Global Security Verification Report

Transcription

1 Measured Performance - Improved Security Global Security Verification Report Silver Star Garment Limited Registration Number : A Company : Silver Star Garment Limited Date of Verification : 20-Sep-2016 Auditor(s) Name : David Yang Overall Rating Low Risk Priority (86 100) Meet Expectations Participating Facilities : Medium Risk Priority(76 85) Further Improvement Needed High Risk Priority(0 75) Urgent Action Required Send Us a secure message. Complete the GSV on-line Compliments and Complaints feedback form Go Now

2 COMPANY PROFILE COMPANY INFORMATION Company name: Contact name: Address 1: Address 2: City: State: Silver Star Garment Limited Mr.Justin Lin Guanlu Village, Huahu Town, Huilai County, Jieyang Guangdong Postal Code: Country: China Phone: Fax: Website: Nil NUMBER OF EMPLOYEES Permanent: 1250 Temporary: 0 Overseas / Migrant: 0 Total: 1250 BUSINESS OVERVIEW Industry: Key / Main product: Country of operation: Participation in security initiatives: Description of security initiative: Apparel Jeans China No Nil FACILITY STRUCTURE Number of buildings 3 Distribution: 0 Production: 1 Warehouse: 0 Container yards: 0 Other: 2 Facility land size: Total facility floor size: Warehouse customs bonded: Free trade zone: 20000M. Sq M. Sq. NO NO Logistics/Transportation for shipments to US Trucks owned By Company: No Percent of goods exported to US By air: 0% By sea: 100% By rail: 0% By truck: 0% Description of "other" buildings: one dormitory building and one canteen building Export Logistics Facility responsible for the relationships with the following type of logistics : Consolidators: Never 1

3 Air : Never Sea : Never Rail : Never Land Carriers: Never GENERAL OVERVIEW Freight forwarders: NVOCC: Other 3rd party logistics providers: Always Never Never Brief Description of the Facility: Brief Description of Loading Process for Shipment: Brief Description of Sealing Process: Brief description of direct shipments to port process: In-country transport services detail: The companies used vary routes: The companies used employ security guards: The companies used provide vehicle escort: The companies used Global Positioning Satellite (GPS): The companies used truck convoys: Required transit time between audited facility to the port/the next supply chain: CCTV details: Silver Star Garment Limited is located at Guanlu Village, Huahu Town, Huilai County, Jieyang City, Guangdong Province, China. The total land area is about square meters. They started their operation at the existing location since The main products manufactured by the facility are jeans. In view of the facilities, one 3-storey building is used as production floor, warehouse, one 3-storey canteen building and one 4-storey dormitory building are used. The exported country is USA. Currently, there are 1250 employees including 250 males and 1000 females. All the sea carriers were delegated by clients and also the facility was not responsible for those client delegated carriers. Freight forwarders were selected by the facility. And the facility conducted full container loading. The facility used bolt seal and provided certification to show that the seal was ISO/PAS17712 compliant. Yes, The containers go directly to the port. Yes, Freight forwarder: Guang Dong Shen Tong Limited and Hua Cheng Xiong Hui Transportation Company, both cooperated from Yes, No, No, No, No, Required transit time from facility to the port is 3 hours. Yes, There are 32 CCTV cameras installed in the facility. The CCTV monitors are installed in office and security room by security guards. The record was kept for 7 days. Security guard force details: Yes, Facility has 13 security guards and manning the facility 24/7. 2

4 I. NUMBER OF NON-COMPLIANCES NOTED IN EACH CATEGORY The C-TPAT Security Criteria and Security Guidelines indicate that there are must and should requirements. "Must" means that it is a requirement of the program participation. "Should" means that the procedure is considered to be an industry "best practice" however as the program matures, more "shoulds" will become "musts." Category Name Score Must Do Should Do Best Practice Records & Documentation Personnel Security Physical Security Information Access Controls Shipment Information Controls Storage & Distribution Contractor Controls Export Logistics OVERALL High Risk Priority (0-75%) Medium Risk Priority(76-85%) Low Risk Priority(86-100%) 3

