Milliken and Company CTPAT Security Profile. Guidelines and Procedures for maintaining compliance with the CTPAT minimum security requirements

Transcription

1 Milliken and Company CTPAT Security Profile Guidelines and Procedures for maintaining compliance with the CTPAT minimum security requirements

2 Business Partner Requirements Milliken maintains written processes for the selection of business partners. As part of this process, a business partner's CTPAT status is determined by means of their SVI or CTPAT certificate. The vast majority of Milliken s logistics service providers have current CTPAT certifications. For those partners who have submitted an SVI as proof of their participation, their SVI has been entered into the CTPAT portal for validation and is updated annually. For those business partners who are not eligible for CTPAT or who have chosen not to join CTPAT, their security level is assessed by means of a security questionnaire administered via the internet. A copy of this questionnaire is available at The information provided in the questionnaire is then used to assess the security risks of partners without current CTPAT certification. Milliken s purchasing department is responsible for collecting and reviewing applications by material suppliers, and Milliken s logistics department is responsible for reviewing logistics providers. For those partners who have submitted an SVI as proof of their participation, their SVI has been entered into the CTPAT portal for validation and is checked annually. For the partners who have submitted a copy of their certificate as validation, Milliken maintains a copy of the certificate on file. Milliken will assess the risks associated with our import supply chains in order to insure their security. This process is based on the 5 Step Risk Assessment Process recommended by CBP. The risk assessment process is owned by the Logistics & Trade Compliance department working in conjunction with Purchasing, Supply Chain Management and other affected functional areas. A risk assessment will be conducted on all major import supply chains upon initiation of business or at the discretion of the Trade Compliance team based on changes in the supply chain or on their knowledge of the current security situation. Cargo flows will be mapped from origin to domestic distribution point using the CTPAT Cargo Flow / Business Partner Analysis template. The threat assessment will be completed by the Logistics & Trade Compliance team using the CTPAT Threat Assessment template. The available sources include those listed in Attachment B of the CTPAT 5 Step Risk Assessment Process Guide published at plus other resources as determined by Milliken associates. The level of threat will be evaluated as follows: 1. Low Risk - No recent incidents/intelligence/information 2. Medium Risk - No recent incidents/some intelligence/information on possible activity

3 3. High Risk - Recent incidents and intelligence/information The vulnerability assessment will be done by verifying the partner s participation in CTPAT for those partners are eligible or by completing Milliken s security questionnaire for those partners who can t or have chosen not to participate in CTPAT. More details can be found in the Milliken s Business Partner Requirements section. Upon completion of the aforementioned assessments, the CTPAT Risk Assessment Action Plan will be used to document findings and actions to address deficiencies. Milliken's Logistics Department or Purchasing Department is responsible for ensuring that partners take appropriate actions to address problems. Security Procedure, Point of Origin Milliken has developed its "supplier portal" which is used to communicate via the internet security information and CTPAT criteria with our business partners. The URL for the portal is Milliken has also developed its "CTPAT Shipping Security Guidelines" which provide specific information on how business partners are expected to ship materials to Milliken. A copy of these guidelines can be found in the CTPAT Partner Document Exchange section of this portal. These guidelines have been incorporated into the supplier portal. Security Procedure, Participation / Certification in Foreign Customs Administrations Supply Chain Security Programs As part of the security questionnaire, Milliken asked each of its suppliers or service providers to indicate their participation in any supply chain security programs administered by a foreign Customs Administration. This information is available upon request. Security Procedure, Other internal criteria for selection Milliken's non-logistics purchasing activities are controlled by the Global Purchasing group. Milliken's logistics purchasing activities are controlled by the Global Logistics group. The purchasing group reports to the Vice President of Purchasing, and the logistics group reports to the President of Manufacturing. This change in organization took place in Milliken associates are responsible for ensuring that potential business partners are viable, legitimate, on-going businesses that are capable of meeting the needs of Milliken & Company. For non-logistics suppliers, the primary record of a supplier's viability is an approving the business to be a Milliken Supplier and the creation of a Vendor Number. This process is initiated through an request for the Supplier to provide information into the Milliken Supplier Add Database. This database records the supplier's organization, primary product or services offered, physical and remit-to

