create shared situational awareness of malicious cyber activity. CTPAT Members may want to join the National Cybersecurity and Communications Integration Center (NCCIC - https://www.us-cert.gov/nccic). The NCCIC shares information among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations. Cyber and industrial control systems users can subscribe to information products, feeds, and services at no cost.

Should

4.5 A system must be in place to identify unauthorized access of IT systems/data or abuse of policies and procedures including improper access of internal systems or external websites and tampering or altering of business data by employees or contractors. All violators must be subject to appropriate disciplinary actions.

Must

4.6 Cybersecurity policies and procedures must be reviewed annually, or more frequently, as risk or circumstances dictate. Following the review, policies and procedures must be updated if necessary.

An example of a circumstance that would dictate a policy update sooner than annually is a cyber attack. Using the lessons learned from the attack would help strengthen a Member's cybersecurity policy.

Must

4.7 User access must be restricted based on job description or assigned duties. Authorized access must be reviewed on a regular basis to ensure access to sensitive systems is based on job requirements. Computer and network access must be removed upon employee separation.

Must

https://www.us-cert.gov/nccic


Page 14


4.8 Individuals with access to Information Technology (IT) systems must use individually assigned accounts.

Access to IT systems must be protected from infiltration via the use of strong passwords, passphrases, or other forms of authentication, and user access to IT systems must be safeguarded.

Passwords and/or passphrases must be changed as soon as possible if there is evidence of compromise or reasonable suspicion of a compromise exists.

To guard IT systems against infiltration, user access must be safeguarded by going through an authentication process. Complex login passwords or passphrases, biometric technologies, and electronic ID cards are three different types of authentication processes. Processes that use more than one measure are preferred. These are referred to as two-factor authentication (2FA) or multi-factor authentication (MFA). MFA is the most secure because it requires a user to present two or more pieces of evidence (credentials) to authenticate the person’s identity during the log-on process.

MFAs can assist in closing network intrusions exploited by weak passwords or stolen credentials. MFAs can assist in closing these attack vectors by requiring individuals to augment passwords or passphrases (something you know) with something you have, like a token, or one of your physical features - a biometric.

If using passwords, they need to be complex. The National Institute of Standards and Technology's (NIST) NIST Special Publication 800-63B: Digital Identity Guidelines, includes password guidelines (https://pages.nist.gov/800-63-3/sp800-63b.html). It recommends the use of long, easy to remember passphrases instead of words with special characters. These longer passphrases (NIST recommends allowing up to 64 characters in length) are considered much harder to crack because they are made up of an easily memorized sentence or phrase.

Must

4.9 Members that allow their users to remotely connect to a network must employ secure technologies, such as virtual private networks (VPNs), to allow employees to access the company’s intranet securely when located outside of the office. Members must also have procedures designed to prevent remote access from unauthorized users.

VPNs are not the only choice to protect remote access to a network. Multi-factor authentication (MFA) is another method. An example of a multi-factor authentication would be a token with a dynamic security code that the employee must type in to access the network.

Must

https://pages.nist.gov/800-63-3/sp800-63b.html


Page 15


4.10 If Members allow employees to use personal devices to conduct company work, all such devices must adhere to the company’s cybersecurity policies and procedures to include regular security updates and a method to securely access the company’s network.

Personal devices include storage media like CDs, DVDs, and USB flash drives. Care must be taken if employees are allowed to connect their personal media to individual systems since these data storage devices may be infected with malware that could propagate using the company’s network.

Must

4.11 Cybersecurity policies and procedures should include measures to prevent the use of counterfeit or improperly licensed technological products.

Computer software is intellectual property (IP) owned by the entity that created it. Without the express permission of the manufacturer or publisher, it is illegal to install software, no matter how it is acquired. That permission almost always takes the form of a license from the publisher, which accompanies authorized copies of software. Unlicensed software is more likely to fail as a result of an inability to update. It is more prone to contain malware, rendering computers and their information useless. Expect no warranties or support for unlicensed software, leaving your company on its own to deal with failures. There are legal consequences for unlicensed software as well, including stiff civil penalties and criminal prosecution. Software pirates increase costs to users of legitimate, authorized software and decrease the capital available to invest in research and development of new software.

Members may want to have a policy that requires product key labels and certificates of authenticity to be kept when new media is purchased. CDs, DVDs, and USB media include holographic security features to help ensure you receive authentic products and to protect against counterfeiting.

Should


Page 16


4.12 Data should be backed up once a week or as appropriate. All sensitive and confidential data should be stored in an encrypted format.

Data backups should take place as data loss may affect individuals within an organization differently. Daily backups are also recommended in case production or shared servers are compromised/lose data. Individual systems may require less frequent backups, depending on what type of information is involved.

Media used to store backups should preferably be stored at a facility offsite. Devices used for backing up data should not be on the same network as the one used for production work. Backing up data to a cloud is acceptable as an “offsite” facility.

Should

4.13 All media, hardware, or other IT equipment that contains sensitive information regarding the import/export process must be accounted for through regular inventories. When disposed, they must be properly sanitized and/or destroyed in accordance with the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization or other appropriate industry guidelines.

Some types of computer media are hard drives, removable drives, CD-ROM or CD-R discs, DVDs, or USB drives.

The National Institute of Standards and Technology (NIST) has developed the government’s data media destruction standards. Members may want to consult NIST standards for sanitization and destruction of IT equipment and media.

Media Sanitization: https://www.nist.gov/publications/nist-special-publication-800-88-revision-1-guidelines-media-sanitization

Must

https://www.nist.gov/publications/nist-special-publication-800-88-revision-1-guidelines-media-sanitization

https://www.nist.gov/publications/nist-special-publication-800-88-revision-1-guidelines-media-sanitization


Page 17

Second Focus Area: Transportation Security

5. Conveyance and Instruments of International Traffic Security – Smuggling schemes often involve the modification of conveyancesand Instruments of International Traffic (IIT), or the hiding of contraband inside IIT. This criteria category covers security measuresdesigned to prevent, detect, and/or deter the altering of IIT structures or surreptitious entry into them, which could allow theintroduction of unauthorized material or persons.

At the point of stuffing/loading, procedures need to be in place to inspect IIT and properly seal them. Cargo in transit or “at rest” isunder less control, and is therefore more vulnerable to infiltration, which is why seal controls and methods to trackcargo/conveyances in transit are key security criteria.

