FSR List of Changes 2014 v 2017

Transcription

1 FSR List of Changes 2014 v Sections / Requirement #s TAPA FSR 2014 TAPA FSR 2017 A B C Requirement 2017 Sections / Requirement #s A B C Description of Change / New Requirement Self audits x x x Results of self-audits shall be forwarded to the IAB within ten (10) working days of completion Self audits x x x Changed from within 10 working days to within 30 days of original certification anniversary dates to align with TSR and for clarity / Results of self-audits shall be forwarded to the IAB within thirty days (30) of original certification anniversary dates. Waivers x x x Added for clarity / Info provided is the full responsibility of the LSP Reason for Waiver Requests: x x x LSP considers a specific requirement in the FSR is not required from a security standpoint Reason for Waiver Requests 1 Reason for Waiver Requests 2 HVC Waiver Requirements; 1 HVC Waiver Requirements;2 HVC Waiver Requirements;3 HVC Waiver Requirements; 4 x x x Added for clarity / LSP can t meet a specific requirement in the FSR. x x x Added for clarity / LSP establishes and verifies mitigation measures x x x Added to address requests to modify the HVC requirement AND to clarity the circumstances under which a Waiver for HVC requirements would be accepted / The waiver request is submitted using the official TAPA Waiver Request form and is endorsed by the IAB/AA x x x Added to address requests to modify the HVC requirement AND to clarity the circumstances under which a Waiver for HVC requirements would be accepted / The waiver request includes an attached declaration signed by the LSP/Applicant stipulating that no Buyers require an HVC x x x Added to address requests to modify the HVC requirement AND to clarity the circumstances under which a Waiver for HVC requirements would be accepted / The waiver request includes details of any mitigating measures to ensure that vulnerable goods are not at unnecessary risk of theft or loss. x x x Added to address requests to modify the HVC requirement AND to clarity the circumstances under which a Waiver for HVC requirements would be accepted / Appropriate mitigation actions to minimize risk (where an HVC is not available) are considered and documented in the annual risk assessment. Note: TAPA may request visibility of the risk assessment HVC Waiver Requirements; 5 x x x Added to address requests to modify the HVC requirement AND to clarity the circumstances under which a Waiver for HVC requirements would be accepted / LSP/Applicant understands that a waiver may be revoked by TAPA should TAPA officials and/or Buyers successfully challenge that waiver conditions have changed 1 Perimeter Security 1 Revised Section Header / Perimeter

2 1.1. New Section Header for revised format. / 1.1: Warehouse External Cargo Handling, Shipping, and Receiving Yard (General) x x x New requirement./ Procedure documented describing how unauthorized vehicles and persons are to be managed. Training on procedure must be delivered to relevant members of workforce, including guards x New Requirement for Option 1 'Physical Barriers in Place.' (already was applicable for Option 2) and moved to Section 1.1. General Warehouse Requirements. to remove repetition of the same requiremement under Option 1 and Option 2./ For ground level accessible windows or dock doors, the annual risk assessment must evaluate the need for anti-ram barriers (cross reference Risk Assessment: section 6.2.3)." Option New Section Header/ 1.2. Option 1: Physical Barriers in Place x Physical barrier encloses cargo handling, shipping and receiving yard x Physical barrier height is a minimum of 6 feet / 1.8 meters x Numbering change only x Integrated previous Guidance Note into the standard./ Physical barrier height is a minimum of 6 feet / 1.8 meters. Note: The physical barrier, designed to prevent unauthorized entrée, must be a height of 6 feet / 1.8 meters along its entire length, including areas where ground level changes (I.e. is lower) x Physical barrier maintained in good condition x Numbering change only x Physical barrier is inspected for integrity and damage regularly x Changed from regularly to weekly for clarification./physical barrier is inspected for integrity and damage at least weekly x Gate(s) manned or electronically controlled x Numbering change only x x Cargo handling and receiving yard is adequately controlled to prevent unauthorized access x x Now applies to Section 1.1. General Warehouse Requirements. to remove repetition of the same requiremement under Option 1 and Option 2. Option New Section Header/ 1.3 Option 2: No Physical Barriers in Place x Visible perimeter signs in local language indicating No unauthorized access, No unauthorized parking x Visible signs on external dock doors or walls instructing drivers, visitors etc. to proceed to appropriate lobby, security control x Documented procedure requiring periodic sweeps/patrols by CCTV and/or guards and/or responsible member of the workforce x Procedure documented describing how unauthorized vehicles and persons are to be managed. Training on procedure must be delivered to relevant members of workforce, including guards x Numbering change only x Numbering change only x Numbering change only x Numbering change only

