TRANSPORTATION SECURITY ADMINISTRATION – Progress and Challenges Faced in Strengthening Three Key Security Programs, GAO, March 2012 (CORE1004)

Summary: The report discusses the status and future challenges of the Transportation Security Administration’s three key security programs: the Advanced Imaging Technology (AIT), the Screening of Passengers by Observation Techniques (SPOT) and the Transportation Worker Identification Credential (TWIC) program. The first two programs relate to passenger security, which is not in the scope of the CORE project. The third, the TWIC program – an initiative for vetting the backgrounds of maritime workers who require access to regulated maritime facilities and vessels – is the only program on supply chain security. The report recommends that the Department of Homeland Security (DHS) improve its internal procedures (e.g., enrolment practices, background checking and quality control) and define and measure performance criteria for assessing the TWIC program’s efficiency and effectiveness. This GAO report mainly discusses passenger security programs that are not of interest to CORE or to most of the project partners. However, learning about the TWIC program might be useful for at least those CORE demonstrations on maritime supply chain security. The document is available for download at: http://www.gao.gov/assets/590/589587.pdf (accessed 12.3.2016)


Full review: This GAO report is of only limited use in the CORE project because of its emphasis on passenger security programs (the Transportation Worker Identification Credential (TWIC) program is the only program discussed in the report that has something to do with supply chain security). The CORE’s maritime demonstrations may find it useful to learn about the US way of managing credentials and access to regulated maritime facilities and vessels. The CORE’s risk cluster might learn something about conducting risk-based background checks for logistics workers, and the CORE’s educational cluster might use the description of TWIC that this report provides to produce training material and guidebooks on how to implement and maintain access control schemes.


FP7-CORE Education – Two new diagrams

Today’s CBRA Blog presents two new diagrams which have recently been designed and developed in the context of FP7-CORE Education and training work (Work package 19.1). The information visualized in the diagrams is based on CBRA’s supply chain security research work since 2001, particularly from the past 5-6 years.

Some background information on the first diagram, on crime types in global supply chains, has been presented before, for example in CBRA’s Blog of 13 October 2014 – Crime taxonomies from Athens. In the center of this diagram we list the crime types – including document fraud and cybercrime – which in the supply chain criminal context are performed in order to succeed with the actual economic or ideological crime, e.g. cargo theft or terrorism.

The left area of the circle lists four examples of crime types which typically are of primary concern for supply chain companies: cargo theft, sabotage, parallel trade and product specification fraud. With such crime types it is commonly up to the companies to prevent, to detect and to react – of course, law enforcement agencies can be called in any time there is reasonable suspicion of such activities (and naturally in certain cases the government agencies may even be the first ones to detect and react, e.g. in case of armed robberies and truck hijackings).

The right area of the circle deals with supply chain incidents where the authorities typically focus on prevention, detection and reaction: fraud in indirect border taxes; trafficking / violations in cross-border restrictions and prohibitions; human trafficking; and exploitation of illicit labor. From a supply chain perspective one can characterize them as “a priori non-disruptive illegal activities – only if / after authorities detect the violations, the supply chain is disrupted and the involved supply chain companies can get in trouble”.

Lastly, in the bottom area of the circle, we list four supply chain crime areas where prevention typically is strongly in the interest of both supply chain companies and governmental agencies – and where detection and (instant) reaction vary on a case-by-case basis: counterfeiting, sales channel violations, sea piracy and terrorism. Counterfeiting hits revenues on both sides of the equation and, with many products, can also be health damaging or even lethal. Not having proper sales licenses, and/or selling to unauthorized buyers – for example cigarettes and alcohol, dual use and strategic goods etc. – can again harm both the involved companies and society as a whole. And of course, it is in the best interest of both companies and government agencies to prevent, to detect, and to react to sea pirates hijacking cargo ships, bombs exploding and bringing planes down, and terrorists attacking critical supply chain infrastructures – in the fastest and most effective possible manner.