Breaches in supply chains occur most often during the transportation process; therefore, Members must be vigilant that these keycargo criteria be upheld throughout their supply chains.

Key Definition: Instruments of International Traffic (IIT) – ITT includes containers, flatbeds, unit load devices (ULDs), lift vans, cargovans, shipping tanks, bins, skids, pallets, caul boards, cores for textile fabrics, or other specialized containers arriving (loaded orempty), in use or to be used in the shipment of merchandise in international trade.


5.1 Conveyances and Instruments of International Traffic (IIT) must be stored in a secure area to prevent unauthorized access, which could result in an alteration to the structure of an Instrument of International Traffic or (as applicable) allow the seal/doors to be compromised.

The secure storage of conveyances and Instruments of International Traffic (both empty and full) is important to guard against unauthorized access.

Must

5.2 The CTPAT inspection process must have written procedures for both security and agricultural inspections.

With the prevalence of smuggling schemes that involve the modification of conveyances or Instruments of International Traffic, it is imperative that Members conduct inspections of conveyances and Instruments of International Traffic to look for visible pests and serious structural deficiencies. Likewise, the prevention of pest contamination via conveyances and IIT is of paramount concern, so an agricultural component has been added to the security inspection process.

Must


Page 18


Pest contamination is defined as visible forms of animals, insects or other invertebrates (alive or dead, in any lifecycle stage, including egg casings or rafts), or any organic material of animal origin (including blood, bones, hair, flesh, secretions, excretions); viable or non-viable plants or plant products (including fruit, seeds, leaves, twigs, roots, bark); or other organic material, including fungi; or soil, or water; where such products are not the manifested cargo within instruments of international traffic (i.e. containers, unit load devices, etc.).

5.3 CTPAT Members must ensure that the following systematic CTPAT security and agricultural inspections are conducted. Requirements for these inspections will vary depending upon if the supply chain is land-based (Canada or Mexico) or if the supply chain originates overseas (ocean and air modes). Prior to stuffing/packing, all empty Instruments of International Traffic (IIT) must be inspected, and conveyances must also be inspected when they are crossing land borders into the United States.

Inspection requirements for CTPAT shipments via ocean, air, and land borders (as applicable) by rail or intermodal freight:

A seven-point inspection must be conducted on all empty containers and unit load devices (ULDs); and an eight-point inspection must be conducted on all empty refrigerated containers and ULDs:

1. Front wall;2. Left side;3. Right side;4. Floor;5. Ceiling/Roof;6. Inside/outside doors, including the reliability of the

locking mechanisms of the doors;7. Outside/Undercarriage; and8. Fan housing on refrigerated containers.

Security and agricultural inspections are conducted on instruments of international traffic (IIT) and conveyances to ensure their structures have not been modified to conceal contraband or have been contaminated with visible agricultural pests.

Expectations for overseas supply chains are to inspect all IIT at the point of stuffing/packing. However, if an ocean/air based supply chain is higher risk, it may warrant including more extensive inspection procedures to include conveyances and/or inspections at marine port terminals or air logistics facilities. Usually, there are higher levels of risk involved in shipments with land border crossings, which is why both the conveyance and IIT undergo multiple inspections.

Some examples of IIT for various modes are ocean containers, refrigerated containers/trailers, over-the-road trailers, flatbed trailers, tank containers, rail/boxcars, hoppers, and unit load devices (ULDs).

The Public Library Section of the CTPAT Portal contains training material on security and agricultural conveyance/Instruments of International Traffic inspections.

Must


Page 19


Additional inspection requirements for land border crossings via highway carriers:

Inspections of conveyances and IIT must be conducted at conveyance/IIT storage yards.

Where feasible, inspections must be conducted upon entering and departing the storage yards and at the point of loading/stuffing. These systematic inspections must include 17-point inspections:

Tractors:

1. Bumper/tires/rims;2. Doors, tool compartments and locking mechanisms;3. Battery box;4. Air breather;5. Fuel tanks;6. Interior cab compartments/sleeper; and7. Faring/roof.

Trailers:

1. Fifth wheel area - check natural compartment/skid plate;2. Exterior - front/sides;3. Rear - bumper/doors;4. Front wall;5. Left side;6. Right side;7. Floor;8. Ceiling/roof;9. Inside/outside doors and locking mechanisms; and10.Outside/Undercarriage.


Page 20


5.4 Conveyances and Instruments of International Traffic (as appropriate) must be equipped with external hardware that can reasonably withstand attempts to remove it. The door, handles, rods, hasps, rivets, brackets, and all other parts of a container’s locking mechanism must be fully inspected to detect tampering and any hardware inconsistencies prior to the attachment of any sealing device.

Consider using containers/trailers with tamper resistant hinges. Members may also place protective plates or pins on at least two of the hinges of the doors and/or place adhesive seal/tape over at least one hinge on each side.

Must

5.5 The inspection of all conveyances and empty Instruments of International Traffic should be recorded on a checklist. The following elements should be documented on the checklist:

• Container/Trailer/Instruments of International Traffic number;• Date of inspection;• Time of inspection;• Name of employee conducting the inspection; and• Specific areas of the Instruments of International Traffic that wereinspected.

If the inspections are supervised, the supervisor should also sign the checklist.

The completed container/Instruments of International Traffic inspection sheet should be part of the shipping documentation packet. The consignee should receive the complete shipping documentation packet prior to receiving the merchandise.

Should

5.6 All security inspections should be performed in an area of controlled access and, if available, monitored via a CCTV system.

Should


Page 21


5.7 If visible pest contamination is found during the conveyance/Instruments of International Traffic inspection, washing/vacuuming must be carried out to remove such contamination. Documentation must be retained for one year to demonstrate compliance with these inspection requirements.

Keeping records on the types of contaminants found, where they were found (conveyance location), and how the pest contamination was eliminated, are helpful actions that may assist Members in preventing future pest contamination.

Must

5.8 Based on risk, management personnel should conduct random searches of conveyances after the transportation staff have conducted conveyance/Instruments of International Traffic inspections.

The searches of the conveyance should be done periodically, with a higher frequency based on risk. The searches should be conducted at random without warning, so they will not become predictable. The inspections should be conducted at various locations where the conveyance is susceptible: the carrier yard, after the truck has been loaded, and en route to the United States border.

