Custom security: Supplemental security coverage and C-TPAT validation

Blending your security program with the Customs-Trade Partnership Against Terrorism to ensure a safe facility

by Bill Conley — Originally published in the July/August 2017 issue of FMJ

In the classic comic strip Peanuts, by Charles Schulz, Linus is often depicted with his trusty blanket.

There are disastrous consequences when it’s not in his hands and peaceful serenity when he has it. The term “security blanket” was popularized through its portrayal, and the concept has translated to the real world to describe items designed to protect people, places and things from risk. Linus’ blanket may not boast a 1,000-thread count, but it brings him comfort and satisfies his needs.

In other words, it doesn’t have to be perfect. It just has to work as desired.

Any blanket, though, can still be penetrated. It’s no different with workplace security, where there will be areas that can’t be covered regardless of precautions. No workplace — whether an office building, a construction site, a factory floor or a retail store — is immune from security threats.

It’s doubtful that a technically perfect security system exists. Cost, convenience and practicality all play roles in defining the extent of protection in the workplace. The trick is to make sure the most important parts of a facility have been considered and that protocols are customized to provide the best fit.

Facility managers cannot always go the whole nine yards, but supplemental coverage may be available.

Many corporations bridle at legislation and guidelines from the government sector and many senior managers feel their way of conducting business is best for their organization. Sometimes, though, mandates or assistance can actually save money, streamline efficiency and provide guidance.

Enter the Customs-Trade Partnership Against Terrorism (C-TPAT)

U.S. Customs and Border Protection (CBP) created the Customs-Trade Partnership Against Terrorism (C-TPAT) to help companies whose operations include importing material goods. It’s a voluntary program focused on improving the security of private companies’ supply chains with respect to terrorism. It was launched in November 2001 with seven participants – all large U.S. companies – and now has more than 11,000 members. The importers now enrolled account for approximately 54 percent of the value of all merchandise imported into the United States.

There are no fees associated with becoming a partner, but participating organizations must ensure they meet and maintain required standards. There will be costs from operational improvements needed to establish compliance, and standards start with security at the facility level and deal with local control and safeguarding of assets. Implementation and use of technology is necessary to maintain the integrity of imports, international transport and brokerage operations.

A C-TPAT validation, though, does not equate to a Customs Border Protection audit. Although Customs performs standard audits in trade compliance and North American Free Trade Agreement assessments, C-TPAT validations focus on voluntary and exemplary standards beyond basic compliance and have historically focused on imports into the United States.

C-TPAT certification is a three-step process:

  • Complete and document a security risk assessment. This evaluation will determine needs or verify compliance with C-TPAT requirements. It will also provide insight into vulnerabilities of a current system.
  • Once all proper security measures are in place, submit a basic application through the C-TPAT portal.
  • Complete a comprehensive supply chain security profile that describes how the company meets C-TPAT’s minimum security criteria.

Upon completion and submission of the application and security profile, the CBP reviews the materials and C-TPAT administrators have up to 90 days to certify the company for a three-year term or reject it.

Companies achieving certification must implement and maintain a documented process for determining and alleviating risk throughout their international supply chain. This allows companies to be considered low risk, resulting in expedited processing of their cargo and fewer Customs examinations.

C-TPAT members must conduct a yearly supply chain security risk assessment of their operations, supply chains, service providers and foreign suppliers. The assessment applies to facilities and workplaces supporting the distribution of product, and it’s where facility managers can benefit the most. Familiarity with government standards allows a facility manager to focus on what’s most important from a security perspective and tighten any frayed edges or loose ends.

Yamaha Motor Corporation is an international company certified as a member of C-TPAT. It deals with an ever-expanding product line that includes motorcycles, outboard motors, all-terrain vehicles, personal watercraft, snowmobiles, boats, outdoor power equipment, race kart engines, accessories and apparel. It’s also involved in import and sales of various types of products, development of tourist businesses, and management of leisure, recreational facilities and related services.

Yamaha has benefited substantially from its C-TPAT certification via a measurable increase in the speed of freight and a reduction of fees — thanks to the Free and Secure Trade (FAST) lanes at land borders, and the ability to move to the front of inspection lines. It’s also less likely to be subject to CBP examinations and is exempt from Stratified Exams, which leads to shorter wait times. The company also gets access to the C-TPAT Status Verification Interface, and a Customs advisor is assigned to assist with its supply chain.