The second new educational diagram below depicts the negative socio-economic impact areas – six in total – caused by twelve typical smuggling and trafficking activities. The data behind it has been presented before, e.g. in CBRA’s Blog of 14 January 2015 – Socio-economic damages. Inside the square we present the six societal impact areas – the larger the area, the more links there are between the trafficking activities and the negative impacts. As an example of a “big area”, seven different types of trafficking typically lead to increasing market place distortions and/or unfair competition. At the other extreme, only trafficking in stolen cultural products leads to losses in cultural heritage.


That’s all for the CBRA Blog today – please let us know if you see this type of visualization as beneficial when teaching and learning about the big picture of supply chain security!  Thanks, Juha Hintsa ( email: cbra@cross-border.org )

Revisiting the Yemen bomb plot of 2010

This CBRA blog revisits the Yemen bomb plot from 2010, the most decisive turning point in modern air cargo security. More than five years after the events, this blog discusses the plot’s implications for contemporary air cargo security and outlines CBRA’s recommendations for future security work. Parts of this blog text have already been published in the doctoral thesis of CBRA researcher Toni Männistö.

Two explosive devices aboard passenger planes: The series of events that we call the Yemen bomb plot took place on 29 October 2010. On that day, al-Qaeda terrorists almost destroyed two passenger airplanes with a pair of express courier parcels, each enclosing plastic explosives hidden inside a printer toner cartridge. The explosive parcels were sent to Chicago from the capital of Yemen, Sana’a, via two different express courier operators.

Both parcel bombs were eventually intercepted and defused, without fatalities or injuries. But before the interception, the bombs had already travelled onboard multiple air freighters and passenger planes. Many people flew that day with a fully functional explosive device under their seat! Though the parcels were addressed to Chicago, officials think that the terrorists wanted to detonate the bombs mid-air, just before landing, using cell phone timer alarms.

Lockerbie-style mayhem was narrowly avoided, largely thanks to a timely piece of intelligence. The bomb plot started to unravel when a suspected double agent tipped off Saudi Arabian intelligence that al-Qaeda terrorists had shipped two parcel bombs from Yemen to the US via the express courier service. The Saudi intelligence forwarded the tracking numbers of the suspected explosive devices to their US and German colleagues and told them to look for printer toner cartridges.

The first parcel was intercepted in Dubai, and the second one at the East Midlands airport, nearly 200 km to the northwest from London. In the UK, a bomb squad did not at first recognize anything suspicious when they screened the suspected parcel. “It looked like a printer cartridge – there were no wires or anything,” one of CBRA’s contacts at the World Customs Organization (WCO) recounts. “But of course, what the cartridge did contain was explosive that current technologies couldn’t detect.” Later laboratory tests revealed that each parcel contained 300 to 400 grams of PETN, a military grade plastic explosive, wirings, and a detonator hidden inside a printer’s toner cartridge. The bombs were so meticulously concealed that they had passed not only the standard air cargo and safety screening but also the special screening of the bomb squad.

Aftermath: The Yemen incident was a rude reminder of the vulnerability of air cargo logistics to terrorism. Sure, the day was saved by old-school field intelligence work and prompt government response. But before interception, the first parcel travelled aboard three different flights: Sana’a – Dubai, Dubai – Cologne, and Cologne – East Midlands Airport. The second explosive parcel flew first from Sana’a to Doha and then to Dubai, where it was intercepted.

In the immediate aftermath of the events, aviation security authorities in the US and many European countries stopped accepting freight shipments from Yemen. Germany also cancelled all passenger flights from Yemen for more than two weeks. “As often happens in these situations,” the WCO’s air cargo specialist remarks, “the first reaction was stopping anything coming from this part of the world – any plane for any reason.” The new security rules changed air cargo operations virtually overnight, seriously disrupting the air cargo and mail service. Delays were widespread and lengthy, but the worst aspect of the disruption was that no one knew when the new, apparently transient security regime would be revoked.