5 II. FACILITY SCORE CARD Security Sections Section/Subsection Score (0-100) Records & Documentation 98 Personnel Security 85 Documented Personnel Security Policies/Procedures 100 Personnel Screening 100 Identification System 56 Education/Training/Awareness 100 Physical Security 89 Plant Security 87 Perimeter Security 100 Outside Lighting 100 Container Storage NA Security Force 100 Access Controls 88 Visitor Controls 79 Entering/Exiting Deliveries 97 Employee/Visitor Parking 100 Production, Assembly, Packing Security 40 Information Access Controls 82 Shipment Information Controls 100 Storage & Distribution 82 Storage 33 Loading for Shipment 85 Contractor Controls 68 Export Logistics 67 OVERALL SCORE 86 High Risk Priority (0-75%) Medium Risk Priority(76-85%) Low Risk Priority(86-100%) 4

6 III. RISK ASSESSMENT Criteria: The facility does not have a risk assessment program to analyze and identify critical areas of its supply chain that is the most likely targets for infiltration. The facility does not use computer software risk-based assessment tool. The facility does not have written processes for the selection of their business partners to include a detailed risk assessment. The facility does not have a comprehensive risk assessment covering their own facility. The facility does not have a comprehensive risk assessment covering point of packing and stuffing. The facility does not have comprehensive risk assessment covering contractors. The facility does not have a comprehensive risk assessment covering export logistics and at each transportation link within the chain. The facility does not conduct a comprehensive risk assessment annually. The facility has not adopted the 5 Step Risk Assessment Process Guide in conducting security risk assessment of their supply chain(s). Compliant/Non- Compliant Non-Compliant Non-Compliant Non-Compliant Non-Compliant Non-Compliant Non-Compliant Non-Compliant Non-Compliant Non-Compliant 5

7 IV. OPPORTUNITIES FOR IMPROVEMENTS The following sections includes all exceptions noted during the on-site audit. Each exception is color coded to indicate the severity as indicated in the C-TPAT criteria for foreign manufacturers. Must Do Should Do Best Practices Informative 98% Section: Records & Documentation Exceptions Noted: The facility has no documented procedure and/or assessment reports to conduct periodic security checks to ensure that Contractor Controls procedures are being performed properly. No contractor control was covered. Compliance % 61 % 85% Section: Personnel Security SubSection: Documented Personnel Security Policies / Procedures No exceptions noted SubSection: Personnel Screening No exceptions noted SubSection: Identification System International Supply Chain Security Requirements & Criteria Management or security personnel must adequately control the issuance and removal of employee, visitor, and vendor ID badges An employee identification system must be in place for positive identification and access control purposes Employees should only be given access to those secure areas needed for the performance of their duties Companies must have procedures in place to remove identification, facility and system access for terminated employees. Exceptions Noted: Compliance % The security staffs is not informed of missing IDs. 61 % Security guard was not informed of such lost. IDs are not required to access restricted areas 52 % During the facility tour, some employees in the packing, warehouse, loading area and office did not wear the special ID. IDs do not specify access for loading/unloading/packing dock areas 50 % During the facility tour, some employees in the packing, warehouse, loading area and office did not wear the special ID. IDs should specify access for loading/unloading/packing dock areas by color coding 40 % List of terminated employees is not given to security to deny access to facility. 73 % No such name list was given to security guards. Guards do not check employees ID to monitor access to the restricted areas 37 % No such monitor in the restricted area. High Risk Priority (0-75%) Medium Risk Priority(76-85%) Low Risk Priority(86-100%) 6

8 SubSection: Education / Training / Awareness No exceptions noted 89% Section: Physical Security SubSection: Plant Security International Supply Chain Security Requirements & Criteria Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling/storage areas Exceptions Noted: The facility does not have Access Control Program that includes an inventory process to account for all keys/access cards. No such inventory was conducted. Compliance % The facility does not have an intrusion detection or an alarm system 36 % No such system was installed in the finished-good warehouse. SubSection: Perimeter Security No exceptions noted SubSection: Outside Lighting No exceptions noted SubSection: Security Force No exceptions noted SubSection: Access Controls International Supply Chain Security Requirements & Criteria Access controls must include the positive identification of all employees, visitors, and vendors at all entry points / Procedures must be in place to identify, challenge, and address unauthorized/unidentified persons Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling and storage areas. Exceptions Noted: Recordings (e.g., tapes or electronic files) are not kept for a minimum of 30 days or according to client specific requirement, whichever is longer. The record only kept for 7 days. 62 % Compliance % Employees are not observed by and/or subject to security inspection when entering the building 57 % No such inspection was conducted. SubSection: Visitor Controls International Supply Chain Security Requirements & Criteria Access controls must include the positive identification of all employees, visitors, and vendors at all entry points Visitors must present photo identification for documentation purposes upon arrival. 47 % High Risk Priority (0-75%) Medium Risk Priority(76-85%) Low Risk Priority(86-100%) 7