3 x For ground level accessible windows or dock doors, the annual risk assessment must evaluate the need for anti-ram barriers (see Risk Assessment: section 5.2.3) x Numbering change for requirement, numbering change for reference to other requirement, and moved to Section 1.1. to avoid repetition of the same requirement for Option 1 and Option 2.. / For ground level accessible windows or dock doors, the annual risk assessment must evaluate the need for anti-ram barriers (see Risk Assessment: section 6.2.3) x x Cargo handling and receiving yard is adequately controlled to prevent unauthorized access x x Numbering change only. Moved to Section 1.1. to remove repetition of the same requiremement under Option 1 and Option CCTV shipping and receiving yard 1.1. Previous CCTV section integrated into general Warehouse External Cargo Handling, Shipping, and Receiving Yard section./1.1. Warehouse External Cargo Handling, Shipping, and Receiving Yard (General) x x CCTV able to view all traffic at shipping and receiving yard (including entry and exit point) ensuring all vehicles and individuals are recognizable at all times unless temporary obstruction due to operational needs (i.e. truck unloading) x x Added description to example to clarify truck loading and unloading in real time./cctv able to view all traffic at shipping and receiving yard (including entry and exit point) ensuring all vehicles and individuals are recognizable at all times unless temporary obstruction due to operational needs (i.e. truck loading and unloading in real time) 1.3. CCTV coverage of all external dock areas 1.4. Previous CCTV section integrated into general External Dock Areas section./1.4. External Dock Areas x x x Dock areas covered via colour or day/night x x x Numbering change only exterior cameras x Cameras mounted to be able to view all operations and movement around external dock area x x x Added exception for temporary obstructions due to operational needs, clarified truck loading and unloading in the example, and applied requirement to all three levels. / Cameras mounted to be able to view all operations and movement around external dock area at all times unless temporary obstruction due to operational needs (i.e. truck loading and unloading in real time) x x Cameras mounted to be able to view all operations and movement around external dock area unless temporary obstruction due to operational needs (i.e. truck unloading) x x Integrated into and added "and unloading in real time" to the example x All vehicles and individuals clearly recognizable x Numbering change only x x Vehicles and individuals visible in most cases x x Numbering change only 2 New Section Header / Outside Walls, Roof, and Doors 1.4. CCTV system exterior sides of the facility 2.1. Revised Section Header / Exterior Sides of the Facility: CCTV x Colour or day/night exterior camera system in place covering all exterior sides of the facility x Numbering change only x Colour or day/night exterior camera system in place covering exterior sides of facility with doors, windows or other openings x Numbering change only x All vehicles and individuals clearly recognizable x Numbering change only x Vehicles and individuals visible in most cases x Numbering change only x x All views clear at all times unless temporary obstruction due to operational needs (i.e. truck unloading) x x Added 'truck loading' and 'in real time' to the example. / All views clear at all times unless temporary obstruction due to operational needs (i.e. truck loading and unloading in real time)

4 Lighting 1 New Section Header / Perimeter 1.5 Flood lighting of loading/unloading areas 1.1. New Section Header / Warehouse External Cargo Handling, Shipping, and Receiving Yard (General) x x x Lighting adequate in loading and unloading areas. (Constant light or activated by alarm or motion detection providing immediate illumination) x x x Integrated 'Guidance Note' into the requirement / Lighting adequate in loading and unloading areas. Note: Lighting may be constant, activated by alarm, motion, sound detection, etc., with immediate illumination provided x All vehicles and individuals clearly recognizable x Numbering change only x x Vehicles and individuals visible in most cases x x Numbering change only 1.6 Dock doors lighting 1.4 New Section Header / External Dock Areas x x x All dock doors fully illuminated x x x Numbering change only 1.7: Exterior and interior lighting 5.5 Numbering change only x x x Exterior and interior lighting levels are sufficient to x x x Numbering change only support CCTV images that allow investigation and evidential quality image recording x All vehicles and individuals clearly recognizable x Numbering change only Perimeter Alarm Detection 2 New Section Header / Outside Walls, Roof, and Doors 1.8: All facility external doors alarmed 2.2: New Section Header / Exterior Walls and Roof x x x All facility external warehouse doors alarmed to detect unauthorized opening and linked to main alarm system x x x Added "and office doors" for clarification / All facility external warehouse and office doors alarmed to detect unauthorized opening and linked to main alarm system x x All exits from warehouse used for emergency purposes only (Fire exits etc) alarmed at all times with an individual or zoned auditable sounder so area can be identified and linked to main alarm system x x Reworded for clarity / Emergency exits are used for emergency purposes only (Ex: Fire exits), and are alarmed at all times with an individual or zoned audible sounder, and identified / linked to main alarm system x Each facility external warehouse door or opening can be uniquely identified per door or per zone within main alarm system x Numbering change only Perimeter Windows and other openings 2 Revised Section Header / Outside Walls, Roof, and Doors 1.9 Windows and any openings in warehouse walls and roof secured x x All windows and any openings (smoke vents, air vents), in warehouse walls protected by physical means (bars, mesh or any other material that would harden opening to burglary). 2.2 Revised Section Header / Exterior Walls and Roof; under "Wall Physical Barrier or Intrusion Detection" x x Integrated the 'OR' option of windows/openings being alarmed into one requirement / Any open-able window, vent or other aperture must have a physical barrier or be alarmed and linked to the main alarm system. or x x All windows and any openings (smoke vents, air vents), in warehouse walls alarmed to detect unauthorized opening and linked to main The word "OR" is removed x x Integrated the 'OR' option of windows/openings being alarmed into one requirement / Any open-able window, vent or other aperture must have a physical barrier or be alarmed and linked to the main alarm system.