Eventually, once the precautionary stoppage had ended, new unprecedentedly stringent security requirements entered into force, disrupting the air cargo and mail service further. The US Transportation Security Administration, TSA, introduced the most stringent rules: any mail originating in or transiting through Somalia or Yemen was banned, as were printers and printer toner cartridges from high-risk locations. Moreover, parcels originating from any business partners had to be screened up to high-risk screening standards, piece by piece, if such a shipment was not accompanied by a tendering statement, a document assuring that cargo comes from a known and trusted shipper. The new regime seriously disrupted international air cargo logistics, causing air cargo shippers worldwide to accumulate huge backlogs of US-bound shipments. Annoyed and surprised by the turn of events, the air cargo industry reacted to the US rules with a barrage of criticism, calling the measures superfluous and impractical. Over the following weeks, the reactive security rules were gradually relaxed to enable clearing of the backlog of US-bound air cargo.

In the long term, the Yemen events put air cargo security into the spotlight, securing political commitment and spurring further reforms for years to come. The International Civil Aviation Organization, ICAO, for example, included advanced security concepts, such as the “secure supply chain” principle, the concept of high-risk cargo and mail, and the consignment security declaration, CSD, in the new edition of Annex 17 of the Chicago Convention. The European Union also expanded the EU air cargo regime to cover airlines operating into the EU aviation security area – EU-28 plus Switzerland, Norway and Iceland – from third country airports. The amendment also specified criteria for identifying and screening high-risk cargo and mail, known as HRCM.

CBRA considerations for future air cargo security: Modern air cargo security has taken major leaps since the Yemen incident, but the work towards higher air cargo security still continues. The CBRA research team considers that, as in any other area of supply chains, it is crucial both to facilitate cross-border logistics and to ensure adequate security. This classic dilemma of striking the balance between trade facilitation and supply chain security is not easy to solve, but we believe that there are some promising ways to promote logistics-friendly air cargo security.

Governments should normally consult the air cargo industry before introducing new security rules. New security rules should avoid reducing speed, on-time reliability, or cost-efficiency of the air cargo service. There are often ways to integrate new security requirements seamlessly into the sequence of day-to-day logistics activities, but this requires close government-business coordination.

One promising way forward is to improve capabilities of pre-loading risk assessment, so that the riskiest air cargo shipments can be identified early on and subjected to more stringent screening. Many projects on this matter are under way, most notably the Air Cargo Advance Screening (ACAS) in the US and Pre-loading Consignment Information for Secure Entry (PRECISE) in the European Union. The CBRA team applauds these efforts to advance risk assessment and stresses the importance of proactively updating risk-scoring algorithms.

The EU’s decision to require flights from third countries into the EU to comply with the EU’s air cargo security regime also makes good sense. It is reasonable to secure air cargo up to an adequate standard sooner rather than later, preferably before the first flight. More global capacity building – especially training and funds for modern screening equipment – is needed in developing countries. Also, auditing activities in third countries would benefit from further resources.

Harmonization and mutual recognition are another key theme for years to come. In the EU, civil aviation and customs authorities might find some synergies if they harmonized their respective Known Consignor (KC) and Authorized Economic Operator (AEO) programs. Air cargo companies would also benefit if the types and performance requirements of screening methods were uniform across the members of the European Union.

Bibliography:

BBC, Q&A: Air freight bomb plot, 2 November 2010

European Commission, Regulation 173/2012, amending 185/2010

International Civil Aviation Organization, Chicago convention, Annex 17, 9th edition

Koolloos M.F.J., Männistö T., van der Jagt O.C., Jezierska M.M., Hintsa J., Kähäri P. and Tsikolenko V. (2015), Security Screening for the Air Express Cargo Industry, Final Report, Brussels, Belgium.