9 Exceptions Noted: Compliance % Photo identification is not required of all visitors. 59 % During the onsite tour, no photo identification for some visitors was required. A visitor's log which records entries and exits is not maintained 79 % No escort name logged in the records. SubSection: Entering / Exiting Deliveries International Supply Chain Security Requirements & Criteria Written procedures must stipulate how seals are controlled and affixed to loaded containers, including recognizing and reporting compromised seals and/or containers to local Customs authorities Exceptions Noted: There is no documented procedure to verify seal number against facility documentation when the container/trailer is turned over to the next supply chain link (including trucks and closed vans). No such verification when turned over to the next supply chain link. SubSection: Employee / Visitor Parking No exceptions noted SubSection: Production, Assembly, Packing Security International Supply Chain Security Requirements & Criteria Compliance % Measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo in the supply chain Employees should only be given access to those secure areas needed for the performance of their duties / Procedures must be in place to identify, challenge, and address unauthorized/unidentified persons Exceptions Noted: There are no security measures in place to prevent the introduction of foreign material(s) into the assembly area No such control was noted on site. There are no security measures in place to prevent the introduction of foreign material(s) into the packing area No such control was noted on site. 67 % Compliance % Employee access is not limited to the relevant areas of responsibility 77 % No such access limitation. 77 % 77 % 82% Section: Information Access Controls International Supply Chain Security Requirements & Criteria Procedures must be in place to ensure that all information used in clearing merchandise/cargo is legible, complete, accurate, and protected against the exchange, loss or introduction of erroneous information. Documentation control must include safeguarding computer access and information Exceptions Noted: The facility does not have documented procedures for identifying which employees are allowed access to electronic information systems. Compliance % 84 % High Risk Priority (0-75%) Medium Risk Priority(76-85%) Low Risk Priority(86-100%) 8

10 No relevant written procedure addressing these access rights. The facility does not have documented procedures for identifying which employees are allowed access to shipping forms No relevant written procedure addressing these access rights. The facility does not have documented procedures for identifying which employees are allowed access to shipping data No relevant written procedure addressing these access rights. The facility does not have documented procedures for identifying which employees are allowed access to shipping/cargo movement data No relevant written procedure addressing these access rights. There is no system in place to suspend a login user ID after three failed access attempts 41 % There was no such setting in the computer. 78 % 78 % 78 % 100% Section: Shipment Information Controls No exceptions noted 82% Section: Storage & Distribution SubSection: Storage Exceptions Noted: The facility does not have fencing or other barrier materials to enclose cargo handling and storage areas to prevent unauthorized access. No barrier material was used to enclose cargo handling or storage area. Compliance % 51 % SubSection: Loading for Shipment International Supply Chain Security Requirements & Criteria Procedures must be in place for reporting and neutralizing unauthorized entry into containers or container storage areas / Employees should only be given access to those secure areas needed for the performance of their duties / Procedures must be in place to identify, challenge, and address unauthorized/unidentified persons Container integrity must be maintained to protect against the introduction of unauthorized material/person(s) / Procedures must be in place to identify, challenge, and address unauthorized/unidentified persons Procedures must be in place for reporting and neutralizing unauthorized entry into containers or container storage areas Exceptions Noted: Compliance % The loading dock access is not restricted to authorized personnel only 63 % The loading area was not restricted to authorized personnel only. There are no security controls in place to prevent the introduction of foreign materials at point of loading 71 % No such control was noted on site. Cargo handling and storage areas are not secured with perimeter walls, fencing or other barrier materials to prevent unauthorized access. No such measure was provided. 50 % High Risk Priority (0-75%) Medium Risk Priority(76-85%) Low Risk Priority(86-100%) 9

