Securing the High-Tech Supply Chain - PowerPoint PPT Presentation

About This Presentation
Title:

Securing the High-Tech Supply Chain

Description:

We would like to show you a description here but the site won t allow us. – PowerPoint PPT presentation

Number of Views:131
Avg rating:3.0/5.0
Slides: 31
Provided by: Stelling3
Learn more at: http://www.web.mit.edu
Category:

less

Transcript and Presenter's Notes

Title: Securing the High-Tech Supply Chain


1
Securing the High-Tech Supply Chain
  • Steve Lund
  • Director of Corporate Security
  • Intel Corporation

2
Agenda
  • Intels Supply Chain Security model
  • Creation and Evolution of TAPA
  • Using standards and TAPA models to meet new
    threats of terrorism
  • U.S. Customs Trade Partnership Against Terrorism
    (C-TPAT)
  • Intels Threat Response and Emergency Management
    Program
  • Drilling for Success

3
Why Develop Freight Security Requirements?
4
Intels Transportation Supplier Management Model
  • For more than 10 years, Intel has embedded
    security requirements in freight transport
    contracts
  • Physical security of premises and equipment (e.g.
    trucks)
  • Procedural security (e.g. background
    investigations)
  • Contractually obligated, with established metrics
    and periodic performance evaluation
  • With the introduction of the Pentium product
    line, this program was further refined to achieve
    door to door security
  • Zero losses of Pentium product in first quarter
    of shipping
  • Intels model gained notice among other high-tech
    companies experiencing freight theft, which led
    to the formation of the Technology Asset
    Protection Association

5
What is TAPA?
  • The Technology Asset Protection Association is
    an non-profit forum of security, insurance and
    logistics professionals representing high
    technology companies who have organized for the
    purpose of addressing the emerging cargo security
    threats common to the technology industry.

www.tapaonline.org
6
WHAT TAPA IS NOT
  • Forum for blacklisting of suppliers
  • Information sharing is done on standards and
    BKMs, not on any supplier performance issues
  • Forum for comparison of industry/supplier losses
  • All discussion under NDA-- dont ask / dont
    tell
  • Guarantor of business
  • Supplier compliance to standards gauged
    independently
  • Certified suppliers to be listed on limited
    access website--non-certified locations not
    listed
  • Unreasonable or cost-prohibitive

www.tapaonline.org
7
Evolution of TAPA
  • 1997 Security professionals meet to address
    problem of high tech theft
  • Global problem -- no one exempt from cargo theft
  • Demand for product peaking
  • Highly liquid components and demand on grey and
    black markets
  • Conclusion Establish a forum dedicated to
    development of best known protective measures,
    benchmarking and global implementation A
    rising tide lifts all boats
  • 1998-2000 Development of Standards
  • Audit Criteria
  • Contractual Security TCs in form of Freight
    Security Requirements
  • Scoring Matrix
  • RFQ for Independent Auditors
  • 1999 TAPA EMEA formed
  • 2000 TAPA Asia formed, TAPA Worldwide Council
    developed
  • 2001 Independent Audit program proliferated
  • Audit companies trained, three day course -
    Certification process begins
  • eTAPS developed in Europe
  • 2002 Worldwide membership exceeds 450
  • Benchmarked as best in class by Technology and
    Terrorism Committee, U.S. Senate
  • Pharmaceutical membership extended
  • Over 200 audits scheduled worldwide

www.tapaonline.org
8
Partnership Leverage
  • 450 worldwide members
  • Active organizations in Americas, Asia, EMEA
  • Market Capitalization of member companies gt 1.25
    Trillion
  • In 2000, was 3.0 Trillion
  • Annual Sales of member companies gt 750 Billion
  • Uniform approach to problematic locations versus
    fragmented efforts
  • Support of law enforcement investigations
  • Product, equipment, packaging, information
  • Industry contacts worldwide - strong
    communication infrastructure
  • Information and training on products and
    vulnerabilities
  • Access to TAPA quarterly meetings
  • Presentation, Participation, Networking

www.tapaonline.org
9
Putting the Right Security Measures in Place
  • Classification of facilities in 3 categories (A,
    B, C) depending on level of threat
  • Threat calculated by environmental and historical
    data and risk aversion level for individual
    company
  • Highest level classification requires highest
    level of security
  • Applied to trucking operations as well as air
    operations
  • Assessment protocol using 0 - 2 qualitative
    score--no weighting