5 1.9.3 x Any part of the roof designed to be open (smoke vents, air vents, sky-lights) protected by physical means (bars, mesh or any other material that would harden opening to burglary). ü x Combined with another 'Roof' requirement for clarity / Any open-able window, skylight, vent, access hatch or other aperture must have a physical barrier or be alarmed and linked to the main alarm system. or The word "OR" is removed 2.2 Revised Section Header / Exterior Walls and Roof; sub section" Roof Physical Barrier or Intrusion Detection" x Any other openings in warehouse roof (smoke vents, air vents, sky-lights) alarmed to detect unauthorized opening and linked to main alarm system x Removed and combined with another 'Roof' requirement (2.2.3.) for clarity / Any open-able window, skylight, vent, access hatch or other aperture must have a physical barrier or be alarmed and linked to the main alarm system Dock Doors construction 2.2 Revised Section Header / Exterior Walls and Roof subsection Dock Doors x x x All dock doors of sufficient strength so the doors will deter and/or delay forced entry by use of small portable hand tools x x x Numbering change only 1.11 Pedestrian doors from warehouse 2.2 Revised Section Header / Exterior Walls and Roof; subsection 'Warehouse Pedestrian Doors" ; x x x Warehouse pedestrian doors and frames cannot be easily penetrated; if hinges on outside they must be pinned or spot welded x x x Added clarification regarding glass doors / Warehouse pedestrian doors and frames cannot be easily penetrated; if hinges on outside they must be pinned or spot welded. Glass doors are unacceptable unless glass break detectors are fitted and alarmed directly to the monitoring centre. 4 New Section Header / Inside Warehouse and Office 1.12 Exterior walls and roof designed and maintained to resist penetration or alarmed 2.2 Revised Section Header / Exterior Walls and Roof x x x Exterior walls and roof designed and maintained x x x Numbering change only to resist penetration (Example: brick, block, tilt up concrete slab, sandwich panel walls) x x x Interior floor to ceiling multi-tenant walls and roof constructed/designed and maintained to resist penetration (Example: brick, block, tilt up concrete slab, sandwich panel walls) x x x Numbering change only. Now under header 4; Inside warehouse and Office or x x x If Interior floor to ceiling multi-tenant walls are constructed of security grade wire mesh or other industry recognized secure barrier then it is also to be alarmed to detect intrusion. Note: netting, low grade fencing or non-security grade mesh is not allowable x x x Numbering change only Moved to Section Option 2: Security Systems 2 New Section Header / Outside Walls, Roof, and Doors 1.13 External access to roof secured. N/A if no external roof access 2.2 New Section Header / Exterior Walls and Roof; under section " External Access to Roof"

6 x External access to roof (ladder or stairs) physically locked and covered by CCTV (Colour or day/night cameras) x Added 'or alarmed' to requirement / External access to roof (ladder or stairs) physically locked and covered by CCTV (Colour or day/night cameras) or alarmed x x External access to roof (ladder or stairs) physically locked x x Numbering change only x x x Keys controlled. Removed. 2 Access Control - Office Areas, Office Entrances 3 Revised Section Header / Office and Warehouse Entry and Exit Points 2.1 Visitor entry point(s) controlled 3.1 Revised Section Header / Office Area Visitor Entry Point(s) x x x Access at visitor entry point(s) controlled by an employee/guard/receptionist that has been trained on badge issuance, controls, logging, visitors, escort requirement, etc (process for out of hours visits in place) x x x Numbering change only x x Visitor entry point(s) covered by CCTV; (Colour or x x Numbering change only day/night cameras) individuals clearly recognizable at all times x x Duress (panic) alarm installed in covert position in x x Changed "regularly" to "weekly" for clarification / Duress visitor entry point(s) and tested regularly. (panic) alarm installed in covert position in visitor entry point(s) and tested weekly 2.2 Workforce entry point(s) controlled (24/7) 3.2 Revised Section Header / Workforce Entry Point(s) x x Workforce entry point(s) access controlled 24/ x x Numbering change only x Workforce entry point(s) controlled through electronic access control device 24/7. Access logged x x Workforce entry point(s) covered by CCTV. (Colour or day/night cameras). 3 Facility Dock/Warehouse - Access Control Between Office & Dock/Warehouse x Numbering change only x x Numbering change only 4 New Section Header / Inside Warehouse and Office 3.1 Security controlled access points (e.g. Guard, card access or CCTV with intercom) 4.3 Revised Section Header / Access Control Between Office and Dock/Warehouse x x Access controlled between office and warehouse or dock x x Numbering change only x Card access or intercom door alarms are locally audible and generate an alarm for response when held open for more than 60 seconds or immediately if forced open x Numbering change only x Door alarms are locally audible or send alarm for response when held or forced open. ü x Numbering change only Limited Access To Dock Areas 4 Revised Section Header / Inside Warehouse and Office 3.2 Access to dock/warehouse 4.3 Revised Section Header / Access Control Between Office and Dock/Warehouse

