300 likes | 507 Views
Securing the High-Tech Supply Chain. Steve Lund Director of Corporate Security Intel Corporation. Agenda . Intel’s Supply Chain Security model Creation and Evolution of TAPA Using standards and TAPA models to meet new threats of terrorism
E N D
Securing the High-Tech Supply Chain Steve Lund Director of Corporate Security Intel Corporation
Agenda • Intel’s Supply Chain Security model • Creation and Evolution of TAPA • Using standards and TAPA models to meet new threats of terrorism • U.S. Customs Trade Partnership Against Terrorism (C-TPAT) • Intel’s Threat Response and Emergency Management Program • Drilling for Success Steve Lund – Intel Corporation
Why Develop Freight Security Requirements? Steve Lund – Intel Corporation
Intel’s Transportation Supplier Management Model • For more than 10 years, Intel has embedded security requirements in freight transport contracts • Physical security of premises and equipment (e.g. trucks) • Procedural security (e.g. background investigations) • Contractually obligated, with established metrics and periodic performance evaluation • With the introduction of the Pentium® product line, this program was further refined to achieve door to door security • Zero losses of Pentium® product in first quarter of shipping • Intel’s model gained notice among other high-tech companies experiencing freight theft, which led to the formation of the Technology Asset Protection Association Steve Lund – Intel Corporation
What is TAPA? The Technology Asset Protection Association is an non-profit forum of security, insurance and logistics professionals representing high technology companies who have organized for the purpose of addressing the emerging cargo security threats common to the technology industry. www.tapaonline.org Steve Lund – Intel Corporation
WHAT TAPA IS NOT • Forum for “blacklisting” of suppliers • Information sharing is done on standards and BKM’s, not on any supplier performance issues • Forum for comparison of industry/supplier losses • All discussion under NDA--$ = “don’t ask / don’t tell” • Guarantor of business • Supplier compliance to standards gauged independently • Certified suppliers to be listed on limited access website--non-certified locations not listed • Unreasonable or cost-prohibitive www.tapaonline.org Steve Lund – Intel Corporation
Evolution of TAPA • 1997: Security professionals meet to address problem of high tech theft: • Global problem -- no one exempt from cargo theft • Demand for product peaking • Highly liquid components and demand on grey and black markets • Conclusion: Establish a forum dedicated to development of best known protective measures, benchmarking and global implementation – “A rising tide lifts all boats” • 1998-2000: Development of Standards • Audit Criteria • Contractual Security T&C’s in form of Freight Security Requirements • Scoring Matrix • RFQ for Independent Auditors • 1999: TAPA EMEA formed • 2000: TAPA Asia formed, TAPA Worldwide Council developed • 2001: Independent Audit program proliferated • Audit companies trained, three day course - Certification process begins • eTAPS developed in Europe • 2002: Worldwide membership exceeds 450 • Benchmarked as best in class by Technology and Terrorism Committee, U.S. Senate • Pharmaceutical membership extended • Over 200 audits scheduled worldwide www.tapaonline.org Steve Lund – Intel Corporation
Partnership = Leverage • 450+ worldwide members • Active organizations in Americas, Asia, EMEA • Market Capitalization of member companies > $1.25 Trillion • In 2000, was $3.0 Trillion… • Annual Sales of member companies > $750 Billion • Uniform approach to problematic locations versus fragmented efforts • Support of law enforcement investigations • Product, equipment, packaging, information • Industry contacts worldwide - strong communication infrastructure • Information and training on products and vulnerabilities • Access to TAPA quarterly meetings • Presentation, Participation, Networking www.tapaonline.org Steve Lund – Intel Corporation
Putting the Right Security Measures in Place • Classification of facilities in 3 categories (A, B, C) depending on level of threat • Threat calculated by environmental and historical data and risk aversion level for individual company • Highest level classification requires highest level of security • Applied to trucking operations as well as air operations • Assessment protocol using 0 - 2 qualitative score--no weighting www.tapaonline.org Steve Lund – Intel Corporation
V 3 PHILOSOPHY • VALUE • VOLUME • VULNERABILITY
Freight Security Model Training Contractual Language Standard Assessment Protocol Consequences Investigations Freight Security Requirements www.tapaonline.org Steve Lund – Intel Corporation