Männistö, T., 2015. Mitigating Crime and Security Risks in the International Logistics Network: the Case of Swiss Post. Doctoral thesis, École Polytechnique Fédérale de Lausanne (EPFL).

CBRA Blog by Dr. Toni Männistö

COSO. Enterprise Risk Management — Integrated Framework – Executive Summary. Committee of Sponsoring Organizations of the Treadway Commission. September 2004. (CORE1106)

Summary: The Committee of Sponsoring Organizations of the Treadway Commission, COSO, defines Enterprise Risk Management, ERM, as a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. The entity objectives are set forth in the following four categories: (i) Strategic – high-level goals, aligned with and supporting its mission; (ii) Operations – effective and efficient use of its resources; (iii) Reporting – reliability of reporting; and (iv) Compliance – compliance with applicable laws and regulations. According to COSO, ERM enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. Within the context of the FP7-CORE project – and supply chain security management in general – ERM can be seen as a useful approach, particularly when it comes to aligning security risk appetite and strategy; to enhancing security risk response decisions; and to reducing security related operational surprises and losses. Some other ERM aspects, such as seizing opportunities (“positive risks”), may not apply in the supply chain security management context. One more interesting note, which could also be applied to supply chain security: everyone in an entity has some responsibility for ERM. This executive summary document is available for download at: http://www.coso.org/documents/coso_erm_executivesummary.pdf


Full review:
Background: The first version of the “Internal Control – Integrated Framework” was issued by the Committee of Sponsoring Organizations of the Treadway Commission, COSO, in early 1990s, to help businesses and other entities assess and enhance their internal control systems. The change of the millennium saw heightened concern and focus on risk management, and it became clear that a need exists for a robust framework to effectively identify, assess, and manage risk.  In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management.
According to COSO (p.1), Enterprise Risk Management, ERM, encompasses:
•    Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
•    Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
•    Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
•    Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
•    Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
•    Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.
COSO (pp.3-4) states that ERM consists of eight interrelated components, derived from the way management runs an enterprise and are integrated with the management process:
•    Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
•    Objective Setting – Objectives must exist before management can identify potential events affecting their achievement.  Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
•    Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
•    Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.  Risks are assessed on an inherent and a residual basis.
•    Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
•    Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
•    Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.  Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
•    Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary.  Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Lastly, as potential readers / users of this report, COSO suggests the following: Board of Directors; Senior Management; Managers and other personnel; Regulators; Professional Organizations; and Educators.
https://www.dropbox.com/s/aetbp8jr6dr4z31/CORE1106-coso_erm_executivesummary.pdf?dl=0



C-TPAT Program Benefits Reference Guide, 2014 (CORE1032)

Summary: This guidebook outlines the key elements and benefits of the Customs-Trade Partnership Against Terrorism (C-TPAT) program, which is designed to secure global supply chains and to improve United States border security. The document is available at: https://www.cbp.gov/sites/default/files/documents/C-TPAT%20Program%20Benefits%20Guide.pdf (link tested on 3 March 2016)


Full review: C-TPAT partners receive a wide range of benefits listed below:

  • C-TPAT Partners are examined at a considerably lower rate than non-C-TPAT Partners.
  • C-TPAT certified/validated highway carrier Partners are granted expedited border crossing privileges. C-TPAT Partners at many Canada/Mexico land border ports of entry have access to Free and Secure Trade (FAST) Lanes.
  • Some categories of C-TPAT importer Partners are exempt from stratified exams.
  • C-TPAT shipments subject to examination are moved ahead of any non-C-TPAT shipments, to the extent possible.
  • In the event of a significant disruption/delay in cargo processing operations, actions are taken to maintain communication and coordination with C-TPAT Partners for business resumption.
  • C-TPAT Partners’ trade compliance issues are given priority over those issues related to non-C-TPAT Partners.
  • Each C-TPAT Partner is assigned a Supply Chain Security Specialist (SCSS) who coordinates between the C-TPAT Partner and the US Customs and Border Protection agency (CBP). The Specialist also assists the Partner with supply chain security issues.
  • Partners have access to the C-TPAT’s automated Portal system, to communicate with CBP and exchange program related information in a secure manner.
  • C-TPAT Partners are eligible to attend C-TPAT events like the annual Conference and other training seminars organized by the program.
  • C-TPAT importer Partners are eligible to participate in the Importer Self-Assessment (ISA) Program.
  • The Penalty Mitigation benefit is granted to sea carriers for late submission of data required under the Importer Security Filing requirements.
  • C-TPAT members are eligible to participate in other U.S. Government pilot programs, such as the Food and Drug Administration’s Secure Supply Chain program.