Supervisory searches of conveyances are conducted to counter internal conspiracies.

As a best practice, supervisors can hide an item (like a toy or colored box) in the conveyance to determine if the field test screener/conveyance operator finds it.

Supervisory personnel could be a security manager, held accountable to senior management for security, or other designated management personnel.

Should

5.14 CTPAT Members should work with their transportation providers to track conveyances from origin to final destination point. Specific requirements for tracking, reporting, and sharing of data should be incorporated within terms of service agreements with service providers.

Should

5.15 Shippers should have access to their carrier's GPS fleet monitoring system, so they may track the movement of their shipments.

Should

5.16 For land border shipments that are in proximity to the United States border, a “no-stop” policy should be implemented with regard to unscheduled stops.

Cargo at rest is cargo at risk. Scheduled stops would not be covered by this policy, but would have to be considered in an overall tracking and monitoring procedure.

Should


Page 22


5.24 In areas of high risk, and immediately prior to arrival at the border crossing, CTPAT Members should incorporate a "last chance" verification process for U.S. bound shipments for checking conveyances/Instruments of International Traffic for signs of tampering to include visual inspections of conveyances and the VVTT seal verification process. Properly trained individuals should conduct the inspections.

V – View seal and container locking mechanisms; ensure they are OK; V – Verify seal number against shipment documents for accuracy; T – Tug on seal to make sure it is affixed properly; T – Twist and turn the bolt seal to make sure its components do not unscrew, separate from one another, or any part of the seal becomes loose.

Should

5.29 If a credible (or detected) threat to the security of a shipment or conveyance is discovered, the Member must alert (as soon as feasibly possible) any business partners in the supply chain that may be affected and any law enforcement agencies, as appropriate.

Must


Page 23

6. Seal Security – The sealing of trailers and containers, to include continuous seal integrity, continues to be a crucial element of a securesupply chain. Seal security includes having a comprehensive written seal policy that addresses all aspects of seal security; using thecorrect seals per CTPAT requirements; properly placing a seal on an IIT, and verifying that the seal has been affixed properly.


6.1 CTPAT Members must have detailed, written high-security seal procedures that describe how seals are issued and controlled at the facility and during transit. Procedures must provide the steps to take if a seal is altered, tampered with, or has the incorrect seal number, including documentation of the event, communication protocols to partners, and investigation of the incident. The findings from the investigation must be documented, and any corrective actions must be implemented as quickly as possible.

These written procedures must be maintained at the local operating level so that they are easily accessible. Procedures must be reviewed at least once a year and updated as necessary.

Written seal controls must include the following elements:

Controlling Access to Seals: • Management of seals is restricted to authorized personnel.• Secure storage.

Inventory, Distribution, & Tracking (Seal Log): • Recording the receipt of new seals.• Issuance of seals recorded in log.• Track seals via the log.• Only trained, authorized personnel may affix seals to Instruments ofInternational Traffic (IIT).

Controlling Seals in Transit: • When picking up sealed IIT (or after stopping) verify the seal is intact withno signs of tampering.• Confirm the seal number matches what is noted on the shippingdocuments.

Must


Page 24


Seals Broken in Transit: • If a load is examined, record the replacement seal number.• The driver must immediately notify dispatch when a seal is broken,indicate who broke the seal, and provide the new seal number.• The carrier must immediately notify the shipper, broker, and importer ofthe seal change and the replacement seal number.• The shipper must note the replacement seal number in the seal log.

Seal Discrepancies: • Retain altered or tampered seals to aid in investigations.• Investigate the discrepancy; follow-up with corrective measures (ifwarranted).• As applicable, report compromised seals to CBP and the appropriateforeign government to aid in the investigation.

6.2 All CTPAT shipments that can be sealed must be secured immediately after loading/stuffing/packing by the responsible party (i.e. the shipper or packer acting on the shipper’s behalf) with a high-security seal that meets or exceeds the most current International Organization for Standardization (ISO) 17712 standard for high-security seals. Qualifying cable and bolt seals are both acceptable. All seals used must be securely and properly affixed to Instruments of International Traffic that are transporting CTPAT Members’ cargo to/from the United States.

The high-security seal used must be placed on the secure cam position, if available, instead of the right door handle. The seal must be placed at the bottom of the center most vertical bar of the right container door. Alternatively, the seal could be placed on the center most left-hand locking handle on the right container door if the secure cam position is not available. If a bolt seal is being used, it is recommended that the bolt seal be placed with the barrel portion or insert facing upward with the barrel portion above the hasp.

Must

6.5 CTPAT Members (that maintain seal inventories) must be able to document that the high-security seals they use meet or exceed the most current ISO 17712 standard.

Acceptable evidence of compliance is a copy of a laboratory testing certificate that demonstrates compliance with the ISO high-security seal standard. CTPAT Members are expected to be aware of the tamper indicative features of the seals they purchase.

Must


Page 25


6.6 If a Member maintains an inventory of seals, company management or a security supervisor must conduct a seal audit that includes periodic inventory of stored seals and reconciliation against seal inventory logs and shipping documents. All audits must be documented.

As part of the overall seal audit process, dock supervisors and/or warehouse managers must periodically verify seal numbers used on conveyances and Instruments of International Traffic.

Must

6.7 CTPAT’s seal verification process must be followed to ensure all high-security seals (bolt/cable) have been affixed properly to Instruments of International Traffic, and are operating as designed. The procedure is known as the VVTT process:

V – View seal and container locking mechanisms; ensure they are OK; V – Verify seal number against shipment documents for accuracy; T – Tug on seal to make sure it is affixed properly; T – Twist and turn the bolt seal to make sure its components do not unscrew, separate from one another, or any part of the seal becomes loose.

When applying cable seals, they need to envelop the rectangular hardware base of the vertical bars in order to eliminate any upward or downward movement of the seal. Once the seal is applied, make sure that all slack has been removed from both sides of the cable. The VVTT process for cable seals needs to ensure the cables are taut. Once it has been properly applied, tug and pull the cable in order to determine if there is any cable slippage within the locking body.

