Menard, Inc. ( Menard, Inc. ) C-TPAT Protocols for Suppliers

Transcription

1 Menard, Inc. ( Menard, Inc. ) C-TPAT Protocols for Suppliers February 2016 I have read this page: Date: Doc C Page 1

2 Table of Contents Introduction 1. Procedural Security 2. Physical Security 3. Access Controls / Information Technology 4. Personnel Security 5. Education & Awareness Training 6. SVI Monitoring Tool I have read this page: Date: Doc C Page 2

3 Menard, Inc. ( Menard, Inc. ) Introduction In the wake of 9/11, the Bureau of Customs and Border Protection ( CBP ) immediately tightened security at U.S. borders and cautioned the importing community of the susceptibility of the supply chain to breeches in cargo security. The tragedy also prompted CBP to institute a voluntary security program known as the Customs-Trade Partnership Against Terrorism (C-TPAT). This joint initiative between CBP and the global business community will not only strengthen the supply chain but it will also give visible benefits to those companies choosing to join. In exchange for implementing improved security practices and communicating security requirements to their business partners, importers can expect to have reduced inspections and quicker clearance of imported freight. By participating in the C-TPAT program, Menard, Inc. hopes to increase vigilance amongst its employees and partners, and establish a more secure & efficient supply chain. By setting a precedent for our foreign counterparts, Menard, Inc. will prove itself to be a leader in supply chain security. We at Menard, Inc. understand that if our supply chain were disturbed by an act of terror, it could have a significant impact on our business and business relationships. Therefore, we are asking the vendors with which we do business to enhance their safety and security procedures in the following areas: procedural security, physical security, conveyance security, access controls, personnel security, and education and awareness training. Menard, Inc. has developed a list of requirements for each of these specific areas of focus. We recognize that some of the requirements may be based on U.S. standards and may not be possible to implement in other countries. We also recognize that certain requirements may not be appropriate for some vendors due to the factory s size and structure. However, it is important for each manufacturer to acknowledge that security regulations are formulated and implemented to protect both the company and its employees. It is imperative that all employees observe the facility security policies and report any suspicious or improper actions to management and/or the proper authorities. Menard, Inc. reserves the right to conduct background investigations on manufacturers before doing business with them. In particular, Menard, Inc. is interested in investigating the company for financial solvency and the principles for criminal activity. I have read this page: Date: Doc C Page 3

4 Vendor Compliance Commitment To Supply Chain Security Menard, Inc. has committed to cooperate with the US Customs and Border Protection (CBP) to develop a more secure border environment by focusing on the proper security of the physical production, handling and transportation of Imported Products. Through CBP s program known as C-TPAT, (Customs-Trade Partnership Against Terrorism), Menard, Inc. will be required to verify, document, and enhance security processes through out its supply chain process. Additional information about C-TPAT can be found at Menard, Inc. will now require their suppliers, and/or buying agents (Reps) adhere to C-TPAT requirements involving Best Practices and security assessments. Menard, Inc. will also require its suppliers and/or buying agents and representatives to participate in the SVI monitoring tool on the C-TPAT website. SVI (Status Verification Interface) refers to U.S. Customs and Border Protection Internet based user interface. The SVI is the point of electronic access to verify the C-TPAT status of another Status Verification Interface Participant (SVIP). The SVI will allow a consenting certified C-TPAT partner to verify the participation status of other consenting certified C-TPAT partners. To participate in SVI, a company must: 1. Have an active C-TPAT account in good standing (certified or above). 2. Consent to share their status with other companies, as is stated in the SVI agreement. If you already participate in SVI, read and understand Menard, Inc. C-TPAT protocols and fill out the Acknowledgement form. If you do not participate in SVI, Menard, Inc. requires you to read and understand Menard, Inc. C-TPAT protocols, complete Menard s Vendor Questionnaire, and fill out the Acknowledgement form. What does it all mean? The importer, its suppliers, buying agents and/or reps all share the responsibility and accountability of Securing the Nation s Supply chain. We must all do our part to prevent an attack on our nation from ever happening again. 1. Procedural Security Procedural Security measures regulate incoming and outgoing goods and are designed to prevent the introduction of unmanifested materials into the supply chain, or the loss or exchange of Menard, Inc. merchandise. 1.1 Each factory should have a designated employee supervising the introduction and removal of cargo. 1.2 All merchandise must be properly marked, weighed, counted, and documented. 1.3 Procedures must be in place to govern the detection and recording of shortages and overages. 1.4 Containers, trailers, and/or railcars left at the facility overnight must be secured. Containers that are full of cargo must be locked and sealed with industry-approved seals (ISO 17712:2013) and said seal numbers must be recorded. The seals should be uniquely numbered and require destruction to be removed. 1.5 The factory should have a procedure for inspecting and verifying seals. Discrepancies must immediately be reported to management and/or security personnel. 1.6 The physical integrity of the container must be fully inspected (handles locking, front wall, left side, right side, ceiling/roof, floor, doors, underneath) prior to container stuffing. 1.7 All containers or trailers entering or leaving the facility must be recorded, along with the name of the driver who took custody of the merchandise. 1.8 Arriving packages/mail should be periodically screened. 1.9 All security procedures must be documented with formal self-assessments (see attached) completed every year. Copies of the self-assessment must be forwarded to Menard, Inc. Import Manager. I have read this page: Date: Doc C Page 4