In addition, some benefits are associated with Mutual Recognition Arrangements (MRAs), in which two customs authorities formally acknowledge the security requirements or standards of one program as being equivalent to those of the other program. Some of the resulting benefits to the trade community are illustrated below:

  • C-TPAT importer Partners that also conduct export operations and Partners of the foreign Customs Administration programs (manufacturers and exporters of record) are granted a reduction in their overall cargo risk score, implying fewer examinations at export and import ports.
  • A C-TPAT validation for an overseas partner is not required if an MRA is in place because CBP recognizes the status of the Partner in the foreign partnership program.
  • Companies covered by MRAs need only to comply with a common set of security requirements, avoiding the hassle of following multiple sets of requirements from one partnership program to another.
  • MRAs lead to more transparency in international commerce. Mutual exchange of information between these partners facilitates trade across Mutual Recognition Partner nations.


C-TPAT Best Practices Catalog Addendum, 2009 (CORE1031)

Summary: This addendum document lists cargo security best practices with a focus on preventing weapons of mass effect, terrorists, and/or contraband from infiltrating the international supply chain. Each best practice is linked to a specific business entity, such as a Manufacturing Company, a Highway Carrier, an Importer or a Foreign Consolidator, but these may apply to other business types as well. The document is available at: https://www.cbp.gov/sites/default/files/documents/ctpat_bpa_2009_0.pdf (link tested on 3 March 2016)


Full review: The best practices are outlined as follows:

Risk assessment: Programs are in place to enable the identification of the most vulnerable supply chain areas and to grade suppliers on supply chain security criteria. Specific processes have been developed to manage the supplier’s products, software and services, and internal monitoring systems to enhance the safety and security procedures.

Business partner requirements: Several security measures have been taken by entities. These include conducting supply chain security audits to ensure compliance of non-C-TPAT business partners; carrying out security audits of a foreign manufacturer; making security self-assessments; conducting onsite inspections to ensure freight security; shipping cargo only through accredited ports and steamship lines; monitoring compliance of manufacturing facilities; screening procurements to identify ineligible status of suppliers; and performing audits of business partners.

Conveyance/Container/Trailer Security: Examples of such security practices are: integrating special security features in the GPS (global positioning system); using laser beams to protect trailers; using colour codes for matching consignments; installing infrared sensors in docks to prevent unauthorized access; using special codes to identify correct shipments; documenting all seal changes for shipments in transit; ensuring delivery by authorized Company drivers; sealing containers; operating through C-TPAT carriers; using only “seaworthy” containers; installing in-transit temperature data sensors to ensure product quality; enclosing container storage area; conducting non-intrusive inspection prior to loading a vessel; establishing specific inspection points; using multiple security devices on each container; using automated container yards; instructing foreign suppliers to provide inspection checklists; using dock locking arms for container storage; installing motion sensors in a trailer; operating through contracted highway carriers and security services; documenting a seal destruction policy, and so forth.

Physical Access Controls: Some practices by Importers include establishing multiple security stations within the building; using metal detectors for employees; installing an electronic swipe card/lock box system to control access to sensitive documents; conducting electronic scanning of visitors’ driver’s licenses; utilizing a third-party software system to manage key inventory; and providing panic buttons for company employees.