Must


Page 26

7. Procedural Security – Procedural Security encompasses many aspects of the import-export process, documentation, and cargostorage and handling requirements. Other vital procedural criteria pertain to reporting incidents and notification to pertinent lawenforcement. Additionally, CTPAT often requires that procedures be written because it helps maintain a uniform process over time.Nevertheless, the amount of detail needed for these written procedures will depend upon various elements such as a company’sbusiness model or what is covered by the procedure.

CTPAT recognizes that technology used in supply chains continues to evolve. The terminology used throughout the criteriareferences written procedures, documents, and forms, but this does not mean these have to be paper based. Electronic documents,signatures, and other digital technologies are acceptable to meet these measures.

The Program is not designed to be a “one size fits all” model; each company must decide (based on its risk assessment) how toimplement and maintain procedures. However, it is more effective to incorporate security processes within existing proceduresrather than create a separate manual for security protocols. This creates a more sustainable structure and helps emphasize thatsupply chain security is everyone’s responsibility.


7.1 When cargo is staged overnight, or for an extended period of time, measures must be taken to secure the cargo from unauthorized access.

Must

7.2 Cargo staging areas, and the immediate surrounding areas, must be inspected on a regular basis to ensure these areas remain free of visible pest contamination.

Preventative measures such as the use of baits, traps, or other barriers can be used as necessary. Removal of weeds or reduction of overgrown vegetation may help in the elimination of pest habitat within staging areas.

Must

7.4 The loading/stuffing of cargo into containers/IIT should be supervised by a security officer/manager or other designated personnel.

Should


Page 27


7.5 As documented evidence of the properly installed seal, digital photographs should be taken at the point of stuffing. To the extent feasible, these images should be electronically forwarded to the destination for verification purposes.

Photographic evidence may include pictures taken at the point of stuffing to document evidence of the cargo markings, the loading process, the location where the seal was placed, and properly installed seal.

Should

7.6 Procedures must be in place to ensure that all information used in the clearing of merchandise/cargo is legible; complete; accurate; protected against the exchange, loss, or introduction of erroneous information; and reported on time.

Must

7.7 If paper documents are used, forms and other import/export related documentation should be secured to prevent unauthorized use.

Measures, such as using a locked filing cabinet, can be taken to secure the storage of unused forms, including manifests, to prevent unauthorized use of such documentation.

Should

7.8 The shipper or its agent must ensure that bill of ladings (BOLs) and/or manifests accurately reflect the information provided to the carrier, and carriers must exercise due diligence to ensure these documents are accurate. BOLs and manifests must be filed with U.S. Customs and Border Protection (CBP) in a timely manner. BOL information filed with CBP must show the first foreign location/facility where the carrier takes possession of the cargo destined for the United States. The weight and piece count must be accurate.

When picking up sealed Instruments of International Traffic, carriers may rely on the information provided in the shipper's shipping instructions.

Requiring the seal number to be electronically printed on the bill of lading (BOL) or other export documents helps guard against changing the seal and altering the pertinent document(s) to match the new seal number.

However, for certain supply chains, goods may be examined in transit, by a foreign Customs authority, or by CBP. Once the seal is broken by the government, there needs to be a process to record the new seal number applied to the IIT after examination. In some cases, this may be handwritten.

Must


Page 28


7.23 CTPAT Members must have written procedures for reporting an incident, which includes a description of the facility's internal escalation process.

A notification protocol must be in place to report any suspicious activities or security incidents (such as drug seizures, discovery of stowaways, etc.) that take place anywhere around the world and which affects the security of the member's supply chain. As applicable, the Member must report any global incidents to its Supply Chain Security Specialist, the closest port of entry, any pertinent law enforcement agencies, and business partners that may be part of the affected supply chain. Notifications to CBP must be made as soon as feasibly possible and in advance of any conveyance or IIT crossing the border.

Notification procedures must include the accurate contact information that lists the name(s) and phone number(s) of personnel requiring notification, as well as for law enforcement agencies. Procedures must be periodically reviewed to ensure contact information is accurate.

Examples of incidents warranting notification to U.S. Customs and Border Protection include (but are not limited to) the following: • Discovery of tampering with a container/IIT or high-security seal;• Discovery of a hidden compartment in a conveyance or IIT;• An unaccounted new seal has been applied to an IIT;• Smuggling of contraband, including people; stowaways;• Unauthorized entry into conveyances, locomotives, vessels, oraircraft carriers;• Extortion, payments for protection, threats, and/or intimidation;• Unauthorized use of a business entity identifier (i.e., Importer ofRecord (IOR) number, Standard Carrier Alpha (SCAC) code, etc.).

Must

7.24 Procedures must be in place to identify, challenge, and address unauthorized/unidentified persons. Personnel must know the protocol to challenge an unknown/unauthorized person, how to respond to the situation, and be familiar with the procedure for removing an unauthorized individual from the premises.

Must

7.25 CTPAT Members should set up a mechanism to report security related issues anonymously. When an allegation is received, it should be investigated, and if applicable, corrective actions should be taken.

Internal problems such as theft, fraud, and internal conspiracies may be reported more readily if the reporting party knows the concern may be reported anonymously.

Members can set up a hotline program or similar mechanism that allows people to remain anonymous if they fear reprisal for their actions. It is recommended that any report be kept as evidence to

Should


Page 29


document that each reported item was investigated and that corrective actions were taken.

7.27 All shortages, overages, and other significant discrepancies or anomalies must be investigated and resolved, as appropriate.

Must

7.28 Arriving cargo should be reconciled against information on the cargo manifest. Departing cargo should be verified against purchase or delivery orders.

Should

7.29 Seal numbers assigned to specific shipments should be transmitted to the consignee prior to departure.

Should

7.30 Seal numbers should be electronically printed on the bill of lading or other shipping documents.

Should

7.37 Following a significant security incident, Members must initiate a post-incident analysis immediately after becoming aware of the incident and in order to determine where the supply chain may have been compromised. This analysis must not impede/interfere with any known investigations conducted by a government law enforcement agency. The company’s post-incident analysis findings must be documented, completed as soon as feasibly possible, and, if allowed by law enforcement authorities, made available to the SCSS upon request.

Must A security incident is a breach in which security measures have been circumvented, eluded, or violated, and have resulted or will result in a criminal act. Security incidents include acts of terrorism, smuggling (narcotics, human, etc.), and the presence of stowaways.