www.tapaonline.org
10
  • VALUE
  • VOLUME
  • VULNERABILITY

11
Freight Security Model
Training
Contractual Language
Standard Assessment Protocol
Investigations
Consequences
Freight Security Requirements
www.tapaonline.org
12
Independent Auditors Move From This
To This
13
TAPA Sub-Teams
  • Insurance Team
  • Leverage insurance industry influence on
    mandatory standards
  • Insurance premium analysis
  • Program proliferation
  • Waiver Committee
  • Review body for all supplier waivers
  • Integrator/3rd Party Logistics
  • Standards development for inventoried
    product/outsourced warehousing
  • Work with Integrator market on program
    certification and standards

www.tapaonline.org
14
Post - 9/11 Threats Leveraging Existing
Programs and Creating Models to Meet New
Challenges
15
Positioned for Emerging Threats
  • September 11, 2001 re-focused attention on the
    threat of terrorism to all operations, including
    supply chain
  • Employee safety and security home, office,
    travel
  • Airline grounding in aftermath of attacks
    alternative shipping lanes, managing product
    backlog
  • Contingency plans for design, manufacturing,
    distribution
  • Upstream and downstream impacts of direct attack
    or collateral impact are suppliers and
    customers prepared?
  • Communications infrastructure vulnerabilities
  • Scarcity or unavailability of insurance
  • The comprehensive nature of the supply-chain
    security measures established and proliferated
    through TAPA have shown ancillary benefits to
    anti-terrorism efforts

16
  • Customs Trade Partnership
  • Against Terrorism (C-TPAT)
  • Establishes Supply Chain Security requirements
    Factory, Warehouse, Docks, Forwarder/Integrator
    Facilities
  • Shared FSRs, Audit Protocol, and Scoring Matrix
    with program management, best known methods to
    date
  • USC agreement that TAPA security requirements
    fulfill supplier and manufacturer obligation if
    C-TPAT certified
  • Several companies have been C-TPAT certified by
    implementing TAPA supply chain model
  • Intel certified September, 2002

17
C-TPAT Focus Areas
  • Develop and implement a sound plan to enhance
    security
  • procedures. These are general recommendations
    that should
  • be followed on a case-by-case basis depending on
    the
  • companys size and structure and may not be
    applicable to all.
  • Required Locations
  • Supply Chain
  • Importer
  • Broker
  • Manufacturer
  • Warehouse
  • Air / Sea /Land Carriers
  • Required Elements
  • Procedural Security
  • Personnel Security
  • Physical Security
  • Education and Training
  • Conveyance Security
  • Access Controls
  • Manifest Procedures

18
C-TPAT Membership Benefits
  • A reduced number of inspections
  • Avoids delays in shipment and negative impact to
    customers
  • More secure supply chain for employees, suppliers
    and customers
  • Account Based Processing (bi-monthly/monthly
    submission of duties)
  • Self policing and assessment
  • Partnership with government against terrorism
  • Membership in first worldwide supply chain wide
    security initiative
  • Account Manager will be assigned
  • Access to the list of other C-TPAT members

19
Threat Management
  • Internal focus after 9/11/01 and anthrax mailings
    on emergency preparedness and business recovery /
    continuity
  • Developed a Security and Safety Task Force
    comprised of all major business groups
  • Corporate Business Continuity program office an
    outgrowth of effort
  • Operational risk assessments to identify single
    points of failure and critical assets, with
    specific action plans to mitigate vulnerabilities
  • Clear deliverables, timelines, and continuous
    review of progress
  • Response plans for various major or catastrophic
    scenarios
  • Loss of facility
  • Loss of supplier capability (equipment,
    transportation, services)
  • Anthrax or other biohazard introduced into
    environment
  • Creation of a Corporate Emergency Operations
    Center to ensure an mechanism for top-level
    management of crises, enable effective
    communication and coordination of site responses

20
Intel Site Emergency Operations Centers (EOCs)
and Corporate Emergency Operations Centers
(CEOCs)
Ireland
England
Dupont
Oregon
Hudson
Colorado
Japan
Folsom
China
Israel
Utah
Santa Clara
Malaysia
New Mexico
Philippines
Arizona
Costa Rica
India
Blue font location of Site and Corporate EOCs
21
Site EOCs
  • Located at each major site worldwide
  • Locally managed, with EOC director from major
    business group, cross-functional participation
  • Local business groups
  • Security
  • EHS
  • Public Affairs
  • Site Services
  • Established location on-site, with equipment and
    procedures as required by Corporate Emergency
    Management program, including
  • Response templates for various scenarios
  • Multiple computer connections
  • Media connection (e.g. satellite TV news)
  • Redundant communications
  • PBX phone lines
  • Dedicated copper phone lines
  • Local channel radios
  • Satellite telephones
  • Ham Radio equipment / operators

