Post on 14-Dec-2015
transcript
®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Securing the High-Tech Supply Chain
Steve LundDirector of Corporate Security
Intel Corporation
December 5th, 2002 Steve Lund – Intel Corporation
2®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Agenda
• Intel’s Supply Chain Security model
• Creation and Evolution of TAPA
• Using standards and TAPA models to meet new threats of terrorism
• U.S. Customs Trade Partnership Against Terrorism (C-TPAT)
• Intel’s Threat Response and Emergency Management Program
• Drilling for Success
December 5th, 2002 Steve Lund – Intel Corporation
3®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Why Develop Freight Security Requirements?
December 5th, 2002 Steve Lund – Intel Corporation
4®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Intel’s Transportation Supplier Management Model
• For more than 10 years, Intel has embedded security requirements in freight transport contracts– Physical security of premises and equipment (e.g. trucks)– Procedural security (e.g. background investigations)– Contractually obligated, with established metrics and periodic
performance evaluation
• With the introduction of the Pentium® product line, this program was further refined to achieve door to door security– Zero losses of Pentium® product in first quarter of shipping
• Intel’s model gained notice among other high-tech companies experiencing freight theft, which led to the formation of the Technology Asset Protection Association
December 5th, 2002 Steve Lund – Intel Corporation
5®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION What is TAPA?
The Technology Asset Protection Association is an non-profit forum of security, insurance and logistics professionals representing high technology companies who have organized for the purpose of addressing the emerging cargo security threats common to the technology industry.
www.tapaonline.org
December 5th, 2002 Steve Lund – Intel Corporation
6®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION WHAT TAPA IS NOT
• Forum for “blacklisting” of suppliers– Information sharing is done on standards and BKM’s, not
on any supplier performance issues
• Forum for comparison of industry/supplier losses– All discussion under NDA--$ = “don’t ask / don’t tell”
• Guarantor of business– Supplier compliance to standards gauged independently– Certified suppliers to be listed on limited access website--
non-certified locations not listed
• Unreasonable or cost-prohibitive
www.tapaonline.org
December 5th, 2002 Steve Lund – Intel Corporation
7®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Evolution of TAPA• 1997: Security professionals meet to address problem of high tech theft:
– Global problem -- no one exempt from cargo theft– Demand for product peaking– Highly liquid components and demand on grey and black markets– Conclusion: Establish a forum dedicated to development of best known protective measures, benchmarking and
global implementation – “A rising tide lifts all boats”
• 1998-2000: Development of Standards– Audit Criteria– Contractual Security T&C’s in form of Freight Security Requirements– Scoring Matrix– RFQ for Independent Auditors
• 1999: TAPA EMEA formed• 2000: TAPA Asia formed, TAPA Worldwide Council developed• 2001: Independent Audit program proliferated
– Audit companies trained, three day course - Certification process begins– eTAPS developed in Europe
• 2002: Worldwide membership exceeds 450– Benchmarked as best in class by Technology and Terrorism Committee, U.S. Senate– Pharmaceutical membership extended– Over 200 audits scheduled worldwide
www.tapaonline.org
December 5th, 2002 Steve Lund – Intel Corporation
8®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Partnership = Leverage• 450+ worldwide members• Active organizations in Americas, Asia, EMEA• Market Capitalization of member companies > $1.25 Trillion
– In 2000, was $3.0 Trillion…
• Annual Sales of member companies > $750 Billion• Uniform approach to problematic locations versus fragmented efforts• Support of law enforcement investigations
– Product, equipment, packaging, information
• Industry contacts worldwide - strong communication infrastructure• Information and training on products and vulnerabilities• Access to TAPA quarterly meetings
– Presentation, Participation, Networking
www.tapaonline.org
December 5th, 2002 Steve Lund – Intel Corporation
9®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Putting the Right Security Measures in Place
• Classification of facilities in 3 categories (A, B, C) depending on level of threat– Threat calculated by environmental and historical data
and risk aversion level for individual company– Highest level classification requires highest level of
security
• Applied to trucking operations as well as air operations
• Assessment protocol using 0 - 2 qualitative score--no weighting
www.tapaonline.org
December 5th, 2002 Steve Lund – Intel Corporation
11®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Freight Security Model
Con
trac
tual
Lan
guag
eStandard A
ssessment Protocol
Freight Security Requirements
Investigations
Training
Consequences
www.tapaonline.org
December 5th, 2002 Steve Lund – Intel Corporation
12®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
H. PACKARD
ACER
AMD
AMDAHL
AMGEN
ASPEN SYS.