11 The loading and departure of containers/trailers is not captured on CCTV and/or does not provide adequate views of loading activities and inside container and/or the recording is kept for 30 to 45 days (applicable to trucks and closed vans). The CCTV record only kept for 7 days. 44 % 68% Section: Contractor Controls International Supply Chain Security Requirements & Criteria Foreign manufacturers must ensure that business partners develop security processes and procedures consistent with the C-TPAT security criteria to enhance the integrity of the shipment at point of origin, assembly or manufacturing. Periodic reviews of business partners processes and facilities should be conducted based on risk, and should maintain the security standards required by the foreign manufacturer. Exceptions Noted: Compliance % Contractors are not retained through legally binding contracts 89 % Contracts for some contractors were not provided for review. The facility does not require its contractors to conduct self-assessment of their security policies and procedures and to share the results of those assessments with the facility The self-assessment was not required for some contractors. 31 % 67% Section: Export Logistics International Supply Chain Security Requirements & Criteria Foreign manufacturers must have written and verifiable processes for the selection of business partners including, carriers, other manufacturers, product suppliers and vendors (parts and raw material suppliers, etc). For those business partners eligible for C-TPAT certification (carriers, importers, ports, terminals, brokers, consolidators, etc.) the foreign manufacturer must have documentation (e.g., C-TPAT certificate, SVI number, etc.) indicating whether these business partners are or are not C-TPAT certified. Exceptions Noted: Compliance % When selecting carriers, the facility does not consider the carriers' financial stability 57 % No such records for one carrier. When selecting carriers, the facility does not consider the carriers' corporate history 68 % No such records for one carrier. The facility does not require eligible and/or ineligible carriers to demonstrate security compliance standards. No such record was provided for review. The facility does not have written or electronic confirmation of its partners' compliance with C-TPAT or C- TPAT-equivalent security criteria (e.g., contract language, a letter of commitment signed at the management level or above, signed acknowledgement of receiving the facility's C-TPAT participation announcement). No C-TPAT or eligible record was provided for review. Facility does not conduct periodic unannounced security check to ensure that transport company is in compliance with the contract. No such record was provided for review. 28 % 0 % 28 % High Risk Priority (0-75%) Medium Risk Priority(76-85%) Low Risk Priority(86-100%) 10

12 NS Section: Transparency In Supply Chain Not Scored Exceptions Noted: There is no documented system in place to ensure that management is informed of and investigates all anomalies found in shipments including human trafficking. No such procedure or record. There is no documented cargo verification procedure in place to prevent unmanifested cargo and/or illegal aliens from being loaded. No such procedure or record. The facility does not conduct on-site inspections of the contractors' implementation of the their security standards/procedures that includes compliance with human trafficking and slavery policies. No such procedure or record. The facility does not require its contractors to conduct self-assessment of their security policies and procedures including status of their compliance with human trafficking and slavery policies and share the results of those assessments with the facility. No such procedure or record. The facility does not have written or electronic confirmation of its partners' compliance with Business Transparency on Human Trafficking and Slavery Act (e.g., contract language, a letter of commitment signed at the management level or above, signed acknowledgement of receiving the facility's participation announcement). No such procedure or record. The facility does not have written security standards and documented procedures for selection of its contractors (contracts, manuals, etc.) and handling contractors failing to meet company standards regarding security and slavery and trafficking. No such procedure or record. There is no written security awareness program covering awareness of current terrorist threat(s), human trafficking, smuggling trends, and seizures in place to ensure employees understand the threat posed by terrorist at each point of the supply chain. No such procedure or record. Compliance % 46 % 60 % 19 % 15 % 18 % 23 % 24 % NS Section: Risk Assessment Not Scored Exceptions Noted: The facility does not have a risk assessment program to analyze and identify critical areas of its supply chain that is the most likely targets for infiltration. No such program in facility Compliance % The facility does not use computer software risk-based assessment tool. 6 % The facility does not have written processes for the selection of their business partners to include a detailed risk assessment. The facility does not conduct a comprehensive risk assessment annually. 11 % The facility has not adopted the 5 Step Risk Assessment Process Guide in conducting security risk assessment of their supply chain(s). The facility does not have a comprehensive risk assessment covering their own facility. 15 % No 12 % 10 % 6 % High Risk Priority (0-75%) Medium Risk Priority(76-85%) Low Risk Priority(86-100%) 11