22
Corporate EOC
  • Multiple locations for redundancy and efficiency
  • Membership at senior-level management
  • Core CEOC Director, Coordinator, Security, EHS,
    Corporate Communications, CEOC Scribe
  • Extended CEOC Legal, HR, Sales, Finance, other
    business groups
  • Established rooms, fitted with all site EOC
    elements
  • CEOC guidelines specific to CEOC operations
  • Controlled document, scheduled revisions
  • Activation linked to existing Security or EOC
    escalation actions, or at discretion of core team
    members

Intent to enable response at site level,
coordinate communication between sites and senior
management, and enable informed and effective
internal and external messages by Executive Staff
23
Drills
  • Corporate Emergency Management group, site EOCs,
    and various business groups have historically
    utilized tabletop exercises and full drills
    Corporate Drill Roadmap
  • After September 11th, some drill scenarios were
    added, and scope of drills increased to
    comprehend all operational elements
  • Anthrax response (based on existing plans)
    included test kits, expanded communication,
    employee awareness (mail rooms)
  • Other biohazard scenarios
  • Aviation disaster response
  • Function-specific business recovery
  • CEOC and EOC emergency response capability
  • Dirty bomb scenario
  • Typically 10-12 separate drills per quarter
  • Designed and led by affected business group (IT,
    TMG, HR, etc.)
  • Site EOC and CEOC participation as warranted by
    scenario

24
Supply Chain Drills
  • Business unit drills designed to include all
    potentially impacted elements of that group
  • Clear and detailed drill scenarios
    outlinedincluding
  • Participants and their roles
  • Design of drill
  • Objectives of the exercise
  • In scope / Out of scope
  • Artificialities of the drill (assumptions)
  • Starting script
  • Drills involve accelerated timelines,
    role-playing, simulated supplier engagement
  • Key suppliers have been engaged in establishing
    Business Continuity and identifying gaps and
    focus areas
  • Supply network rebalance/reset has become a key
    aspect of drills

25
Recent Drills Involving Supply Chain
  • Q2 2002
  • Scenario involved loss of key manufacturing
    facility in the Philippines
  • All immediate emergency response elements assumed
    to be under control
  • Impact to employees managing casualties and
    communication
  • Explored transportation and warehousing
    capability in first 72 hours, at 3-7 days, and at
    7 days following the incident
  • Impacts to other sites
  • Internal and External communications
  • Q4 2002
  • Scenario involved loss of production in Oregon
    due to massive earthquake
  • All emergency response elements assumed under
    control
  • Airport closure part of scenario
  • Team worked through transportation and warehouse
    capabilities in first 24 hours, 24-72 hours, 3-7
    days, 8-14 days, 30 days, and 45 days after
    incident
  • Prioritizing shipments, identifying alternative
    transportation methods and routes

26
Key Elements
  • Effective supply chain management program, door
    to door
  • By starting with focus on security, have
    infrastructure in place to influence or manage
    the entire process
  • Effective Risk Assessment protocol to identify
    single points of failure, critical focus areas,
    and mitigation strategies
  • Understand context of risks / threats, local
    flavors, key relationships with internal groups
    or suppliers, and how those relationships can be
    affected by a crisis
  • Senior Management and Business Group commitment
  • Corporate-level processes and coaching, but need
    each group to leverage their expertise and
    experience to their functional area
  • Integrated response capability
  • All business groups engaged in crisis management
    planning
  • Key service groups (Security, EM, EHS) linked to
    response and continuity efforts
  • Drill, Drill, Drill

27
QUESTIONS?
28
Back Up
29
TAPA Partners
  • The Infrastructure Security Partnership
  • Cargo Security
  • Risk/Threat Assessments in Supply Chain
  • Transportation Security Administration
  • Partnership on development of FTL / LTL trailer
    load security requirements
  • TAPA Standards template for in transit cargo
    protection
  • National Cargo Security Council

30
TAPA Independent Audit Firms
Write a Comment
User Comments (0)
About PowerShow.com