7 3.2.1 x x x LSP s authorized workforce and escorted visitors x x x Numbering change only permitted access to dock/warehouse areas based on a business need and restricted x x Access list reviewed on regular basis to limit/verify that access is only granted to designated/authorized personnel, processes are documented x x Changed "regularly" to "at least quarterly" for clarification / Access list reviewed at least quarterly to limit/verify that access is only granted to designated/authorized personnel, processes are documented. High Value Storage Areas 4 New Section Header / Inside Warehouse and Office 3.3 High Value Cage specifications 4.4 Revised Section Header / High Value Cage/Area x x Perimeter caged or hard-walled on all sides, including top/roof x x Numbering change only x x Locking device on door/gate x x Numbering change only x Complete CCTV (Colour or day/night cameras) coverage on cage or vault entrance and internal area x Integreated 'Guidance Note' for clarity / Complete CCTV (Color or day/night cameras) coverage on cage or vault entrance and internal area. Note: If the cage / vault is too small to locate a camera inside, camera coverage of the entrance is sufficient x CCTV (Colour or day/night cameras) coverage on cage or vault entrance x x Access logged and access list in place to limit/verify that access is only granted to designated/authorized personnel x Numbering change only x x Numbering change only x Perimeter of cage/vault maintained in good condition and regularly inspected for integrity and damage x Changed "regularly" to "monthly" for clarification / Perimeter of cage/vault maintained in good condition and inspected monthly for integrity and damage x If access to the HV cage is needed by more than x Numbering change only 10 persons then access is to be controlled electronically by card/fob. If access is required by 10 or less persons then a heavy duty lock or padlock system supported by a controlled key issuing system. Keys can be signed out to individuals to cover a shift but must not be transferred without approval and recorded in the key log. All keys to be returned and accounted for when not in use x HV cage doors/gates are alarmed to detect forced entry. Alarms can be generated by door contacts and/or use of CCTV motion detection to detect unauthorized access x Numbering change only

8 3.3.9 x x Approved access list to HV cage reviewed monthly and updated in real time when employee leaves employment or no longer requires access. LSP to ensure that access is only granted to designated/authorized personnel. Processes are documented x x Added 'LSP to ensure that access is only granted to designated/authorized personnel.' for clarity. LSP to ensure that access is only granted to designated/authorized personnel. Approved access list to HV cage reviewed monthly and updated in real time when employee leaves employment or no longer requires access. Processes are documented x x The size and use of HV cages may be dictated by x x Numbering change only Buyer/LSP agreement. If an agreement is not present then the HV cage must be able to store a minimum of 6 cubic meters of product. All External Dock And Warehouse Doors Secured 2 New Section Header / Outside Walls, Roof, and Doors 3.4 External dock and warehouse doors secured 2.2 Revised Section Header / Exterior Walls and Roof; under sub-section " Dock doors" x x Dock doors closed (when not in active use) x x Integrated three requirements regarding dock doors being secured into one requirement to streamline / Nonoperational hours: Dock doors closed, secured (I.e. electronically disabled or physically locked). Operational hours: Dock doors must be closed when not in active use. Scissor gates, if used, must be secured by mechanical slide / latch lock and be a minimum of 8 feet / 2.4 meters high x x Dock doors secured during non -operational Removed standalone reuirement and integrated into hours (so that doors cannot be opened due to being electronically disabled or physically locked) or x x Scissor gates secured by mechanical slide/latch locking hardware (minimum height of 8 feet/2.4 meters) or equivalent in place and used on dock doors when not in active use. Removed "or" due to integration of requirements into Removed standalone reuirement and integrated into x x x All external warehouse doors always closed and secured when not in active use x x Integrated two requirements regarding external warehouse doors being secured and keys controlled into one requirement to streamline / All external warehouse (dock) doors always closed and secured when not in active use. Keys/Codes Controlled x x x Keys/Codes Controlled Removed standalone reuirement and integrated into CCTV Coverage 4 New Section Header / Inside Warehouse and Office 3.5 Internal dock doors and dock areas. 4.2 Numbering Change Only / Internal Dock Doors and Dock Areas x x x All internal dock doors and dock areas covered by CCTV. (Colour or day/night cameras) x x x Numbering change only x x x Views of freight being loaded/unloaded clear at all times unless temporary obstruction due to operational needs (i.e. truck unloading) x x x Views of freight being loaded/unloaded clear at all times unless temporary obstruction due to operational needs (i.e. truck loading and unloading in real time).