Physical Security: Several innovative solutions have been designed to ensure physical security, such as electronically closing gates and activating tire puncturing devices to prevent vehicle exits; using an electronic security information reporting system; installing invisible electronic fences; installing laser sensors; setting up optical light beams to detect intruders; fitting double locks on doors; installing infrared sensors on fences; using body alarm functions for emergencies; appointing patrolling guards; using multiple glass meeting rooms; using multiple interior infrared security alarm beams to detect unauthorized access; and installing security guard view towers.

Personnel Security: An Importer requires business partners to provide a monthly master list of employees and immediately notify when their employees are hired or terminated, in order to ensure that only authorized business partner’s employees enter the manufacturing facilities.

Security Training/Threat Awareness/Outreach: Business entities have invested in a wide range of training programs. One such initiative is the four-tier C-TPAT training targeted at management and supervisors, shipping and receiving personnel, internal personnel dealing with contractors, and hourly staff. Other businesses use different approaches, such as establishing an online training portal; offering general security training and site-specific training for security guards; issuing security advisories; making regular security awareness assessments; establishing a situation matrix chart to address possible incidents; establishing a direct communication channel between the president of the company and employees; putting in place a toll-free hotline for company personnel; conducting security drills and exercises; establishing web-based security awareness training; documenting security incidents in a central database; and establishing a global communication system to contact all employees and contractors remotely.

Procedural Security: Instances of this type of security measure include a bio-thermal intrusion alarm system; a global SAP network to generate all written orders for import and export; automatic screening procedures of purchase orders for restricted parties; lock boxes for sensitive documentation; an automated loading module called the Automatic Truck Loading System (ATLS); a container seal number as the shipment tracking (invoice/bill of lading) number, and so forth.

Information Technology (IT) Security: Such security practices include a biometric fingerprint door lock; a remote data backup center; a retina scanning system for access to the computer system; requiring supervisory approval to copy data; use of electronic password protected purchase orders; establishing a daily “e-test” for employees to access computers, and so forth.

CORE1031

[/s2If]

CEN Supply Chain Security — Good Practice Guide for Small and Medium Sized Operators, 2012 (CORE1030)

Summary: This is a guidance document for small and medium sized enterprises (SMEs) on how to apply a supply chain security approach to their operations in order to mitigate the risk of criminal activities. It gives an overview of the main crime types occurring in the supply chain along with some countermeasures, as well as the supply chain security initiatives and their compliance requirements. The document is available for purchase e.g. at: http://shop.bsigroup.com/ProductDetail/?pid=000000000030258778 (link tested on 3 March 2016)

[s2If is_user_logged_in()]

Full review: The recommended supply chain strategy rests on a six-step approach. The first step is to define a context for the supply chain, crime prevention and security management activities, taking into consideration the security sensitivity, the geography and transport modes, and the main stakeholders involved in the supply chain operation. The second step is to make a threat and vulnerability analysis with regard to terrorist and other criminal threats in the supply chain. The main criteria included are the gaps existing in enhanced security, the high-risk crime types, and the potential consequences of crime occurrences. The third step covers the regulatory framework, the major aspects being the regulations and programs required for successful business operations, expectations of customers and suppliers, requirements laid down by insurance providers, and relevant government authorities. The fourth step refers to an overall security plan, taking into account the physical security, data security, human resources security (including selection, training, and exit procedures), business partner security (including selection and auditing), and process control and monitoring of deviations. The fifth step involves putting concrete security measures into practice: investment in technologies, procurement of services, in-house solutions and so forth. The final step is to monitor and measure the security performance and take appropriate corrective actions.

