6 Training and Procedures
6.1 Escalation Procedures
Procedures
6.1.1
Local documented procedures in place for handling Buyer’s assets, including a process for timely reporting of lost, missing or stolen Buyer’s assets. Incidents to be reported by the LSP/Applicant to the Buyer within 24 hours. Obvious thefts reported immediately. Process consistently followed.
6.1.2
Emergency Buyer and LSP/Applicant facility management contacts for security incidents listed and available. Listing updated at 6-monthly intervals and includes law enforcement emergency contacts.
6.2 Management Commitment
Procedures
6.2.1
The supplier must have a formally appointed person for security on site who is responsible for maintaining TAPA FSR and company supply chain security requirements. The supplier must also have a person (can be the same) responsible for monitoring the FSR program. This includes scheduling compliance checks, communications with AAs, recertification, changes to the FSR Standard, etc.
Note: These persons can be employees or outsourced persons under contract to perform this role.
6.2.2
Management must develop, communicate, and maintain a documented security policy to ensure all relevant persons (i.e. employees and contractors) are clearly aware of the provider’s security expectations.
6.2.3
A facility Risk Assessment which recognizes the likelihood and impact of security-related events must be conducted/updated at least annually. The Risk Assessment process must be documented and require management to make informed decisions about vulnerabilities and mitigation.
At a minimum, the following common internal/external events must be assessed: theft of cargo or information, unauthorized access to facilities or cargo, tampering with/destruction of security systems, fictitious pickups of cargo, security continuity during workforce shortages, or natural disasters, etc.
Additional events may be considered based on local/country risks.
6.3 Training
Training
6.3.1
Security / Threat Awareness training, covering both general risks and any specific / unique local risks, provided every 2 years to all members of the workforce.
6.3.2
Information security awareness training focused on protecting Buyer’s electronic and physical shipping data provided to workforce having access to Buyer’s information.
6.4 Access to Buyer’s Assets
Procedures
6.4.1
Documented procedure(s) in place to protect Buyer's assets (i.e. cargo) from unauthorized access by the workforce, visitors, etc.
6.5 Information Control
Procedures
6.5.1
Access to shipping documents and information on Buyer’s assets controlled based on “need to know.”
6.5.2
Access monitored and recorded.
6.5.3
Documents safeguarded until destruction.
6.6 Security Incident Reporting
Procedures
6.6.1
Security incident reporting and tracking system in place, used to implement proactive measures.
6.7 Maintenance Programs
Procedures
6.7.1
Documented maintenance programs in place for all technical (physical) security installations/systems to ensure functionality at all times (e.g. CCTV, Access Controls, Intruder Detection, and Lighting).
6.7.2
Preventative maintenance conducted once a year, or in accordance with manufacturer’s specifications.
6.7.3
Functionality verifications of all systems once per week and documented, unless system failure is immediately / automatically reported or alarmed.
6.7.4
A repair order must be initiated within 48 hours of when the fault is discovered. For any repairs expected to exceed 24 hours, alternative mitigations must be implemented.