Page 30

8. Agricultural Security – Agriculture is the largest industry and employment sector in the U.S. It is also an industry threatened bythe introduction of foreign animal and plant contaminants such as soil, manure, seeds, and plant and animal material which mayharbor invasive and destructive pests and diseases. Eliminating contaminants in all conveyances and in all types of cargo maydecrease CBP cargo holds, delays, and commodity returns or treatments. Ensuring compliance with CTPAT’s agriculturalrequirements will also help protect a key industry in the U.S. and the overall global food supply.

Key Definition: Pest contamination – The International Maritime Organization defines pest contamination as visible forms ofanimals, insects or other invertebrates (alive or dead, in any lifecycle stage, including egg casings or rafts), or any organic materialof animal origin (including blood, bones, hair, flesh, secretions, excretions); viable or non-viable plants or plant products(including fruit, seeds, leaves, twigs, roots, bark); or other organic material, including fungi; or soil, or water; where such productsare not the manifested cargo within instruments of international traffic (i.e. containers, unit load devices, etc.).


8.1 CTPAT Members must, in accordance with their business model, have written procedures designed to prevent visible pest contamination to include compliance with Wood Packaging Materials (WPM) regulations. Visible pest prevention measures must be adhered to throughout the supply chain. Measures regarding WPM must meet the International Plant Protection Convention’s (IPPC) International Standards for Phytosanitary Measures No. 15 (ISPM 15).

WPM is defined as wood or wood products (excluding paper products) used in supporting, protecting, or carrying a commodity. WPM includes items such as pallets, crates, boxes, reels, and dunnage. Frequently, these items are made of raw wood that may not have undergone sufficient processing or treatment to remove or kill pests, and therefore remain a pathway for the introduction and spread of pests. Dunnage in particular has been shown to present a high risk of introduction and spread of pests.

The IPPC is a multilateral treaty overseen by the United Nation’s Food and Agriculture Organization that aims to secure coordinated, effective action to prevent and to control the introduction and spread of pests and contaminants.

ISPM 15 includes internationally accepted measures that may be applied to WPM to reduce significantly the risk of introduction and spread of most pests that may be associated with WPM. ISPM 15 affects all wood packaging material requiring that they be debarked and then heat treated or fumigated with methyl bromide and stamped or branded with the IPPC mark of compliance. This mark of compliance is colloquially known as the "wheat stamp". Products exempt from the ISPM 15 are made from alternative materials, like paper, metal, plastic or wood panel products (i.e. oriented strand board, hardboard, and plywood).

Must


Page 31

Third Focus Area: People and Physical Security

9. Physical Security – Cargo handling and storage facilities, Instruments of International Traffic storage areas, and facilities whereimport/export documentation is prepared in domestic and foreign locations must have physical barriers and deterrents that guardagainst unauthorized access.

One of the cornerstones of CTPAT is flexibility, and security programs should be customized to fit each company’s circumstances. The need for physical security can vary greatly based on the Member’s role in the supply chain, its business model, and level of risk. The physical security criteria provides a number of deterrents/obstacles that will help prevent unwarranted access to cargo, sensitive equipment, and/or information, and Members should employ these security measures throughout their supply chains.


9.1 All cargo handling and storage facilities, including trailer yards and offices must have physical barriers and/or deterrents that prevent unauthorized access.

Must

9.2 Perimeter fencing should enclose the areas around cargo handling and storage facilities. If a facility handles cargo, interior fencing should be used to secure cargo and cargo handling areas. Based on risk, additional interior fencing should segregate various types of cargo such as domestic, international, high value, and/or hazardous materials. Fencing should be regularly inspected for integrity and damage by designated personnel. If damage is found in the fencing, repairs should be made as soon as possible.

Other acceptable barriers may be used instead of fencing, such as a dividing wall or natural features that are impenetrable or, otherwise impede, access such as a steep cliff or dense thickets.

Should

9.4 Gates where vehicles and/or personnel enter or exit (as well as other points of egress) must be manned or monitored. Individuals and vehicles may be subject to search in accordance with local and labor laws.

It is recommended that the number of gates be kept to the minimum necessary for proper access and safety. Other points of egress would be entrances to facilities that are not gated.

Must

9.5 Private passenger vehicles should be prohibited from parking in or adjacent to cargo handling and storage areas, and conveyances.

Locate parking areas outside of fenced and/or operational areas - or at least at substantial distances from cargo handling and storage areas.

Should


Page 32


9.6 Adequate lighting must be provided inside and outside the facility including, as appropriate, the following areas: entrances and exits, cargo handling and storage areas, fence lines, and parking areas.

Automatic timers or light sensors that automatically turn on appropriate security lights are useful additions to lighting apparatus.

Must

9.7 Security technology should be utilized to monitor premises and prevent unauthorized access to sensitive areas.

Electronic security technology used to secure/monitor sensitive areas and access points includes: burglary alarm systems (perimeter and interior) –these are also known as Intrusion Detection Systems (IDS); access control devices; and video surveillance systems (VSS) -including Closed Circuit Television Cameras (CCTVs). A CCTV/VSS system could include components such as Analog Cameras (coax-based), Internet Protocol-based (IP) cameras (network-based), recording devices, and video management software.

Secure/sensitive areas, which would benefit from video surveillance, may include: cargo handling and storage areas, shipping/receiving areas where import documents are kept, IT servers, yard and storage areas for Instruments of International Traffic (IIT), areas where IIT are inspected, and seal storage areas.

Should

9.8 Members who rely on security technology for physical security must have written policies and procedures governing the use, maintenance, and protection of this technology.

At a minimum, these policies and procedures must stipulate:

• That access to the locations where the technology is controlledor managed is limited to authorized personnel;

• The procedures that have been implemented to test/inspectthe technology on a regular basis;

• That the inspections include verifications that all of the

Security technology needs to be tested on a regular basis to ensure it is working properly. There are general guidelines to follow:

• Test security systems after any service work and during and aftermajor repairs, modifications, or additions to a building or facility. Asystem’s component may have been compromised, eitherintentionally or unintentionally.

• Test security systems after any major changes to phone or internetservices. Anything that might affect the system’s ability tocommunicate with the monitoring center should be double-checked.• Make sure video settings such as motion activated recording;motion detection alerts; images per second (IPS), and quality level,have been set up properly.