9 3.6 Buyer assets under CCTV surveillance 4.2 Internal Dock Doors and Dock Areas x x Buyer assets under 100% CCTV surveillance in cargo movement or staging areas (i.e. pallet breakdown/build up areas, routes to and from storage racks, dock, transit corridors) x x Addition of Guidance Note for clarification / Buyer assets under 100% CCTV surveillance in cargo movement or staging areas (i.e. pallet breakdown/build up areas, routes to and from storage racks, dock, transit corridors). Note: The transit corridors needs to be covered by CCTV, including cargo lifts where the forklift driver is in the cargo lift with the cargo. Intrusion detection 2.2 New Section Header / Exterior Walls and Roof 3.7 Intrusion detection. N/A if risks documented, mitigated in local risk assessment and warehouse activity is true 24x7x366 operation x Now part of 3.1.4: Intrusion detection alarms installed in the office and warehouse (e.g. Infrared, motion, sound, or vibration detection), with the system activated during non-operational hours and linked to the main alarm system Note: If a facility is a true 24/7/366 operation, then Intrusion detection inside the facility (warehouse / Office) is N/A if risks documented, mitigated in local Risk Assessment. Regardless of operational hours, intrusion detection, or physical barriers, is always required on external doors and ground-floor windows in office and warehouse. (See section 2.2.) x x x All facility external warehouse doors alarmed to detect unauthorized opening and linked to main alarm system x x x Added "office doors" to the requirement for clarification / All facility external warehouse and office doors alarmed to detect unauthorized opening and linked to main alarm system x x x System activated during non-operational hours x x x Added "all" to systems and added "and linked to the main alarm system" for clarification / All systems activated during non-operational hours and linked to the main alarm system x Intrusion detection alarms installed in office and warehouse to detect intrusions outside nonoperational hours x Added examples of types of intrustion detection systems to the requirement for clarification and added "linked to the main alarm system" for clarification / Intrusion detection alarms installed in the office and warehouse (e.g. Infrared, motion, sound, or vibration detection), with the system activated during non-operational hours and linked to the main alarm system Note: 1) If a facility is a true 24/7/366 operation then Intrusion detection inside the facility (warehouse / Office) is N/A if risks documented, mitigated in local risk assessment. Regardless of operational hours; intrusion detection, or physical barriers, is always required on external doors and ground-floor windows in office and warehouse. (See section 2.2) 4 Security Systems 5 Section Header Change / Security Systems : Design, Monitoring, and Response 4.1 Monitoring post 5.1 Numbering Change Only / Monitoring Post

10 4.1.1 x x x Monitoring of alarm events 24x7x366 via an internal or 3rd party external monitoring post, secured from attack x x x Added previous 'Guidance Note' for clarification / Monitoring of alarm events 24x7x366 via an internal or 3rd party external monitoring post, protected from unauthorized access Note: Monitoring posts may be located on or off site, and can be company owned, or third party. In all cases, access must be controlled through the use of an electronic access control system (badges), locks, or biometric scanners. 4.2 Alarms response 5.1 New Section Header / Monitoring Post x x x All security system alarms responded to in realtime 24x7x x x x Monitoring post acknowledges alarm-activation and escalates in less than 3 minutes x x x Numbering change only x x x Numbering change only x x x Alarm monitoring reports available x x x Numbering change only x x x Documented response procedures x x x Numbering change only Intruder Alarm Systems 5.2 Numbering Change Only / Intruder Alarm Systems 4.3 System alarm records 5.2 Integrated into exisitng Section / Intruder Alarm System x x 60 days of security system alarm records maintained x Security system alarm records, securely stored and backed up x x Numbering change only x Numbering change only x Security system alarm records securely stored x Numbering change only 4.4 System restrictions 5.2 Integrated into existing section / Intruder Alarm System x x x Security system access restricted (Central equipment and data access) x x x Integrated three requirements regarding security system access, controls changing when invdividuals depart, and the documentation of the procedures into one requirement to streamline / Documented procedure to ensure security system access is restricted to authorized individuals or system administrators. This includes servers, consoles, controllers, panels, networks, and data. Access privileges must be promptly updated when individuals depart the organization, or change roles, no longer requiring access x x x Controls changed when individuals depart Removed as standalone requirement and integated into x x Documented procedure Removed as standalone requirement and integated into Alarms transmitted and monitored 5.2 Integrated into existing section / Intruder Alarm System x x x Alarm transmitted on power failure/loss x x x Added previous 'Guidance Note' for clarificiation / Alarm transmitted on power failure/loss. Note: For systems with Uninterrupted Power Supply (UPS), the alarm is transmitted when the UPS battery fails.

11 4.5.2 x x x Alarm set verification in place x x x Added previous 'Guidance Note' for clarificiation / Alarm set verification in place. Note: Documented procedures validating that alarms are armed during non-operational hours x x Alarm transmitted on device and/or line failure x x Numbering change only x x Back-up communication system in place on device and/or line failure x x Numbering change only CCTV Systems 5.4 Revised Section Header / CCTV 4.6 CCTV recording 5.4 Removed sub-section header x x x Digital recording in place x x x Numbering change only x x x Digital recording functionality checked daily on operational days via documented procedure. Records available x x x Numbering change only x x x Minimum 3 frames per second per camera x x x Numbering change only 4.7 CCTV access 5.4 Removed sub-section header x x x Access tightly controlled to CCTV system, including hardware, software, and data/video storage x x x CCTV images, for security purposes, are only viewed by authorized personnel x x Documented procedures in place detailing CCTV data protection policy regarding use of real time and archive images in accordance with local law x x x Numbering change only x x x Numbering change only x x Numbering change only 4.8 CCTV recording retention 5.4 Removed sub-section header x x x CCTV recordings stored for a minimum of 30 days where allowed by local law. LSP to provide evidence of local law if less than 30 days retention is possible x x x Numbering change only Electronic Access Control System 5.3 Numbering change only 4.9 Access recording retention 5.3 Numbering change only x x 90 days of system transaction records available. Records securely stored; backed up x x Numbering change only 4.1 Access restriction 5.3 Numbering change only