13 The facility does not have a comprehensive risk assessment covering point of packing and stuffing. 13 % No The facility does not have comprehensive risk assessment covering contractors. 11 % No The facility does not have a comprehensive risk assessment covering export logistics and at each transportation link within the chain. No 11 % High Risk Priority (0-75%) Medium Risk Priority(76-85%) Low Risk Priority(86-100%) 12

14 V. BEST PRACTICES AND RECOMMENDED BEST PRACTICES CBP describes Best practices as innovative security measures that exceed the C-TPAT minimum security criteria and industry standards. The following are a list of best practices this supplier has implemented. Existing Best Practices: Section: Personnel Security Criminal record checks are conducted Drug screening checks are conducted Other type of checks such as criminal record checks are conducted on all employees Periodic drug screening checks are conducted. Personnel are encouraged to report irregularities through Suggestion Box Personnel are encouraged to report irregularities through Phone Number/Hotline The facility provides training in local language or language understood by employees of different origin. The facility performs emergency response mock drills. Section: Physical Security The lighting system has an emergency power source/generator Access to the lighting switches is restricted to only authorized personnel. Lights are illuminated automatically. Gates are monitored during operating hours by guards at the gate Gates are monitored during operating hours by CCTV Gates are monitored by guards during non-operating hours Gates are monitored by cameras during non-operating hours For conveyance entries/exits, logs are maintained with name of the guard Parking lots for visitors and employees are separated Visitor and employee personal vehicle parking lots are monitored by security guards during facility operating hours. The company requires the use of visual identification for employee parking The facility has digital cameras as part of surveillance. The facility has motion activated cameras as part of surveillance. Advance notice is required for a pick-up or delivery transport company. The gate security or a designated facility manager performs truck outbound inspection and the results are recorded in an Outbound Vehicle Log. The facility have an automatic intrusion detection or alarm system installed in those areas of the perimeter of the facility that are inaccessible to security patrols. The intrusion alarm system is equipped with audible alarm that provides alert to gate security or central security command center. Guards receive specific training in General Security. Guards receive specific training in Site-Specific. Guards receive specific training in C-TPAT. 13

15 All visitors given are safety and security pamphlet and/or visitors ID which lists general company safety and security rules that need to be followed while on the premises. Corrective actions are taken when missing visitor badges are identified. A log is maintained with Driver's license number. Section: Information Access Controls Facility implemented into its network system anintrusion warning system and/or virus protection The facility provides different level of access rights to employees according to their roles. Employees are required to sign a Non-Disclosure Agreement (NDA) to secure and protect Company's information. Section: Shipment Information Controls Information requirements for shipments are automated The facility have electronic access control system to secure sensitive trade documents. Section: Storage & Distribution The facility keeps records of seal numbers together with the name of person using the seal and date of use of seal. Container/trailer loading process is monitored by security or a supervisor. Empty containers are inspected by the gate guards upon entry to the facility. The facility obtains copy of Container Interchange report and review it to ensure that it has been inspected by the forwarder prior to delivery to the facility. Loaded containers/trailers' final inspection is conducted. The facility receives approval from the importer/buyer before cargo can be loaded into a container. The container/trailer loading process monitored by more than one personnel including security and supervisor. The seal verification and inspection process includes the following VVTT procedure: Verify seal number. Multiple seals or security devices are used on each container/trailer. Section: Contractor Controls The facility require assigning an ID badge to a contractor s employee that enters the premises. The facility terminates service with non-compliant contractors. The facility communicates its security policies to its contractors. The facility communicates the company's security policies through: publication. The facility communicates the company's security policies through: electronic advertisement. Section: Export Logistics The facility has a procedure for in-country carriers to report security violations to facility s management Cargo trucks are monitored and checked every hour. There is a written procedure in place to identify/inquire if trucks are late for their scheduled appointment. The facility utilizes a progress control system to monitor the status of up its cargo delivery (including contracted incountry transport). Recommended Best Practices: Section: Personnel Security IDs should specify access for loading/unloading/packing dock areas by Numeric coding IDs should specify access for loading/unloading/packing dock areas by Map coding IDs should specify access for loading/unloading/packing dock areas by electronic coding 14