• Make sure camera lenses (or domes that protect the cameras) are

Must


Page 33


equipment is working properly, and if applicable, that the equipment is positioned correctly;

• That the results of the inspections and performance testing isdocumented;

• That if corrective actions are necessary, they are to beimplemented as soon as possible and the corrective actions aredocumented;

• That the documented results of these inspections bemaintained for a sufficient time for audit purposes.

If a third party central monitoring station (off-site) is used, the CTPAT Member must have written procedures stipulating critical systems functionality and authentication protocols such as (but not limited to) security code changes, adding or subtracting authorized personnel, password revisions, and systems access or denials.

Security technology policies and procedures must be reviewed and updated annually, or more frequently, as risk or circumstances dictate.

clean and lenses are focused. Visibility should not be limited by obstacles or bright lights.

• Test to make sure security cameras are positioned correctly andremain in the proper position (cameras may have been deliberatelyor accidentally moved).

9.9 CTPAT Members should use licensed/certified resources when considering the design and installation of security technology.

Today’s security technology is complex and evolves rapidly. Oftentimes companies purchase the wrong security technology that proves to be ineffective when needed and/or pay more than was necessary. Seeking qualified guidance will help a buyer select the right technology options for their needs and budget.

According to the National Electrical Contractors Association (NECA), in the U.S. 33 states currently have licensing requirements for professionals engaged in the installation of security and alarm systems.

Should


Page 34


9.10 All security technology infrastructure must be physically secured from unauthorized access.

Security technology infrastructure includes computers, security software, electronic control panels, video surveillance or closed circuit television cameras, power and hard drive components for cameras, as well as recordings.

Must

9.11 Security technology systems should be configured with an alternative power source that will allow the systems to continue to operate in the event of an unexpected loss of direct power.

A criminal trying to breach your security may attempt to disable the power to your security technology in order to circumnavigate it. Thus, it is important to have an alternative source of power for your security technology. An alternative power source may be an auxiliary power generation source or backup batteries. Backup power generators may also be used for other critical systems such as lighting.

Should

9.12 If camera systems are deployed, cameras should monitor a facility’s premises and sensitive areas to deter unauthorized access. Alarms should be used to alert a company to unauthorized access into sensitive areas.

Sensitive areas, as appropriate, may include cargo handling and storage areas, shipping/receiving areas where import documents are kept, IT servers, yards and storage areas for Instruments of International Traffic (IIT), areas where IIT are inspected, and seal storage areas.

Should

9.13 If camera systems are deployed, cameras must be positioned to cover key areas of facilities that pertain to the import/export process.

Cameras should be programmed to record at the highest picture quality setting reasonably available, and be set to record on a 24/7 basis.

Positioning cameras correctly is important to enable the cameras to record as much as possible of the physical “chain of custody” within the facility’s control.

Based on risk, key areas or processes may include cargo handling and storage; shipping/receiving; the cargo loading process; the sealing process; conveyance arrival/exit; IT servers; container inspections (security and agricultural); seal storage; and any other areas that pertain to securing international shipments.

Must

9.14 If camera systems are deployed, cameras should have an alarm/notification feature, which would signal a “failure to operate/record” condition.

A failure of video surveillance systems could be the result of someone disabling the system in order to breach a supply chain without leaving video evidence of the crime. The failure to operate feature can result in an electronic notification sent to predesignated person(s) notifying them that the device requires immediate attention.

Should


Page 35


9.15 If camera systems are deployed, periodic, random reviews of the camera footage must be conducted (by management, security, or other designated personnel) to verify that cargo security procedures are being properly followed in accordance with the law. Results of the reviews must be summarized in writing to include any corrective actions taken. The results must be maintained for a sufficient time for audit purposes.

If camera footage is only reviewed for cause (as part of an investigation following a security breach etc.), the full benefit of having cameras is not being realized. Cameras are not only investigative tools. If used proactively, they may help prevent a security breach from occurring in the first place.

Focus the random review of the footage on the physical chain of custody to ensure the shipment remained secure and all security protocols were followed. Some examples of processes that may be reviewed are the following:

• Cargo handling activities;• Container inspections;• The loading process;• Sealing process;• Conveyance arrival/exit; and• Cargo departure, etc.

Purpose of the review: The review is intended to evaluate overall adherence and effectiveness of established security processes, identify gaps or perceived weaknesses, and prescribe corrective actions in support of improvement to security processes. Based on risk (previous incidents or an anonymous report on an employee failing to follow security protocols at the loading dock, etc.), the Member may target a review periodically.

Items to include in the written summary: • The date of the review;• Date of the footage that was reviewed;• Which camera/area was the recording from;• Brief description of any findings; and• If warranted, corrective actions.

Must


Page 36


9.16 If cameras are being used, recordings of footage covering key import/export processes should be maintained on monitored shipments for a sufficient time to allow an investigation to be completed.

If a breach were to happen, an investigation would need to be conducted, and maintaining any camera footage that covered the packing (for export) and loading/sealing processes would be of paramount importance in discovering where the supply chain may have been compromised.

For monitoring, the CTPAT program recommends allotting at least 14 days after a shipment has arrived at its first point of distribution. This is where the container is first opened after clearing Customs.

Should

10. Physical Access Controls – Access controls prevent unauthorized access into facilities/areas, help maintain control of employees andvisitors, and protect company assets. Access controls include the positive identification of all employees, visitors, service providers,and vendors at all points of entry.


10.1 CTPAT Members must have written procedures governing how identification badges and access devices are granted, changed, and removed.

Where applicable, a personnel identification system must be in place for positive identification and access control purposes. Access to sensitive areas must be restricted based on job description or assigned duties. Removal of access devices must take place when the employees separate from the company.

Access devices include employee identification badges, visitor and vendor temporary badges, biometric identification systems, proximity key cards, codes, and keys. When employees are separated from a company, the use of exit checklists help ensure that all access devices have been returned and/or deactivated. For smaller companies, where personnel know each other, no identification system is required. Generally, for a company with more than 50 employees, an identification system is required.

Must


Page 37


10.2 Visitors, vendors, and service providers must present photo identification upon arrival, and a log must be maintained that records the details of the visit. All visitors should be escorted. In addition, all visitors and service providers should be issued temporary identification. If temporary identification is used, it must be visibly displayed at all times during the visit.