5 1.10 Menard, Inc. conducts assessments on a periodic basis. All vendors must provide free access to Menard, Inc. and/or its agents to conduct these assessments. 2. Physical Security Factories from which Menard, Inc. sources should have the following characteristics: 2.1 Buildings must be constructed of materials that resist unlawful entry and protect against outside intrusion. 2.2 Entrances and exits must be monitored. Doors should be locked or otherwise secured when not in use. 2.3 External and internal doors, windows, and fences must be protected by appropriate means. Perimeter fencing should enclose the areas around cargo handling and storage facilities. 2.4 Fencing should be inspected regularly for integrity and damage. 2.5 The number of gates should be kept to a minimum. 2.6 Alarms to detect unauthorized entry after hours. Systems should be monitored by a security guard or outside agency. 2.7 External doors that are alarmed and linked to the main alarm system. 2.8 Windows secured with alarms or other protective barriers/deterrents (bars, etc.). 2.9 Reinforced exit doors. Likewise, dock doors should be constructed of materials that prevent unlawful entry Adequate lighting inside and outside the facility. All corners of parking lots must be illuminated at night. Inside lighting should be bright enough to eliminate dark spots or corners Flood lighting on loading and unloading areas. Dock doors should be illuminated at night Clear zones must be maintained internally and externally to monitor the security of the facility. Brush and growth should be cleared at least 35 feet from perimeter barrier A guard or receptionist to monitor office entrances There must be a formal registration process for documenting visitors to the operations Parking for employees must be separate from the dock and cargo operations All containers and trailers that remain at the warehouse overnight should be secured. Trailers loaded with cargo should also be sealed, with the seal number recorded and verified Seal numbers must be verified before the trailer or truck is released Employees should also be familiar with the trucking vendors. The identification of the driver should be checked before cargo is released to his or her custody Truck drivers should never be allowed to randomly enter the factory and pick up a trailer without supervision Each facility should also have communication systems in place to contact internal security personnel or local law enforcement police in the event of an emergency. I have read this page: Date: Doc C Page 5

6 3. Access Controls / Information Technology Factories from which Menard, Inc. sources are expected to meet the requirements detailed below. We understand that all measures may not be appropriate for all factories because of differences in size and structure. However, the vendor should strive to implement as many measures as necessary to ensure that access to Menard, Inc. merchandise is restricted to authorized employees. 3.1 Factories should have a formal system for identifying both permanent and temporary employees. Ideally, ID badges with the employee s name and picture should be used. 3.2 Badges should be visible at all times. Employees must be required to show their badges upon entering the facility. 3.3 Badges should be color-coded to help distinguish workers from assigned areas to various areas of the operation. 3.4 Factories should limit employee access to loading docks. Only employees scheduled to work on the loading docks or otherwise approved should be granted access. 3.5 All facilities must have a controlled access gate that monitors activity coming in and out of the facility. All containers, trailers, and drivers must be logged in and out of the facility. 3.6 Visitors should be formally registered and required to wear a visitor s badge at all times. 3.7 An employee must escort all visitors while in a loading facility or warehouse. 3.8 Employees or security personnel must challenge unknown persons in the facility. 3.9 The procedures for the issuance, removal and changing of access devices must be documented Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges and also control the issuance of locks and keys Computers or networks containing sensitive trade data should be secured so as to prevent unauthorized access to such data. Computer workstations and the network should be password-protected Any information in the public domain (e.g., the Internet) must be protected by a firewall. Anti-virus protection and encryption software should be used to prevent against outside intrusion Limited access should be granted to sensitive information; employees should only have access to information that directly pertains to their job. A log of access rights should be maintained. Once employees are terminated, access rights must be revoked All vendors, manufacturers and business partners should have a data backup plan. System backup data should be stored at an off-site location for safekeeping. 4. Personnel Security Implementing personnel security measures is an important step in securing the supply chain. The focus of a personnel security program is to investigate the background of prospective employees to ensure that they pose no risk to Menard, Inc. s operations. Please note that the requirements provided below are based on U.S. standards and may not be possible to fulfill in other countries. However, we expect all manufacturers with which we do business to take as many steps as possible to avoid hiring someone who may pose a threat to Menard, Inc. or its supply chain. 4.1 Prospective employees must undergo pre-screening prior to commencement of employment. This applies to prospective permanent, temporary, and contract employees. Manufacturers should conduct a background check of all prospective employees. 4.2 The background check should include the following: Criminal convictions All felony and misdemeanor convictions involving workplace violence, burglary/robbery, theft, assault, identity theft, murder, kidnapping, rape, terrorist threats, or other crimes. I have read this page: Date: Doc C Page 6