16 The facility should have a process in place to publicize the security procedures throughout the facility (i.e. posters, bulletin boards, etc) The facility should provide online training portal. The facility should provide Certificate of Completion and/or similar recognition to all employees who attended the training. A security awareness assessment should be given annually to a random sample of employees to gauge their understanding of the company's general security policy. Photos of authorized employees to access the restricted areas should be posted in the work area to detect any unauthorized entry/access. Personnel should be encouraged to report irregularities through Hotline Section: Physical Security The facility should have a back-up power source for the alarm system The alarm system or intrusion detection system should be tested regularly. Violations to the alarm system should be reported Gates should be monitored during operating hours by patrolling guards Gates should be monitored during operating hours by motion detectors Gates should be monitored during non-operating hours by patrolling guards Gates should be monitored during non-operating hours by motion detectors Vendors should be required advance information before visiting the facility premises The facility should maintain an up-to-date list of names and addresses of all contractor (e.g., canteen staff), vendor, repair personnel. Visitors should be subject to metal detector and/or scanner screening. Visitors should be subject to X-ray of their personal belongings. Vehicles should be prohibited/prevented from parking near perimeter fencing. The facility should require the use of visual identification for visitor parking. The emergency contact numbers should be posted in the security posts and command center. Pilfer or tamper proof packaging and tapes should be utilized to secure the goods. Section: Information Access Controls The facility should conduct review of access rights to safeguard electronic business data. Access to the data should be protected from being copied, altered, tampered or deleted. Each office workstation should contain a photo of the employee who is assigned to that work area to detect any unauthorized computer terminal usage. The facility should limit use of VPN to access company's network directory. Security warning message should be displayed when guest are given access to company's internet access. USB ports and external drives should be disabled/sealed to prohibit copying of company information. Visitors should be required to declare all electronic equipment entered in the facility. Section: Shipment Information Controls Facility should conduct review of shipment information and documentation controls to verify accuracy and security at least every six months Section: Storage & Distribution Facility should have a procedure that seals are affixed to the right door of the container/trailer on the hasp that has the welded rivet. 15

17 Facility should have a procedure that after the seal is affixed to the container, there is an authorized employee who should make sure that the seal is secure by pulling down on it. The seal verification and inspection process includes the following VVTT procedure: View seal and container locking hardware. The seal verification and inspection process should include the following VVTT procedure: Tug on seal to make sure it's on right. The seal verification and inspection process should include the following VVTT procedure: Twist and turn seal to make sure it doesn't unscrew. There are signs posted at each of the loading doors with pictures and examples of the correct seal verification and inspection process. Section: Contractor Controls The facility should implement a corrective action process for non-compliance found during on-site inspections of the contractors. The facility should require its contractors to participate in security awareness training. The facility should provide periodic security awareness training to all of the contractors. The facility should communicate the company's security policies through internet websites (homepage contains information and/or link of C-TPAT and other security standards). Section: Export Logistics The carrier should have intermediate staging/rest period/layover of cargo conveyances prior to reaching the consolidation center/port/border The facility s written agreement with their transport company should indicate preferred transit route(s) used by the driver, the allowable transit time limit, designated rest/meal stop locations and a process for a driver to report a container or trailer security issue. The facility should conduct a security review of their transport company to ensure compliance with the contract. 16

18 VI. PERFORMANCE TREND ANALYSIS Why Performance Trend Analysis Matter? Investors in the international supply chain look closely at trends to make a judgment about the current and future direction of a businesspartners performance. It is often easier to determine how best to support the development and implementation of measures for enhancing business performance, by looking at a chart of performance trends over a period of time, in relation to the performance traits of similar such enterprises operating within like industries. Mutual understanding of cause and effect is an important first step toward achieving a shared objective of continuously enhancing performance and building stronger business partner relationships. Current Assessment (20-Sep-2016) Last Assessment (Not Applicable) First Assessment (30-Mar-2010) Section Name Current Last First Change (Current-Last) Change (Current-First) Records & Documentation 98 Not Applicable 68 Not Applicable 44 % Personnel Security 85 Not Applicable 89 Not Applicable -4 % Physical Security 89 Not Applicable 87 Not Applicable 2 % Information Access Controls 82 Not Applicable 72 Not Applicable 13 % Shipment Information Controls 100 Not Applicable 100 Not Applicable 0 % Storage & Distribution 82 Not Applicable 72 Not Applicable 13 % Contractor Controls 68 Not Applicable 62 Not Applicable 9 % Export Logistics 67 Not Applicable 70 Not Applicable -4 % Overall Score 86 Not Applicable 81 Not Applicable 6 % Advancers Constant Decliner 17