12 x x Access restricted to access control system functions x x Integrated three requirements regarding access to access control system functions, controls changing when invdividuals depart, and the documentation of the procedures into one requirement to streamline /Documented procedure to ensure system access is restricted to authorized individuals or system administrators. Access privileges must be promptly updated when individuals depart the organization, or change roles, no longer requiring access x x Controls changed when individuals depart Removed standalone requirement and combined into x x Documented procedure Removed standalone requirement and combined into Review of access reports. 5.3 Numbering change only x x Access system reports reviewed at least quarterly x x Integrated two requirements regarding the access to identify irregularities or misuse (i.e. multiple unsuccessful attempts, false readings (i.e. disabled card), evidence of card sharing to allow unauthorized access, etc.). system reports and the documentation of the procedure regarding reports into one requirement to streamline / Access system reports reviewed at least quarterly to identify irregularities or misuse (i.e. multiple unsuccessful attempts, false readings (i.e. disabled card), evidence of card sharing to allow unauthorized access, etc.). Documented process in place x x Documented procedure Removed standalone requirement and combined into Security Procedures 6 Revised Section Header / Training and Procedures 5.1 Escalation procedures 6.1 Numbering Change Only / Escalation procedures x x x Local documented procedures in place for handling Buyer s assets and escalation of security incidents to the Buyer and consistently followed x x x Integrated two requirements regarding procedures for handling Buyer's assets, escalation of security incidents, and process for timely reporting into one requirement to streamline. Also changed 12 hour window for reporting incidents to 24 hour to accomodate time differences in global shipments / Local documented procedures in place for handling Buyer s assets including process for timely reporting of lost, missing or stolen Buyer s assets. Incidents to be reported by the LSP to the Buyer within 24 hours. Obvious thefts reported immediately. Process consistently followed x x x Process for timely reporting of lost, missing or stolen Buyer s assets. Incidents to be reported by the LSP to the Buyer within 12 hours. Obvious thefts reported immediately. Process consistently followed x x x Changed 12 hour window for reporting incidents to 24 hour to accomodate time differences in global shipments, and removed standalone requirement and integrated into 6.1.1

13 5.1.3 x x x Emergency Buyer and LSP facility management contacts for security incidents listed and available x x x Listing regularly updated and includes law enforcement emergency contacts x x x Integrated two requirements regarding Emergency Contact lists into one requirement to streamline. / Emergency Buyer and LSP facility management contacts for security incidents listed and available. Listing regularly updated and includes law enforcement emergency contacts x x x Removed standalone requirement and integrated into Management commitment 6.2 Numbering Change Only / Management commitment x x x The supplier must have a formally appointed person for security on site who is responsible for maintaining TAPA FSR and company supply chain security requirements. The supplier must also have a person (can be the same) responsible for monitoring the FSR programme x x x Added "...includes scheduling self-audits, communications with AAs, recertification, changes to the FSR standard, etc." for clarification / The supplier must have a formally appointed person for security on site who is responsible for maintaining TAPA FSR and company supply chain security requirements. The supplier must also have a person (can be the same) responsible for monitoring the FSR programme. This includes scheduling self-audits, communications with AAs, recertification, changes to the FSR standard, etc x x x Management must develop, communicate, and maintain a documented security policy to assure all relevant persons (i.e. employees and contractors) are clearly aware of the provider s security expectations x x x Numbering change only x x x A facility risk assessment which recognizes the likelihood and impact of security related events must be conducted/updated at least annually. The risk assessment process must be documented and require management to make informed decisions that record if mitigation of risk is necessary At a minimum, the following common internal/external events must be assessed: theft of cargo or information, unauthorized access to facilities or cargo, tampering with/destruction of security systems, fictitious pickups of cargo, security continuity during workforce shortages, or natural disasters, etc x x x Changed wording in regards to the risk assessment to "about vulneratbilities and mitigation" to streamline and clarify the requirement / A facility Risk Assessment which recognizes the likelihood and impact of security related events must be conducted/updated at least annually. The Risk Assessment process must be documented and require management to make informed decisions about vulnerabilities and mitigation. At a minimum, the following common internal/external events must be assessed: theft of cargo or information, unauthorized access to facilities or cargo, tampering with/destruction of security systems, fictitious pickups of cargo, security continuity during workforce shortages, or natural disasters, etc. Additional events may be considered based on local/country risks. Additional events may be considered based on local/country risks. 5.3 Training 6.3 Training