ACER ENTEX MICRON PACKARD BELL AMD HITACHI MERISEL PHILIPS MATSUSHITA AMDAHL INGRAM NORRED QUANTUM IBM SAMSUNG AMGEN GATEWAY ASPEN SYS. SEAGATE AMS SED INT. AVNET SILICON GR. FREIGHT CARRIER / FORWARDER BAY NETWKS SOLECTRON BERNES GP SMITH ASSOC. CELESTICA SONY CISCO SUN MICRO. COMARK TECH DATA TEXAS INST. COMPAQ H. PACKARD MICROAGE INTEL LEXMARK TOSHIBA CYRIX/NSM DELL INACOM MAXTOR MOTOROLA 3COM DIGITAL FAIRCHILD PNY WESTERN DIG. FREIGHT CARRIER /FORWARDER TAPA AUTHORIZED AUDITOR Independent Auditors: Move From This… …To This Steve Lund – Intel Corporation
TAPA Sub-Teams • Insurance Team: • Leverage insurance industry influence on mandatory standards • Insurance premium analysis • Program proliferation • Waiver Committee: • Review body for all supplier waivers • Integrator/3rd Party Logistics: • Standards development for inventoried product/outsourced warehousing • Work with Integrator market on program certification and standards www.tapaonline.org Steve Lund – Intel Corporation
Post - 9/11 Threats Leveraging Existing Programs and Creating Models to Meet New Challenges
Positioned for Emerging Threats • September 11, 2001 re-focused attention on the threat of terrorism to all operations, including supply chain • Employee safety and security – home, office, travel • Airline grounding in aftermath of attacks – alternative shipping lanes, managing product backlog • Contingency plans for design, manufacturing, distribution • Upstream and downstream impacts of direct attack or collateral impact – are suppliers and customers prepared? • Communications infrastructure vulnerabilities • Scarcity or unavailability of insurance • The comprehensive nature of the supply-chain security measures established and proliferated through TAPA have shown ancillary benefits to anti-terrorism efforts Steve Lund – Intel Corporation
Customs Trade Partnership Against Terrorism (C-TPAT) • Establishes Supply Chain Security requirements: Factory, Warehouse, Docks, Forwarder/Integrator Facilities • Shared FSR’s, Audit Protocol, and Scoring Matrix with program management, best known methods to date • USC agreement that TAPA security requirements fulfill supplier and manufacturer obligation if C-TPAT certified • Several companies have been C-TPAT certified by implementing TAPA supply chain model • Intel certified September, 2002 Steve Lund – Intel Corporation
C-TPAT Focus Areas “Develop and implement a sound plan to enhance security procedures. These are general recommendations that should be followed on a case-by-case basis depending on the company’s size and structure and may not be applicable to all.” • Required Elements • Procedural Security • Personnel Security • Physical Security • Education and Training • Conveyance Security • Access Controls • Manifest Procedures • Required Locations • Supply Chain • Importer • Broker • Manufacturer • Warehouse • Air / Sea /Land Carriers Steve Lund – Intel Corporation
C-TPAT Membership Benefits • A reduced number of inspections • Avoids delays in shipment and negative impact to customers • More secure supply chain for employees, suppliers and customers • Account Based Processing (bi-monthly/monthly submission of duties) • Self policing and assessment • Partnership with government against terrorism • Membership in first worldwide supply chain wide security initiative • Account Manager will be assigned • Access to the list of other C-TPAT members Steve Lund – Intel Corporation
Threat Management • Internal focus after 9/11/01 and anthrax mailings on emergency preparedness and business recovery / continuity • Developed a Security and Safety Task Force comprised of all major business groups • Corporate Business Continuity program office an outgrowth of effort • Operational risk assessments to identify single points of failure and critical assets, with specific action plans to mitigate vulnerabilities • Clear deliverables, timelines, and continuous review of progress • Response plans for various major or catastrophic scenarios • Loss of facility • Loss of supplier capability (equipment, transportation, services) • Anthrax or other biohazard introduced into environment • Creation of a Corporate Emergency Operations Center to ensure an mechanism for top-level management of crises, enable effective communication and coordination of site responses Steve Lund – Intel Corporation
Intel Site Emergency Operations Centers (EOC’s) and Corporate Emergency Operations Centers (CEOC’s) Ireland England Dupont Oregon Hudson Colorado Japan Folsom China Israel Utah Santa Clara Malaysia New Mexico Philippines Arizona Costa Rica India Blue font = location of Site and Corporate EOC’s Steve Lund – Intel Corporation