AMS
AVNET
BAY NETWKS
BERNES GP
CELESTICA
CISCO
COMARK
COMPAQ
CYRIX/NSM
DELL
DIGITAL
ENTEX
FAIRCHILD
GATEWAY
HITACHI
INACOM
INGRAM
INTEL
IBM
LEXMARK
MATSUSHITA
MAXTOR
MERISEL
MICROAGE
MICRON
MOTOROLA
NORRED
PNY
PACKARD BELL
PHILIPS
QUANTUM
SAMSUNG
SEAGATE
SED INT.
SILICON GR.
SOLECTRON
SMITH ASSOC.
SONY
SUN MICRO.
TECH DATA
TEXAS INST.
TOSHIBA
3COM
WESTERN DIG.
FREIGHT CARRIER /
FORWARDER
FREIGHT CARRIER /
FORWARDER
TAPA AUTHORIZED
AUDITOR
Independent Auditors:
Move From This…
…To This
December 5th, 2002 Steve Lund – Intel Corporation
13®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION TAPA Sub-Teams
• Insurance Team: – Leverage insurance industry influence on mandatory
standards– Insurance premium analysis– Program proliferation
• Waiver Committee: – Review body for all supplier waivers
• Integrator/3rd Party Logistics: – Standards development for inventoried
product/outsourced warehousing– Work with Integrator market on program certification
and standards
www.tapaonline.org
®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Post - 9/11 Threats
Leveraging Existing Programs and Creating Models to Meet New
Challenges
December 5th, 2002 Steve Lund – Intel Corporation
15®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION Positioned for Emerging Threats
• September 11, 2001 re-focused attention on the threat of terrorism to all operations, including supply chain– Employee safety and security – home, office, travel– Airline grounding in aftermath of attacks – alternative shipping
lanes, managing product backlog– Contingency plans for design, manufacturing, distribution– Upstream and downstream impacts of direct attack or collateral
impact – are suppliers and customers prepared?– Communications infrastructure vulnerabilities– Scarcity or unavailability of insurance
• The comprehensive nature of the supply-chain security measures established and proliferated through TAPA have shown ancillary benefits to anti-terrorism efforts
December 5th, 2002 Steve Lund – Intel Corporation
16®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION Customs Trade Partnership
Against Terrorism (C-TPAT)
• Establishes Supply Chain Security requirements: Factory, Warehouse, Docks, Forwarder/Integrator Facilities
• Shared FSR’s, Audit Protocol, and Scoring Matrix with program management, best known methods to date
• USC agreement that TAPA security requirements fulfill supplier and manufacturer obligation if C-TPAT certified
• Several companies have been C-TPAT certified by implementing TAPA supply chain model– Intel certified September, 2002
December 5th, 2002 Steve Lund – Intel Corporation
17®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION C-TPAT Focus Areas
“Develop and implement a sound plan to enhance security procedures. These are general recommendations that should be followed on a case-by-case basis depending on the company’s size and structure and may not be applicable to all.”
Required Locations
• Supply Chain
–Importer
–Broker
• Manufacturer
• Warehouse
• Air / Sea /Land Carriers
Required Elements• Procedural Security• Personnel Security • Physical Security• Education and Training• Conveyance Security• Access Controls• Manifest Procedures
December 5th, 2002 Steve Lund – Intel Corporation
18®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION C-TPAT Membership Benefits
• A reduced number of inspections– Avoids delays in shipment and negative impact to customers
• More secure supply chain for employees, suppliers and customers
• Account Based Processing (bi-monthly/monthly submission of duties)
• Self policing and assessment• Partnership with government against terrorism • Membership in first worldwide supply chain wide security
initiative• Account Manager will be assigned
• Access to the list of other C-TPAT members
December 5th, 2002 Steve Lund – Intel Corporation
19®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Threat Management • Internal focus after 9/11/01 and anthrax mailings on
emergency preparedness and business recovery / continuity– Developed a Security and Safety Task Force comprised of all
major business groups• Corporate Business Continuity program office an outgrowth of effort
– Operational risk assessments to identify single points of failure and critical assets, with specific action plans to mitigate vulnerabilities
• Clear deliverables, timelines, and continuous review of progress
– Response plans for various major or catastrophic scenarios• Loss of facility • Loss of supplier capability (equipment, transportation, services)• Anthrax or other biohazard introduced into environment
– Creation of a Corporate Emergency Operations Center to ensure an mechanism for top-level management of crises, enable effective communication and coordination of site responses
December 5th, 2002 Steve Lund – Intel Corporation
20®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
ArizonaNew Mexico
Folsom
DupontOregon
Santa Clara
Colorado Hudson
India
Ireland
IsraelJapan
MalaysiaPhilippines
China
Costa Rica
Utah
Blue font = location of Site and Corporate EOC’s
Intel Site Emergency Operations Centers (EOC’s) and Corporate Emergency Operations Centers
(CEOC’s)
England
December 5th, 2002 Steve Lund – Intel Corporation
21®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Site EOC’s• Located at each major site worldwide • Locally managed, with EOC director from major business group,