The registration log must include the following:

• Date of the visit;• Visitor's name;• Verification of photo identification (type verified such as licenseor national ID card). Frequent, well known visitors such as regularvendors may forego the photo identification, but must still belogged in and out of the facility;• Time of arrival;• Company point of contact; and• Time of departure.

Must

10.3 Drivers delivering or receiving cargo must be positively identified before cargo is received or released. Drivers must present government-issued photo identification to the facility employee granting access to verify their identity. If presenting a government-issued photo identification is not feasible, the facility employee may accept a recognizable form of photo identification issued by the highway carrier company that employs the driver picking up the load.

Must


Page 38


10.4 A cargo pickup log must be kept to register drivers and record the details of their conveyances when picking up cargo. When drivers arrive to pick up cargo at a facility, a facility employee must register them in the cargo pickup log. Upon departure, drivers must be logged out. The cargo log must be kept secured, and drivers must not be allowed access to it.

The cargo pickup log should have the following items recorded:

• Driver's name;• Date and time of arrival;• Employer;• Truck number;• Trailer number;• Time of departure;• The seal number affixed to the shipment at the time ofdeparture.

A visitor log may double as a cargo log as long as the extra information is recorded in it.

Must

10.7 Prior to arrival, the carrier should notify the facility of the estimated time of arrival for the scheduled pick up, the name of the driver, and truck number. Where operationally feasible, CTPAT Members should allow deliveries and pickups by appointment only.

This criterion will help shippers and carriers to avoid fictitious pickups. Fictitious pick-ups are criminal schemes that result in the theft of cargo by deception that includes truck drivers using fake IDs and/or fictitious businesses set up for the purpose of cargo theft.

When a carrier has regular drivers that pick up goods from a certain facility, a good practice is for the facility to maintain a list of the drivers with their pictures. Therefore, if it is not feasible to let the company know which driver is coming, the company will still be able to verify that the driver is approved to pick up cargo from the facility.

Should

10.8 Arriving packages and mail should be periodically screened for contraband before being admitted.

Examples of such contraband include, but are not limited to, explosives, illegal drugs, and currency.

Should


Page 39


10.10 If security guards are used, work instructions for security guards must be contained in written policies and procedures. Management must periodically verify compliance and appropriateness with these procedures through audits and policy reviews.

Though guards may be employed at any facility, they are often employed at manufacturing sites, seaports, distribution centers, storage yards for Instruments of International Traffic, consolidator, and forwarders operating sites.

Must

11. Personnel Security – A company’s human resource force is one of its most critical assets, but it may also be one of its weakestsecurity links. The criteria in this category focus on issues such as employee screening and pre-employment verifications.Many security breaches are caused by internal conspiracies, which is where one or more employees collude to circumvent securityprocedures aimed at allowing an infiltration of the supply chain. Therefore, Members must exercise due diligence to verify thatemployees filling sensitive positions are reliable and trustworthy. Sensitive positions include staff working directly with cargo or itsdocumentation, as well as personnel involved in controlling access to sensitive areas or equipment. Such positions include, but arenot limited to, shipping, receiving, mailroom personnel, drivers, dispatch, security guards, any individuals involved in loadassignments, tracking of conveyances, and/or seal controls.


11.1 Written processes must be in place to screen prospective employees and to periodically check current employees. Application information, such as employment history and references, must be verified prior to employment, to the extent possible and allowed under the law.

CTPAT is aware that labor and privacy laws in certain countries may not allow all of the application information to be verified. However, due diligence is expected to verify application information when permitted.

Must


Page 40


11.2 In accordance with applicable legal limitations, and the availability of criminal record databases, employee background screenings should be conducted. Based on the sensitivity of the position, employee vetting requirements should extend to temporary workforce and contractors. Once employed, periodic reinvestigations should be performed based on cause, and/or the sensitivity of the employee’s position.

Employee background screening should include verification of the employee’s identity and criminal history, encompassing city, state, provincial, and country databases. CTPAT Members and their business partners should factor in the results of background checks, as permitted by local statutes, in making hiring decisions. Background checks are not limited to verification of identity and criminal records. In areas of greater risk, it may warrant more in-depth investigations.

Should

11.5 CTPAT Members must have an Employee Code of Conduct that includes expectations and defines acceptable behaviors. Penalties and disciplinary procedures must be included in the Code of Conduct. Employees/contractors must acknowledge that they have read and understood the Code of Conduct by signing it, and this acknowledgement must be kept in the employee’s file for documentation.

A Code of Conduct helps protect your business and informs employees of expectations. Its purpose is to develop and maintain a standard of conduct that is acceptable to the company. It helps companies develop a professional image and establish a strong ethical culture. Even a small company needs to have a Code of Conduct; however, it does not need to be elaborate in design or contain complex information.

Must


Page 41

12. Education, Training and Awareness – CTPAT’s security criteria are designed to form the basis of a layered security system. If onelayer of security is overcome, another layer should prevent a security breach, or alert a company to a breach. Implementing andmaintaining a layered security program needs the active participation and support of several departments and various personnel.One of the key aspects to maintaining a security program is training. Educating employees on what the threats are and how theirrole is important in protecting the company’s supply chain is a significant aspect to the success and endurance of a supply chainsecurity program. Moreover, when employees understand why security procedures are in place, they are much more likely toadhere to them.


12.1 Members must establish and maintain a security training and awareness program to recognize and foster awareness of the security vulnerabilities to facilities, conveyances, and cargo at each point in the supply chain, which could be exploited by terrorists or contraband smugglers. The training program must be comprehensive and cover all of CTPAT’s security requirements. Personnel in sensitive positions must receive additional specialized training geared toward the responsibilities that the position holds.

One of the key aspects of a security program is training. Employees who understand why security measures are in place are more likely to adhere to them. Security training must be provided to employees, as required, based on their functions and position on a regular basis, and newly hired employees must receive this training as part of their orientation/job skills training.

Members must retain evidence of training such as training logs, sign in sheets (roster), or electronic training records. Training records should include the date of the training, names of attendees, and the topics of the training.

Training topics may include protecting access controls, recognizing internal conspiracies, and reporting procedures for suspicious activities and security incidents. When possible, specialized training should include a hands-on demonstration. If a hands-on demonstration is conducted, the instructor should allow time for the students to demonstrate the process.