4 addresses, payment information, D&B number, Tax Identification Number, terms, contacts and security data. The supplier is also asked to accept and acknowledge Milliken s Supplier Code of Conduct and Terms and Conditions, before acceptance as a Milliken Supplier. This database is maintained by the Global Sourcing group until the supplier is removed from the approved suppliers list. Milliken's non-logistics purchasing activities are controlled by the Global Purchasing group. Milliken's logistics purchasing activities are controlled by the Global Logistics group. Milliken associates are responsible for ensuring that potential business partners are viable, legitimate, on-going businesses that are capable of meeting the needs of Milliken & Company. For non-logistics suppliers, the primary record of a supplier's viability is the "Request for New Supplier Form". A copy of this can be found in the CTPAT Document Exchange section of this portal. This document records the supplier's organization, primary product or services offered, physical and remit-to addresses, payment information, D&B number, Tax Identification Number, terms,contacts and security data. This report is maintained by the Global Purchasing group until the supplier is removed from the approved suppliers list. For logistics suppliers, the primary record of a supplier's viability is the "Carrier Information Report" maintained by the logistics department. Logistics department associates are responsible for completing this report for each provider. A copy of the "Carrier Information Report" can be found in the Partner Document Exchange section of this portal. Container Security, General Milliken maintains procedures covering the inspection, loading, sealing, and manifesting of containers. These procedures have incorporated USCBP's guidance for a 7-point inspection process, proper commercial invoice data in accordance with 19CFR141.86, and the usage of seals compliant with ISO A copy of this procedure (CTPAT shipping security guidelines) can be found in the CTPAT Partner Document Exchange section of this portal. Container Security, Container Inspection Milliken has incorporated USCBP's 7-point inspection plan into the "CTPAT shipping security guidelines". A copy of this procedure can be found in the CTPAT Partner Document Exchange section of this portal. Container Security, Container Seals Milliken maintains procedures for the control, affixation, and documentation of container seals as part of its "CTPAT shipping security guidelines". A copy of this procedure can be found in the CTPAT Partner Document Exchange section of this portal. Container Security, Container Storage

5 Milliken's CTPAT shipping security guidelines dictate that containers must be kept in a secure location, and any breach of security must be communicated to location management and other authorities as the case warrants. A copy of this procedure can be found in the CTPAT Partner Document Exchange section of this portal. Physical Access Controls, Employees Access to all Milliken locations is controlled by electronic proximity cards and/or security personnel. All Milliken & Co. associates are required to carry a company issued identification badge. Processes are maintained by the Human Resources department at each location to control the issuance and revocation of associate identification badges. Physical Access Controls, Visitor Controls All Milliken locations require visitors including contractors, subcontractors, suppliers, and customers to present positive/current identification in the form of a government issued identification upon initial arrival at the Milliken location. All locations maintain a visitor s log/badge system to include: Name of Visitor Time of Arrival Nature of Visit Milliken Contact/Host Name of Company or Business Time of Departure Upon completion of the visitor sign in/out process, the visitor is assigned a visitor pass that must be visible at all times while at the Milliken location. Each visitor to a Milliken location is assigned a Milliken associate to act as a host and guide while they are on-site. All Milliken locations maintain an unauthorized access control process for responding to unknown persons in company facilities or on company property. Physical Access Controls, Building Security All access points at Milliken locations are either staffed with security personnel that ensures the Milliken Visitor procedures are followed or the access point requires that you scan a Milliken-issued badge to enter. All badges contain a photo ID which is required to be visible at all times. Physical Access Controls, Deliveries (including mail) See information in previous section. Mail and packages coming into Milliken locations are inspected by personnel in the mail rooms or incoming mail delivery areas. Anything leaving a Milliken location that is not customer products must have an ADOE, Authorized Deposit of Equipment before it can leave the location/plant.