14 5.3.1 x x x Security Awareness / Threat Awareness training provided to all workforce within the scope of the facility security programme. Training repeated every 2 years x x x Security / Threat Awareness training provided every 2 years to all members of the work force that includes both general, and any specific / unique local risks x x x Training is delivered to all members of workforce and includes both general security risks, in addition to any specific local risks x x x Removed; combined into ID badges 3.2: New Section Header / Workforce Entry Point(s) x x After vetting, all employees must be issued with company photo ID badges x x All other workforce must be provided with a company ID badge to make them recognizable within the facility x x Numbering change only x x Numbering change only x x All workforce s badges clearly displayed x x Numbering change only x x New Requirement to specifically address badge sharing / Badges must not be shared under any circumstances and a badge issuance policy must be documented 5.5 Access to Buyer s assets 6.4 Numbering change only / Access to Buyer s assets x x Written and documented procedures in place to restrict employees, visitors and contractors access to Buyer s assets x x Deleted the "written" to avoid redudancy and rephrased the requirement to clarification / Documented procedure(s) in place to protect buyer's assets (I.e. cargo) from unauthorized access by the workforce, visitors, etc. 5.6 Visitor policy 3.1 Revised Section Header / Office Area Visitor Entry Point(s) x x x All visitors identified using government-issued photo-id (e.g. driver s licence; passport or national ID card, etc.) x x x All visitors registered and log maintained for minimum of 30 days x x x Numbering change only x x x Numbering change only x x All visitor badges reconciled against log x x Added "as the visitor leaves premises" and "full log checked daily" added for clarification / All visitor badges must be reconciled as the visitor leaves the premises and the full log checked daily x x All visitors visibly display temporary badges or passes x x Integrated two requirements about vistors into one requirement to streamline / All visitors visibly display badges or passes and are escorted by company personnel x x All visitors escorted by company personnel Removed standalone requirement and integrated into x x Visitor policy documented x x Numbering change only 5.7 Document Control 6.5 Revised Section Header / Information control x x x Access to shipping documents and information on x x x Numbering change only Buyer s assets controlled based on need to know.

15 5.7.2 x x x Access monitored and recorded x x x Numbering change only x x x Documents safeguarded until destruction x x x Numbering change only x x Information security awareness training provided to workforce having access to information x x Added "every 2 years" to provide clarification on how often information security awareness training was required / Information security awareness training provided every 2 years to workforce having access to information. 5.8 Driver identification 3.3 Revised Section Header / Driver / Vehicle identification x x x All drivers identified using government-issued photo-id (e.g. driver s licence; passport or national ID card, etc.). Copies not made unless allowed by local privacy laws x x x Integrated two requirements regarding driver identification into one to streamline / All drivers identified using government-issued photo-id (e.g. driver s licence; passport or national ID card, etc.) and a driver log maintained x x x Driver log maintained x x x Removed standalone requirement and integrated into x Where allowed by local law, vehicle identifiers are logged manually (i.e. written) or with cameras. Include at a minimum licence plate, vehicle type and colour x Removed "where allowed by local law" to streamline / Vehicle identifiers are logged manually (i.e. written) or with cameras. Include at a minimum licence plate and vehicle type x Verification that photo-id is not expired, matches the driver, and licence appears valid x Numbering change only 5.9 Keys control Buyer Assets 6.11 New Section Header / General Procedures x x x Where applicable keys controlled in areas where Buyer s assets are transiting or stored New Requirement to address all requirements with procedures / Wherever procedures are required, they must be documented for traceability x x x Integrated two requirements regarding keys and access card control to streamline and made both applicable to C level to strengthen C level requirement without a cost impact / Wherever physical locks and/or keys are required, they must be a documented procedure, log and/or key plan to track how keys are managed and controlled x x Written plan for control and issue of keys and access cards issued Made requirement applicable to C-level to strengthen C level requirement without a cost impace AND removed standalone requirement and integrated into Trash inspection from warehouse 4.6 Numbering Change Only / Trash inspection from warehouse x Internal and/or external warehouse main trash collecting bins/ compacting areas are monitored by CCTV x Numbering change only x x Where utilized trash bags are transparent x x Numbering change only 5.11 Security incident reporting 6.6 /Numbering change only / Security incident reporting x x Security incident reporting and tracking system in place, used to implement proactive measures x x Numbering change only

16 5.12 Pre-loading and staging 4.7 Pre-loading and staging x x x No pre-loading or parking of FTL/dedicated Buyers trucks during non -operational hours, externally of the warehouse facility unless mutually agreed between Buyer and LSP including identification and implementation of any alternative preventative security measures (e.g. additional security devices on container) x x x Added 'Guidance Note' for clarification / No pre-loading or parking of FTL/dedicated Buyers trucks outside of the warehouse facility during non -operational hours, unless mutually agreed between Buyer and LSP. Alternative security measures must be implemented (e.g. additional security devices on container). Note: Externally of the warehouse facility are those areas separate, away from, the facility, but still inside the LSP s yard / perimeter fence Personal containers 4.8 Revised Section Header / Personal Containers and Exit Searches x x Written security procedures define how entry of personal containers (defined as lunch boxes, backpacks, coolers, purses, etc.) into the warehouse is controlled x x Rephrased for clarity / Written security procedures define how personal containers are controlled inside the warehouse. Personal containers include lunch boxes, backpacks, coolers, purses, etc Exit searches 4.8 Numbering change only / Personal Containers and Exit Searches x If allowed by local law, LSP must develop and x Numbering change only maintain a documented exit search or inspection 5.15 procedure. Personal vehicles Activation access of the procedure is at the 1.5: Numbering change only / Personal vehicles access x x x Personal vehicles only permitted to shipping and receiving areas if pre-approved and restricted to signed/designated parking areas. No personal parking within 25m walking distance to dock areas x x x Integrated two requirements regarding personal vehicle acess into one requirement to streamline / Personal vehicles only permitted to shipping and receiving areas if pre-approved and restricted to signed/designated parking areas. No personal parking within 25m walking distance to dock areas. The processes for the preapproval and restrictions to be documented x x x Documented procedure Removed standalone requirement and integrated into Control of cargo-handling equipment 4.9 Numbering change only / Control of cargo-handling equipment x x All forklift and other powered cargo-handling equipment disabled during non-operational hours x x Added 'Guidance Note' for clarity AND integrated the documentaiton requirement applicable to 'cargo-handling equipment being disabled' into one requirement / Documented protocol requiring all forklift and other powered cargo-handling equipment being disabled during non-operational hours. Note: This does not include hand-jacks / pallet-jacks x x Documented procedure Removed standalone requirement and integrated into Container or trailer integrity 4.10 Numbering change only / Container or trailer integrity