For CTPAT purposes, sensitive positions include staff working directly with import/export cargo or its documentation, as well as personnel involved in controlling access to sensitive areas or equipment. Such positions include, but are not limited to, shipping, receiving, mailroom personnel, drivers, dispatch, security guards, any individuals involved in load assignments, tracking of conveyances, and/or seal controls.

Must


Page 42


12.2 Drivers and other personnel that conduct security and agricultural inspections of empty conveyances and Instruments of International Traffic (IIT) must be trained to inspect their conveyances/IIT for both security and agricultural purposes.

Refresher training must be conducted periodically, as needed after an incident or security breach, or when there are changes to company procedures.

Inspection training must include the following topics: • Signs of hidden compartments;• Concealed contraband in naturally occurring compartments; and• Signs of pest contamination.

Must

12.4 CTPAT Members should have measures in place to verify that the training provided met all training objectives.

Understanding the training and being able to use that training in one’s position (for sensitive employees) is of paramount importance. Exams or quizzes, a simulation exercise/drill, or regular audits of procedures etc. are some of the measures that the Member may implement to determine the effectiveness of the training.

Should

12.8 As applicable, based on their functions and/or positions, personnel must be trained on the company's cybersecurity policies and procedures. This must include the need for employees to protect passwords/passphrases and computer access.

Quality training is important to lessen vulnerability to cyberattacks. A robust cybersecurity training program is usually one that is delivered to applicable personnel in a formal setting rather than simply through emails or memos.

Must

12.9 Personnel operating and managing security technology systems must receive operations and maintenance training in their specific areas. Prior experience with similar systems is acceptable. Self-training via operational manuals and other methods is acceptable.

Must


Page 43


12.10 Personnel must be trained on how to report security incidents and suspicious activities.

Procedures to report security incidents or suspicious activity are extremely important aspects of a security program. Training on how to report an incident can be included in the overall security training. Specialized training modules (based on job duties) may have more detailed training on reporting procedures, including specifics on the process, such as, what to report, to whom, how to report the incident, and what to do after the report is completed.

Must

Publication Number: 1002-0420

8 Point Container Inspection Checklist

Date: _______________________ Time: ________________ Size: 20 Ft. 40 Ft.

Facility: _______________________ Temperature Controlled (50° F, +/- 5°F)

Consignor/Supplier: _____________ Standard Non-Temperature Controlled

Consignee: _____________________ Order / Reference#:___________________

Container#:____________________ Container Inspector: __________________

Seal# (must meet ISO 17712): ______ Seal applied by: _______________________

Instructions: Complete the checklist. Refer to the drawing instructions below.

Location of Container Secure

1. Outside / Undercarriage………….. Yes No *Containers that do not comply with

these security measures should not be

2. Inside / Outside Doors……………….. Yes No used at any time.

3. Right Side……………………………..……. Yes No

4. Left Side…………………………………..... Yes No

5. Front Wall………………..……………….… Yes No

6. Ceiling / Roof……………………………... Yes No

7. Floor (Inside)………………….…………… Yes No

8. Check for pests:……………………...… Yes No

Visually inspect the outside and inside for visible contaminants such as plants, seeds,

insects, egg masses, snails, animals, animal droppings, and soil.

If contaminants are found reject the container and notify management -do not

load cargo

Key points:

1. Check fan housing on refrigerated containers (if applicable): ……….………… Yes No

2. Please record any container notes or concerns: _________________________________

3. Inspection reviewed by: _________________

/ 3

4. Maintain a copy of the 8 point container inspection checklist with the plant’s daily

paperwork.

5. Submit the 8 point container inspection checklist with the shipping documents.

6. Maintain a copy of the 8 Point Container Inspection Checklist with plant’s daily shipping

paperwork.

Inspection Checklist Guidelines

1. Outside / Undercarriage (before entering facility)

a. Inspect prior to entering facility.

b. Support beams should be visible.

2. Inside / Outside Doors

a. Make sure secure and reliable locking mechanisms are attached to the container.

b. Be on the lookout for different color bonding material.

c. Be on the lookout for loose bolts.

d. Be on the lookout for plates and repairs. Solid plates should not cover standard

container cavities.

e. The door, handles, rods, hasps, rivets, brackets, and all other parts of a

container’s locking mechanism must be fully inspected to detect tampering and

any hardware inconsistencies prior to the attachment of any sealing device.

3. Right Side

a. Look for unusual repairs to structural beams.

b. Repairs to walls on the inside must be visible on the outside.

c. Use tool to tap side walls. Listen and feel for hollow sound.

4. Left Side

a. Look for unusual repairs to structural beams.

/ 3

b. Repairs to walls on the inside must be visible on the outside.

c. Use tool to tap side walls. Listen and feel for hollow sound.

5. Front Wall

a. Check to see if blocks and vents are visible.

b. Use tool to tap front wall. Listen and feel for hollow sound.

c. Use a ranger finder, measuring tape, or even string to determine if the length is

correct.

d. Make sure the length of the interior of the container is correct.

6. Ceiling / Roof

a. Check to make sure ceiling height from floor is accurate.

b. Check to make sure blocks and vents are visible.

b. Repairs to the ceiling on the inside of the container should be visible on the

outside.

c. Use tool to tap ceiling. Listen for hollow sound.

d. Determine if there is an uncomfortable feeling inside the container. If so, the

interior ceiling height may be incorrect.

7. Floor (inside)

a. Check to make sure the floor is the correct height from the ceiling.

b. Make sure the floor is flat. Do not need to step up to get inside.

c. Make sure the floor is a uniform height.

d. Be on the lookout for unusual repairs.

8. Agricultural:

a. Check for visible pest contamination on all shipment conveniences to include but

not limited to: pallets, crates, boxes, reels, and dunnage to ensure they have

undergone sufficient processing or treatment to remove or kill pests.

b. If pallets are present, are they stamped or branded with the IPPC mark of

compliance. (This mark of compliance is colloquially known as the “wheat stamp”.)

Other:

Security Vulnerability Areas where applicable:

a. Support arms of racks (prior to capping)

b. Interior of cardboard tubes (of the product)

c. Beds of the racks

d. Hollow metal bars at the bottom of rack

e. Bottom of rack

f. Between rolls after being put onto the rack (top/bottom, sides)

social responsibility factory guidevincesupplierportal.vince.com/_uploads/ship/shipdocs/vince...

Documents