Site EOC’s • Located at each major site worldwide • Locally managed, with EOC director from major business group, cross-functional participation: • Local business groups • Security • EHS • Public Affairs • Site Services • Established location on-site, with equipment and procedures as required by Corporate Emergency Management program, including: • Response templates for various scenarios • Multiple computer connections • Media connection (e.g. satellite TV news) • Redundant communications • PBX phone lines • Dedicated copper phone lines • Local channel radios • Satellite telephones • Ham Radio equipment / operators Steve Lund – Intel Corporation
EOC EOC EOC EOC EOC EOC EOC EOC CEOC EOC EOC EOC EOC EOC EOC EOC EOC EOC EOC Corporate EOC • Multiple locations for redundancy and efficiency • Membership at senior-level management • Core CEOC – Director, Coordinator, Security, EHS, Corporate Communications, CEOC Scribe • Extended CEOC – Legal, HR, Sales, Finance, other business groups • Established rooms, fitted with all site EOC elements • CEOC guidelines specific to CEOC operations • Controlled document, scheduled revisions • Activation linked to existing Security or EOC escalation actions, or at discretion of core team members Intent to enable response at site level, coordinate communication between sites and senior management, and enable informed and effective internal and external messages by Executive Staff Steve Lund – Intel Corporation
Drills • Corporate Emergency Management group, site EOC’s, and various business groups have historically utilized tabletop exercises and full drills – Corporate Drill Roadmap • After September 11th, some drill scenarios were added, and scope of drills increased to comprehend all operational elements • Anthrax response (based on existing plans) – included test kits, expanded communication, employee awareness (mail rooms) • Other biohazard scenarios • Aviation disaster response • Function-specific business recovery • CEOC and EOC emergency response capability • “Dirty bomb” scenario • Typically 10-12 separate drills per quarter • Designed and led by affected business group (IT, TMG, HR, etc.) • Site EOC and CEOC participation as warranted by scenario Steve Lund – Intel Corporation
Supply Chain Drills • Business unit drills designed to include all potentially impacted elements of that group • Clear and detailed drill scenarios outlined—including • Participants and their roles • Design of drill • Objectives of the exercise • In scope / Out of scope • Artificialities of the drill (assumptions) • Starting script • Drills involve accelerated timelines, role-playing, simulated supplier engagement • Key suppliers have been engaged in establishing Business Continuity and identifying gaps and focus areas • Supply network rebalance/reset has become a key aspect of drills Steve Lund – Intel Corporation
Q2 2002 Scenario involved loss of key manufacturing facility in the Philippines All immediate emergency response elements assumed to be under control Impact to employees – managing casualties and communication Explored transportation and warehousing capability in first 72 hours, at 3-7 days, and at 7+ days following the incident Impacts to other sites Internal and External communications Q4 2002 Scenario involved loss of production in Oregon due to massive earthquake All emergency response elements assumed under control Airport closure part of scenario Team worked through transportation and warehouse capabilities in first 24 hours, 24-72 hours, 3-7 days, 8-14 days, 30 days, and 45 days after incident Prioritizing shipments, identifying alternative transportation methods and routes Recent Drills Involving Supply Chain Steve Lund – Intel Corporation
Key Elements • Effective supply chain management program, door to door • By starting with focus on security, have infrastructure in place to influence or manage the entire process • Effective Risk Assessment protocol to identify single points of failure, critical focus areas, and mitigation strategies • Understand context of risks / threats, local flavors, key relationships with internal groups or suppliers, and how those relationships can be affected by a crisis • Senior Management and Business Group commitment • Corporate-level processes and coaching, but need each group to leverage their expertise and experience to their functional area • Integrated response capability • All business groups engaged in crisis management planning • Key service groups (Security, EM, EHS) linked to response and continuity efforts • Drill, Drill, Drill Steve Lund – Intel Corporation
Back Up Steve Lund – Intel Corporation
TAPA Partners • The Infrastructure Security Partnership: • Cargo Security • Risk/Threat Assessments in Supply Chain • Transportation Security Administration: • Partnership on development of FTL / LTL trailer load security requirements • TAPA Standards template for in transit cargo protection • National Cargo Security Council Steve Lund – Intel Corporation
TAPA Independent Audit Firms Steve Lund – Intel Corporation