17 x x x Seven-point physical inspection process or equivalent checks performed for all outbound dedicated Buyer s containers or trailers: Front Wall, Left Side, Right Side, Floor, Ceiling/Roof, Inside/Outside Doors and Locking Mechanism, Outside/Undercarriage x x x Added 'Guidance Note' for clarity AND integrated the documentaiton requirement applicable to 'cargo-handling equipment being disabled' into one requirement / Sevenpoint physical inspection performed on all outbound dedicated Buyer s containers or trailers: Front Wall, Left Side, Right Side, Floor, Ceiling/Roof, Inside/Outside Doors and Locking Mechanism, Outside/Undercarriage. Procedure documented. Note: This applies to all types of trailers & containers under lock and/or seal (I.e. Not limited to ocean freight containers) x x x Documented procedure Removed standalone requirement and integrated into Maintenance programmes 6.7 Numbering change only / Maintenance programs x x x Documented maintenance programmes in place for all technical (physical) security installations/systems to ensure functionality at all times (e.g. CCTV, Access Controls, Intruder Detection, Lighting) x x x Numbering change only x x x Preventative maintenance conducted once a year, or in accordance with manufacturer s specifications x x Functionality verifications of all systems once per week and documented, unless system failure is immediately / automatically reported or alarmed x x x Numbering change only x x Numbering change only x x Response-time to initiate/call out for security system is not more than 2 working days x x Added a requirement for alternative mitigations to be implemented if repairs expected to exceed 24 hours to address risk during system failure / A repair order must be initiated within 48 hours of when the fault is discovered. For any repairs expected to exceed 24 hours, alternative mitigations must be implemented Contractor Orientation 6.8 Numbering change only / Contractor Orientation x LSP to ensure all subcontractors/vendors are aware of and comply with LSP relevant security programs x Numbering change only 6 Background Checks (Vetting) Workforce Integrity 7 Revised Section Header / HR-Related Security Requirements 6.1 Screening/vetting of workforce (As allowed by local law, the following requirements apply to all LSPs) 7.1 Revised Section Header / Workforce Integrity; Screening/Vetting/Background Checks (as allowed by local law)

18 6.1.1 x x x The LSP must have a screening / vetting process x x x Added definition of TAS for clarification / The LSP must that includes at a minimum, past employment and criminal history checks. Screening / vetting applies to all applicants, including employees and contractors. The LSP will also require an equivalent process be applied at contracting companies supplying TAS workers. have a screening / vetting process that includes at a minimum, past employment and criminal history checks. Screening / vetting applies to all applicants, including employees and contractors. The LSP will also require an equivalent process be applied at contracting companies supplying TAS (Temp Agency or Subcontracted worker ) workers x x x TAS (Temp Agency or Subcontracted worker) is required to sign declaration that they have no current criminal convictions and will comply with LSP s security procedures x x x Deleted definition of TAS since already defined in the previous requirement in order to streamline / TAS is required to sign declaration that they have no current criminal convictions and will comply with LSP s security procedures x x x LSP will have agreements in place to have required information supplied by the agency and/or subcontractor providing TAS workers, or shall conduct such screening themselves. Screening must include criminal history check and employment checks x x x Numbering change only x x x Procedure for dealing with applicants/workforce s false declaration pre & post hiring x x x Numbering change only 6.2 Termination of workforce 7.2 Revised Section Header / Termination or Rehiring of Workforce Note: Termination includes both voluntary and involuntary separations terminated and resigned members of workforce x x x Documented procedures in place for termination of members of the workforce. The procedures to include return of ID s, access cards, keys and other sensitive information and/or equipment x x x Revised wording of requirement to streamline and clarify / Recover physical assets from terminated workforce to include company IDs, access badges, keys, equipment, or sensitive information. Documented procedure required x x x Workforce checklist in place for verification x x x Numbering change only x x x Procedures are in place to prevent LSP from rehiring workforce if denial/termination criteria are still valid x x x Added 'Guidance Note' for clarification / Re-hiring: Procedures are in place to prevent LSP from re-hiring workforce if denial / termination criteria are still valid. Note: Records are reviewed prior to re-hiring (Ex: background of previously terminated personnel or rejected applicants (previously denied employment) x x x Procedures are in place to prevent terminated workforce from having access to Buyer s data and records x x x Added that procedure must be documented and added example of buyer's data for clarification / Protect buyer s data: Terminate access to physical or electronic systems that contain buyer s data (inventory or schedules). Documented procedure required. 7 Freight Handover Process 7.1 Security seals 4.11 Revised Section Header / Freight Handover Process, Security seals