Five supply chain crime types are described in this guide: property theft (cargo theft, intellectual property breaches); targeted damage (terrorism, sabotage); cross-border duty and tax fraud; illegitimate transporting, exporting and/or importing (smuggling of prohibited and restricted goods, people smuggling); and crime facilitation (document forgery, bogus companies, cybercrime). For each crime type, the main focus should be on the issue (main features and typical sectors/products involved), scope of the problem and actions to mitigate risks.

This guidebook has chosen eight security initiatives for illustration purposes. It explains the context of each initiative, whom it is meant for, and some basic requirements and the implications. These are as follows:

  • Import Control System (ICS) in the EU (a systems tool meant for the lodging and processing of Entry Summary Declarations, and for the exchange of messages across national customs agencies, economic operators and the European Commission);
  • Export Control System (ECS) in the EU (introduces EU procedures to computerize and control indirect exports and to implement the EU safety and security regulations);
  • Maritime Security Legislation, International Ship and Port Facility Security (ISPS) Code in the EU (International regulations to ensure the security of maritime transportation are being issued by the International Maritime Organization, IMO, in the International Ship and Port Facility Security Code);
  • Aviation Security Legislation, Air Cargo Supply Chains in the EU (three categories of aviation security legislation exist in the EU: framework regulation, supplementing regulations, and implementing regulations, all targeted towards civil aviation security);
  • European Union Authorized Economic Operator, EU AEO (operators involved in international trade of goods certified as complying with WCO or equivalent supply chain security standards);
  • Regulated agent, Known consignor and Account consignor in the EU (Specific “trusted trader” status existing in the European air cargo supply chains);
  • ISO 28000 Series of Standards on Supply Chain Security Management Systems (address potential security issues at all stages of the supply process, e.g. terrorism, fraud and piracy);
  • Transported Asset Protection Association (TAPA) in Europe (fighting cargo crime using real-time intelligence and the latest preventative measures).

CORE1030

[/s2If]

SUPPLY CHAIN SECURITY – U.S. Customs and Border Protection Has Enhanced Its Partnership with Import Trade Sectors, but Challenges Remain in Verifying Security Practices, GAO, April 2008 (CORE1011)

Summary: The GAO report discusses the progress the Customs and Border Protection (CBP), a component agency of the US Department of Homeland Security (DHS), has made since 2015 with its flagship business-private supply chain security program Customs-Trade Partnership Against Terrorism (C-TPAT). The report focuses on three main areas of the C-TPAT’s management and governance: (1) awarding benefits to the C-TPAT compliant companies, (2) validating the member companies’ security compliance and (3) addressing CBP’s staffing challenges that the increasing popularity of the C-TPAT program brings. The report recommends that CBP improve its C-TPAT validation processes and instruments and establish performance criteria for assessing the program’s impact on supply chain security and trade facilitation. The C-TPAT program and this GAO report contain useful information for the CORE’s demonstrations that import goods into the US. The CORE’s risk cluster can also learn about the opportunities and challenges that a voluntary, risk-based supply chain security program entails. The report is available at http://www.gao.gov/assets/280/274773.pdf.

[s2If is_user_logged_in()]

Full review: This report contains information that is particularly useful for two CORE demonstrators that cover US imports. The first, the WP9 demonstration, is about shipping automobile parts from the EU to the US via the port of Bremerhaven. In this demo, General Motors (GM) is the importer. Because GM holds a C-TPAT certificate, most of the information this report offers about the status and challenges of the C-TPAT program must be of interest for the company and for its CORE demonstration. The same applies to the WP14 demonstration “FALACUS”, which is about importing ceramic tiles from Italy to the US via the Port of La Spezia. The demonstration has to deal with the C-TPAT program, and therefore the demo partners might benefit from studying this GAO report. In addition to the demonstrations, this report might support the work of the CORE’s risk cluster because the document discusses in detail the challenges and possibilities of a voluntary, risk-based supply chain security program, which builds on business-government collaboration.