19 VII. KEY STRENGTHS AND CHALLENGES Criteria Must Do Facility Strengths: Facility performance ranks in the top percentile of the population and/or has implemented a best practice process There is a system in place to review periodically and maintain daily security logs for invalid password attempts and file access Compliance% 34% Must Do Reference checks are conducted 41% Should Do Guards or security personnel with no other assignments monitor CCTVs. 44% Must Do Security guidelines for hiring are evaluated periodically to ensure their effectiveness 47% Should Do Employment history checks are conducted 49% Must Do Should Do Must Do The facility does not have adjoining/overhanging structures or foliage which would potentially facilitate illicit entry over the fenced areas into the facility Periodic and follow-up background checks are conducted on employees based on circumstances and/or sensitivity/scope of employee responsibility. Each month facility management reviews and approves a list of employees with special access to controlled or sensitive areas 49% 50% 55% Should Do The facility has a process in place requiring all personnel to participate in the security awareness program 56% Must Do The facility has documented security improvement action plan summarizing identified vulnerabilities and their relevant corrective actions 56% Criteria Facility Challenges: Facility performance ranks in the bottom percentile of the population Compliance% Must Do Contractors are not retained through legally binding contracts 89% Must Do The facility does not have documented procedures for identifying which employees are allowed access to electronic information systems. 84% Must Do A visitor's log which records entries and exits is not maintained 79% Must Do Must Do There are no security measures in place to prevent the introduction of foreign material(s) into the packing area There are no security measures in place to prevent the introduction of foreign material(s) into the assembly area 77% 77% Must Do List of terminated employees is not given to security to deny access to facility. 73% Must Do There are no security controls in place to prevent the introduction of foreign materials at point of loading 71% Must Do When selecting carriers, the facility does not consider the carriers' corporate history 68% Must Do The loading dock access is not restricted to authorized personnel only 63% Must Do The facility does not have Access Control Program that includes an inventory process to account for all keys/access cards. 62% 18

20 VIII. COMPARISON BENCHMARK High Risk Priority (0-75%) Medium Risk Priority(76-85%) Low Risk Priority(86-100%) 19

21 FACILITY PHOTOS FOR SILVER STAR GARMENT LIMITED 1.Facility Photo 2.Facility Entrance 3.Perimeter Fencing 20

22 4.Facility Building 5.Employee Parking 6.Visitor Parking 21

23 7.Outside Lighting 8.Security Room- Communication Equipment 9.CCTV system and monitor 22

24 10.Packing Area 11.Finished Goods Warehouse 12.Loading Area 23

25 13.Facility Name 14.Employee ID Badge 15.Container Manifest and Inspection Record 24

26 16.Visitor's ID Badge 17.Shipping Logs 18.Shipping Documents 25

27 19.Non-Compliance Issues 26

28 DISCLAIMER This report is for the exclusive use of the client of Intertek named in this report ( Client ) and is provided pursuant to an agreement for sevices between Intertek and Client ( Client Agreement ).No other person may rely on the terms of this report. This report provides a summary of the findings and other applicable information found/gathered during the audit conducted at the specified facilities on the specified date only. Therefore, this report does not cover, and Intertek accepts no responsibility for, other locations that may be used in the supply chain of the relevant product or service. Further, as the audit process used by Intertek is a sampling exercise only,intertek accepts no responsibility for any non-compliant issues that may be revealed relating to the operations of the identified facility at any other date.intertek's responsibility and liability are also limited in accordance to the terms and conditions of the Client Agreement.Intertek assumes no liability to any party, for any loss, expense or damage occasioned by the use of this information other than to the Client and in accordance with the Client Agreement and these disclaimers. In case there is any conflict between the disclaimers stated herein and the applicable terms and conditions of Intertek incorporated into the Client Agreement, then these disclaimers shall prevail. 27