7 4.2.2 Application verification Prior employment Address verification 4.3 As discussed in the manual section on Access Controls, photographs of all employees should be held on file. 4.4 All business partners must have procedures in place to remove identification, facility and system access for terminated employees. 5. Education and Training Awareness 5.1 To promote security in the supply chain, our vendors should develop a formal security training program for all employees. 5.2 The training program should address the following: Recognizing internal conspiracies Maintaining product integrity Discovering and addressing unauthorized access of the facility or information 5.3 Employees should receive security training within the first 30 days of being hired, and all training should be documented and available for review. 5.4 The training program should be included in the factory s self-audit process. 5.5 Incentives should be established to encourage employees to actively participate in security programs and communicate potential security issues involving theft, conspiracy, or terrorist activities. 5.6 Menard, Inc. reserves the right to approve vendors education & training programs. Menard, Inc. further reserves the right to conduct yearly audits of the programs. 6. SVI Monitoring Tool 6.1 SVI has undergone significant changes in Portal 2.0. The SVI number has transitioned to the new SVI monitoring system. Partner monitoring allows C-TPAT partners to track the C-TPAT status of their business partners. Menard, Inc. requires its importers and/or buying agents and representatives to participate in SVI. To participate in SVI, a company must: (1) have an active C-TPAT account in good standing (certified or above) and (2) consent to share their status with other companies, as is stated in the SVI agreement. I have read this page: Date: Doc C Page 7

8 Acknowledgement Form Menard, Inc. ( Menards ) ACKNOWLEDGMENT of notice of Menards participation in the Customs Trade Partnership Against Terrorism (C-TPAT) program I have received a copy of Menards C-TPAT protocols and have read and understand its contents in their entirety. Company Name: Do you participate in the Status Verification Interface (SVI) monitoring tool on the C-TPAT website? YES NO Company Address: Telephone Number: Do you participate in any foreign customs administration supply chain program, or initiatives? (Circle One) Fax Number: YES NO Address: Signature of Contact person If yes, please provide and attach all certification and documentation regarding your participation. Print Name of Contact person Date of Signature I have read this page: Date: Doc C Page 8

9 Security Self-Assessment Questionnaire *** A questionnaire needs to be completed for each factory that is providing us product. *** *** Do not leave any boxes empty. *** Vendors Name: Factory Name & Address: Reviewer Name: Reviewer Title: Reviewer Company & Contact Information: Date of Review: Are you participating in a C-TPAT or an equivalent WCO accredited security program administrated by a foreign customs authority? YES NO If yes, please provide all certification and documentation regarding your participation. 1. Physical Security Question Yes No 1.1 Are entrances and exits to the warehouse/distribution center monitored? 1.2 Who monitors the entrances/exits? 1.3 Are entrances and exits locked and secured outside of business hours? 1.4 Are intrusion alarms used to detect unauthorized entry after hours? 1.5 Are all external doors alarmed and linked to the main alarm system? 1.6 Are windows secured with alarms or other intrusion deterrents (bars, wiring, etc.)? 1.7 Are dock doors closed and locked unless a shipment is being received or dispatched? 1.8 Is parking for employees & visitors separate from the dock and cargo areas? 1.9 Is lighting both inside and outside the facility adequate to eliminate dark corners? 1.10 Is flood lighting used on loading and unloading areas? 1.11 Are dock doors illuminated at night? 1.12 Are clear zones maintained around the facility (i.e., are brush and growth cleared from the perimeter barrier)? 1.13 Does a guard or receptionist monitor the office entrances? Are communication systems in place to contact internal security 1.14 personnel or local law enforcement officers in the event of an emergency? 1.15 Is international and domestic cargo segregated and marked? 1.16 Is dangerous goods cargo segregated and stored in a safe, caged or fenced-in area? 1.17 Is high-value cargo segregated and stored in a safe, caged or fencedin area? 1.18 Is fencing inspected regularly for integrity and damage? I have read this page: Date: Doc C Page 9