cross-functional participation:– Local business groups– Security– EHS– Public Affairs– Site Services
• Established location on-site, with equipment and procedures as required by Corporate Emergency Management program, including:– Response templates for various scenarios– Multiple computer connections– Media connection (e.g. satellite TV news) – Redundant communications
• PBX phone lines• Dedicated copper phone lines• Local channel radios• Satellite telephones• Ham Radio equipment / operators
December 5th, 2002 Steve Lund – Intel Corporation
22®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Corporate EOC• Multiple locations for redundancy and efficiency• Membership at senior-level management
– Core CEOC – Director, Coordinator, Security, EHS, Corporate Communications, CEOC Scribe
– Extended CEOC – Legal, HR, Sales, Finance, other business groups
• Established rooms, fitted with all site EOC elements• CEOC guidelines specific to CEOC operations
– Controlled document, scheduled revisions
• Activation linked to existing Security or EOC escalation actions, or at discretion of core team members
EOC
EOC
EOC
EOCEOC
EOC
EOCEOCEOC
EOC
EOC EOC
EOC
EOC
EOCEOCEOC
CEOCEOC
Intent to enable response at site level, coordinate communication between sites and senior management, and enable informed and effective internal and external messages by Executive Staff
December 5th, 2002 Steve Lund – Intel Corporation
23®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Drills• Corporate Emergency Management group, site EOC’s, and
various business groups have historically utilized tabletop exercises and full drills – Corporate Drill Roadmap
• After September 11th, some drill scenarios were added, and scope of drills increased to comprehend all operational elements– Anthrax response (based on existing plans) – included test kits,
expanded communication, employee awareness (mail rooms)– Other biohazard scenarios– Aviation disaster response– Function-specific business recovery– CEOC and EOC emergency response capability– “Dirty bomb” scenario
• Typically 10-12 separate drills per quarter– Designed and led by affected business group (IT, TMG, HR, etc.)– Site EOC and CEOC participation as warranted by scenario
December 5th, 2002 Steve Lund – Intel Corporation
24®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Supply Chain Drills• Business unit drills designed to include all potentially
impacted elements of that group• Clear and detailed drill scenarios outlined—including
– Participants and their roles– Design of drill– Objectives of the exercise– In scope / Out of scope– Artificialities of the drill (assumptions)– Starting script
• Drills involve accelerated timelines, role-playing, simulated supplier engagement
• Key suppliers have been engaged in establishing Business Continuity and identifying gaps and focus areas
• Supply network rebalance/reset has become a key aspect of drills
December 5th, 2002 Steve Lund – Intel Corporation
25®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Recent Drills Involving Supply Chain
Q2 2002• Scenario involved loss of key
manufacturing facility in the Philippines
• All immediate emergency response elements assumed to be under control
• Impact to employees – managing casualties and communication
• Explored transportation and warehousing capability in first 72 hours, at 3-7 days, and at 7+ days following the incident
• Impacts to other sites• Internal and External
communications
Q4 2002• Scenario involved loss of
production in Oregon due to massive earthquake
• All emergency response elements assumed under control
• Airport closure part of scenario• Team worked through
transportation and warehouse capabilities in first 24 hours, 24-72 hours, 3-7 days, 8-14 days, 30 days, and 45 days after incident
• Prioritizing shipments, identifying alternative transportation methods and routes
December 5th, 2002 Steve Lund – Intel Corporation
26®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Key Elements• Effective supply chain management program, door to door
– By starting with focus on security, have infrastructure in place to influence or manage the entire process
• Effective Risk Assessment protocol to identify single points of failure, critical focus areas, and mitigation strategies– Understand context of risks / threats, local flavors, key relationships with internal
groups or suppliers, and how those relationships can be affected by a crisis
• Senior Management and Business Group commitment– Corporate-level processes and coaching, but need each group to leverage their
expertise and experience to their functional area
• Integrated response capability– All business groups engaged in crisis management planning– Key service groups (Security, EM, EHS) linked to response and continuity efforts
• Drill, Drill, Drill
December 5th, 2002 Steve Lund – Intel Corporation
28®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION
Back Up
December 5th, 2002 Steve Lund – Intel Corporation
29®
INT
EL
CO
RP
OR
AT
ION
INT
EL
CO
RP
OR
AT
ION TAPA Partners
• The Infrastructure Security Partnership:– Cargo Security– Risk/Threat Assessments in
Supply Chain
• Transportation Security Administration:– Partnership on development of
FTL / LTL trailer load security requirements
– TAPA Standards template for in transit cargo protection
• National Cargo Security Council