Cross-references:

Supply Chain Security: Examinations of High-Risk Cargo at Foreign Seaports Have Increased, but Improved Data Collection and Performance Measures Are Needed. GAO-08-187. Washington, D.C.: January 25, 2008.

Maritime Security: The SAFE Port Act and Efforts to Secure Our Nation’s Seaports. GAO-08-86T. Washington, D.C.: October 4, 2007.

Maritime Security: Observations on Selected Aspects of the SAFE Port Act. GAO-07-754T. Washington, D.C.: April 26, 2007.

Combating Nuclear Smuggling: Additional Actions Needed to Ensure Adequate Testing of Next Generation Radiation Detection Equipment. GAO-07-1247T. Washington, D.C.: September 18, 2007.

Cargo Container Inspections: Preliminary Observations on the Status of Efforts to Improve the Automated Targeting System. GAO-06-591T. Washington, D.C.: March 30, 2006.

Additional keywords: Border security, customs-trade partnership against terrorism (C-TPAT), supply chain security, counter-terrorism

CORE1011

[/s2If]

SUPPLY CHAIN SECURITY – Examinations of High-Risk Cargo at Foreign Seaports Have Increased, but Improved Data Collection and Performance Measures Are Needed, GAO, January 2008 (CORE1010)

Summary: This report reviews the progress that the US Customs and Border Protection (CBP) has made with the Container Security Initiative (CSI) – a program for screening US-bound high-risk shipping containers in foreign ports with X-ray and radiation detection solutions – since the latest 2005 GAO review. The report discusses how the CBP’s CSI efforts have (1) contributed to the long-term, strategic planning on the US supply chain security, (2) strengthened CSI activities worldwide and (3) established means to evaluate performance of the CSI activities. The report recommends that CBP develop its data collection practices that are related to the CSI team performance and the host government’s inspections of the US-bound containers. This report provides relevant information for CORE demonstrations that deal with US-bound maritime logistics and commerce. The risk cluster might also benefit from the descriptions of the US risk-based supply chain security scheme – Automated Targeting System (ATS), 24-hour rule and the importer security filing 10+2 – that the report elaborates in detail. The report is available at http://www.gao.gov/new.items/d08187.pdf.

[s2If is_user_logged_in()]

Full review: This GAO report elaborates on the status and challenges of the US Container Security Initiative, but it also provides a comprehensive outlook on the US maritime supply chain security. This information is likely to be relevant for the CORE’s demonstrations (WP9 and WP14) that deal with US-bound container traffic. The report is a good reference document for those CORE work packages that seek to describe the state-of-the-art of the global supply chain and that are producing relevant training material on supply chain security. The CORE’s risk and IT clusters benefit from the information the report offers on risk-based security solutions that use advance cargo information to calculate risk scores for US-bound shipments with the aid of automatic risk assessment algorithms.

Cross-references:

  • Preventing Nuclear Smuggling: DOE Has Made Limited Progress in Installing Radiation Detection Equipment at Highest Priority Foreign Seaports. GAO-05-375. Washington, D.C.: March 31, 2005.
  • Homeland Security: Process for Reporting Lessons Learned from Seaport Exercises Needs Further Attention. GAO-05-170. Washington, D.C.: January 14, 2005.
  • Port Security: Better Planning Needed to Develop and Operate Maritime Worker Identification Card Program. GAO-05-106. Washington, D.C.: December 10, 2004.
  • Maritime Security: Substantial Work Remains to Translate New Planning Requirements into Effective Port Security. GAO-04-838. Washington, D.C.: June 30, 2004.
  • Homeland Security: Summary of Challenges Faced in Targeting Oceangoing Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March 31, 2004.
  • Container Security: Expansion of Key Customs Programs Will Require Greater Attention to Critical Success Factors. GAO-03-770. Washington, D.C.: July 25, 2003.

Additional keywords: Container Security Initiative (CSI), counter-terrorism, homeland security, maritime supply chain security

CORE1010

[/s2If]