10 2. Access Controls / Information Technology Question Yes No 2.1 Does the facility have a formal ID system for permanent and temporary employees? 2.2 Do the ID badges display both the employee s name and a photo? 2.3 Must employees show their badges upon entering the facility? 2.4 Are badges color-coded to help distinguish workers assigned areas? 2.5 Does company management or security personnel adequately control the issuance and removal of employee, visitor and vendor identification badges and also control the issuance of locks and keys? 2.6 Are employees required to wear uniforms? If so, which Departments/employees? 2.7 Is there a controlled access gate to monitor activity coming in and out of the facility? 2.8 Is there a formal registration process to document visitors to the facility? 2.9 Is access to loading docks limited to those employees approved or scheduled to work on the loading docks? 2.10 Do employees escort visitors while in a loading facility or warehouse? 2.11 Do employees or security personnel challenge unknown or unauthorized persons in the facility? 2.12 Are truck drivers given limited access to the facility and supervised at all times? 2.13 Is there a documented procedure in place for the issuance and changing of access devices? 2.14 If an employee separates from the company, when are access rights revoked? 2.15 Is there a documented procedure in place to ensure that all access rights, keys, keycards, badges are revoked? 2.16 Are networks containing sensitive data secured to prevent unauthorized access to such data? If so, how? 2.17 Are individual computer workstations password-protected? How often are passwords required to be changed? 2.18 If information is available in the public domain (e.g., the Internet), is it protected by a firewall? 2.19 Is access to sensitive information and/or systems limited? 2.20 Is a log of computer/building access rights maintained? 2.21 Are anti-virus protection and encryption software used? 2.22 Do you have a data backup plan? Comments: 3. Procedural Security Question Yes No 3.1 Is the introduction and removal of cargo and packages supervised by a designated security officer? 3.2 Do you ensure that all merchandise is properly marked? 3.3 Do you ensure that all merchandise is properly counted? 3.4 Do you ensure that all merchandise is properly weighed? 3.5 Do you ensure that all merchandise is properly documented? 3.6 Do you have a procedure to detect and report shortages and overages? 3.7 Do you utilize industry-approved seals on outbound containers/trailers/railcars? 3.8 Do you have a procedure for storing, recording, tracking, and affixing seals? 3.9 Do you have a procedure for reporting compromised seals to US Customs or to your local authority? 3.10 Is the physical integrity of the container fully inspected prior to stuffing? 3.11 Are containers/trailers/railcars and drivers that enter or leave the facility recorded? 3.12 Do you store containers/trailers/railcars at your facility overnight? 3.13 Are those containers empty or full? 3.14 How are they secured? Comments: I have read this page: Date: Doc C Page 10

11 4. Personnel Security NOTE: We recognize that many of the standards listed below are the common practice in the U.S., though this might not be the case in your country. We also recognize that some data or information that is available in the U.S. may not be available in other countries. Question Yes No 4.1 Are prospective employees pre-screened before employment? 4.2 Is applicant information, such as employment history and references verified prior to employment? 4.3 Once employed, are periodic checks and reinvestigations performed based on cause, and/or the sensitivity of the employee s position? 4.4 Do you also pre-screen temporary and contract employees with the same diligence? Which of the following areas does the pre-screening process include? Application verification Prior employment 4.5 Address verification Criminal convictions Drug testing Other (describe) 4.6 Are photographs of employees held on file? 4.7 Do you have procedures in place to remove identification, facility and system access for terminated employees? Comments: 5. Education & Training Awareness Question Yes No 5.1 Does your facility have a formal training program? 5.2 When is the training program administered to employees? Does the training program address the following areas? Recognizing internal conspiracies 5.3 Maintaining product integrity Discovering and addressing unauthorized access of the facility or information 5.4 Do you offer incentives for employees to participate in security controls (e.g., rewards for reporting wrongdoing)? 5.5 Do employees receive security training? 5.6 Is the security training documented and available for review? Comments: I have read this page: Date: Doc C Page 11

12 List all skus associated with the facility/factory in this survey. Sku# Model# Description I have read this page: Date: Doc C Page 12