6 All Milliken manufacturing locations are protected by perimeter fencing with several exceptions. Exceptions include security guards and/or prox card systems to prevent entry into the location. Where fencing applies, this fencing is inspected at least annually by Milliken & Co. location/plant associates and at least every two years by the corporate security director to ensure integrity and/or implement repairs where needed and where recorded. Access points in the fencing are monitored by electronic proximity cards, security personnel, and/or CCTV Digital Cameras. Physical Access Controls, Challenging and Removing Unauthorized Persons See information in previous section. Milliken & Co. has a corporate guideline that requires all Milliken locations maintain an unauthorized/unidentified access control process for responding to unknown persons in company facilities or on company property. A copy of this procedure can be found in the partner document exchange section under "Unauthorized Access Procedure". Personnel Security If any red flags are raised during the application process or during employment which indicates follow up is needed, checks may be done. Milliken may use government websites, databases, and law enforcement agencies to help facilitate the screening. A copy of the "Associate Employment Guide" can be found in the CTPAT Partner Document Exchange section of this portal. Personnel Security, Pre-Employment Verification Milliken has a standard process for verifying and documenting employment history and references prior to employment. A copy of the "Associate Employment Guide" can be found in the CTPAT Partner Document Exchange section of this portal. Personnel Security, Background checks / investigations If a review of the employment application indicates that follow up is needed, local government websites may be used. We may also involve our Labor Law Attorney who has access to certain state databases. If associates are hired through certain temporary agencies, the temp agency performs background checks. Once employed, checks may be done based on cause. Personnel Security, Personnel Termination Procedures Milliken has standard procedures and processes in place to remove identification, facility, and system access for all terminated associates. Copies of the management and non-management exit interview documentation can be found in the partner s document exchange section of this portal.

7 Procedural Security, Documentation Processing Milliken maintains procedures to ensure that all information used for entering cargo is legible, complete, and accurate. These procedures can be found in "CTPAT Shipping Security Guidelines" and the "Supplier Documentation Guidelines" in the CTPAT Partners Document Exchange section of this portal. Milliken also maintains procedures to safeguard computer access and information. This information can be found in "IT Security SPI 9011" in the document exchange section. Procedural Security, Manifesting Procedures See "CTPAT Shipping Security Guidelines" and the "Supplier Documentation Guidelines" in the CTPAT Partner Document Exchange section of the portal for information on manifesting procedures. Procedural Security, Shipping & Receiving Milliken maintains written procedures to control the shipping and receiving processes. These procedures include instructions for verifying the authenticity of the load and identity of the driver, inspecting the conveyance and seal for tampering, and reconciling the contents of the shipment against shipment documentation. Copies of these procedures can be found in the document exchange section of the portal under "CTPAT Receiving Process" Procedural Security Milliken considers a business partner anyone in the supply chain that could have access to the goods. This includes transportation partners and warehousing partners. Milliken maintains written processes for the selection of business partners. As part of this process, a business partner's CTPAT status is determined by means of their SVI or CTPAT certificate. For those business partners who are not eligible for CTPAT or who have chosen not to join CTPAT, their security level is assessed by means of a security questionnaire administered via the internet. This information is then used to assess the security risks of these business partners. Procedural Security, Cargo Discrepancies Milliken maintains procedures for identifying and investigating shortages, overages, and other discrepancies. These are part of Milliken's receiving process. A copy can be found in the CTPAT partner document exchange under "CTPAT Receiving Process". Security Training and Threat Awareness All Milliken locations maintain updated Crisis Communications/Emergency

8 Preparedness processes as a part of the Safety/Health/Security Process. All associates receive annual education/training as it relates to Safety/Health/Security. All locations also have detailed Business Continuity/Contingency Planning Processes. All locations have Crisis Models which include Bomb Threats, Workplace Violence, Terrorism, etc. Education/Training through this initiative is included in the Crisis Models for each location/plant. These processes are also reviewed by OSHA (Occupational Safety & Health Administration) in that all 39 Milliken & Co. U.S. sites are OSHA VPP "STAR" sites. All Milliken locations include the following in their crisis models; Risk Assessments Security Reviews Emergency & Crisis Management and Planning Physical Security, Fencing Milliken utilizes perimeter fencing where necessary to secure its facilities. This fencing is inspected at least annually by Milliken associates to ensure integrity and/or implement repairs. This inspection is typically the responsibility of the location engineering associate. Milliken & Co. Security Director reviews these audits at least every 24 months. This is included in the Milliken & Co. Security Audit Process. Physical Security, Gates and Gate Houses Gates at Milliken locations are monitored by security personnel, Milliken associates, and/or electronic access control devices. Gates are kept to a minimum with all access gates having CCTV Digital Cameras to monitor entry and exit. Physical Security, Parking Milliken's cargo handling facilities are separated from associate and visitor parking areas by fencing that incorporates access control procedures. Physical Security, Building Structure Milliken's facilities are constructed of concrete, steel, metal, or other substantial building materials. The condition of all facilities is inspected regularly by plant personnel. Physical Security, Building Security Milliken treats internal cargo handling and storage locations as Milliken facilities and are covered by the company security procedures detailed in this security profile. Milliken considers any outside cargo handling or storage facility as a business partner.

9 Milliken maintains written processes for the selection of business partners. As part of this process, a business partner's CTPAT status is determined by means of their SVI or CTPAT certificate. For those business partners who are not eligible for CTPAT or who have chosen not to join CTPAT, their security level is assessed by means of a security questionnaire administered via the internet. This information is then used to assess the security risks of these business partners. Physical Security, Locking Devices and Key Controls All windows, gates, and fences are secured by means of a locking device. All Master and Grand Master locks are accounted for by location/plant engineering. Physical Security, Lighting Milliken's exterior and interior lighting is designed and maintained to comply with all local building codes. All lighting is reviewed on the Corporate Security Audit that is done every 16 months by the corporate director of Safety/Health/Security/IP. Physical Security, Alarms Systems & Video Surveillance Cameras All Milliken locations/plants have specific designed security systems in place to include CCTV Digital Camera systems, lighting, prox card access controls, fencing and/or Security Services either from SFI or American Security. All locations are reviewed at least every 16 months. This process is also included on the Corporate Security Audit Process. Information Technology Security - Password Protection Milliken's set of information security policies begin with our Information Security Charter which outlines the mission, roles, and responsibilities associated with our program (SPI 91.00). This high-level policy is supported by several, more specific policies covering topics such as data classification, secure computing behaviors, user ID management, and password policy. These security policies are accessible on Milliken's intranet site and are reviewed on an annual basis. Milliken's information systems are designed to ensure both individual accountability and auditability. Access to company information systems is controlled by unique user identification and passwords. Individual passwords must be changed periodically according to corporate standards. All Milliken associates receive mandatory security training on an annual basis which is supplemented with live presentations, mass communications, and intranet news bulletins. Information Technology Security Accountability

10 It is the responsibility of each associate to report data security violations to their manager. Milliken also utilizes firewalls, endpoint protection software, and security monitoring systems for the purpose of identifying security breaches or other improprieties. Milliken maintains Human Resource policies that outline disciplinary procedures to be used in the event of data security breaches. (See Personnel Policy Manual SPI 8.07) Milliken Data Security schedules annual reviews with Data Owners to validate that current access is appropriate. In addition, a Governance, Risk, and Compliance (GRC) system has been implemented to identify segregation of duty issues, track usage of critical transactions, and report activity of associates with a high level of access. GRC reports are reviewed by designated owners either on a daily, or a monthly basis, as determined by the GRC Administrator. Access to data resources is approved by Data Owners and administered by the Data Security team. Data Security is notified of new hires, job changes, and terminations automatically through the HR system to insure access is prompted added or removed.