Facility-Specific Security

Workplace security ensures the safety of employees, client files, assets and confidential documents, and it’s important because corporations, businesses and government offices are targets of sabotage, unlawful entry and theft. Threats endanger the confidentiality, integrity and security of the tangible workplace, as well as the virtual workplace and computer systems.

To address those areas, C-TPAT standards add more rigor to a security program.

Yamaha’s U.S. operations are based in Cypress, California, where its facility provides office and administration for headquarters staff, warehousing and stock for customers, and repair shops and staging for prototype development and support of the Yamaha racing team. Existing security measures are fairly comprehensive, but C-TPAT compliance and annual audits keep levels high, and annual security awareness training is mandatory for all employees.

Looking Beyond C-TPAT Procedures

Although C-TPAT guidelines help define measures around a facility, safety and security go far beyond those dictates. Making sure a facility is secure for all possibilities plays a major role in reducing workplace stress for the facilities team and the occupants.

Surveillance

At the Yamaha Cypress facility, the camera surveillance system means people entering and leaving the building are seen, and parking lot cameras give employees an added sense of security.

The facility also utilizes a badge system allowing only authorized personnel in at any time, which enables control of employees and visitors and protection of company assets. It is staffed 24/7 by security officers, whose tasks include monitoring cameras that cover the building’s exterior and major access/egress points. Yamaha’s warehouse has its own camera system for storage and material movement and the officers are also responsible for the card access system and visitor management.

Access and visitor management

Employees are only given access to secure areas connected to their duties. Egress is controlled by gates aligned with the card access system, and the facility manager and security personnel control the issuance and retrieval of employee, visitor and vendor identification badges.

Procedures for access badges and authority levels is documented in the security office and online in the security handbook.

Visitors must present photo identification and sign in upon arrival. Yamaha’s Cypress facility has a digital management system in which visitors and guests sign in at a front lobby kiosk or the security entrance. They can type in information or scan their driver’s licenses. Scanners read bar codes on government-issued IDs and sign people in, and the system can compare information against national and international databases to search for known offenders or suspect visitors.

Visitor logs show people who’ve signed in and what time they signed out. An archive shows a history of visitors, the companies with which they are affiliated and any assets they brought with them. The number of times a visitor has been onsite and the duration of their visits can also be tracked. Visitors can also be prescheduled for arrival, and documentation is kept for those expected to be in the facility but did not show up. All visitors are escorted and must display temporary picture badges upon entry.

All Yamaha employees know to look for proper identification and address unauthorized or unidentified persons. Employees are also reminded to recognize and report lone wanderers in the building.

Additionally, they’re required to take annual online cybersecurity classes to help maintain the integrity of information technology. IT security policies, procedures and standards mandate password protection and all automated systems use individually assigned accounts that require periodic password changes. A system is also in place to identify IT abuse, including improper access, tampering or altering of business data. System violators are subject to appropriate disciplinary actions.

A Blanket or a Quilt

Times have changed since trust was universal and strangers were met with smiles. Choices no longer revolve around whether security is needed, but rather, how much is appropriate.

Companies can go with a Linus-esque security blanket that’s comfortable but not able to withstand real stress. Or they can choose a more tailored approach that provides a thicker and more protective cover. Control and recognition of visitor protocols is extremely important for facility managers, and security measures around the property are just as vital.

Customs recently published requirements for U.S. exporters to participate in C-TPAT and it is collaborating with Mutual Recognition Arrangement countries to develop an export pilot program. The agency is receiving feedback but has not announced when the program will officially be open to exporters. Regardless, lessons in supply chain security are there for anyone to implement. It all depends on how heavy a security blanket must be for effective protection.

Bill ConleyBill Conley, CFM, SFP, FMP, LEED AP, IFMA Fellow, is facility manager at Yamaha Motor Corp. in Cypress, California, USA. Prior to that, he served as owner and chief sustainability officer of CFM2, a facility management and sustainability consulting company. Conley has more than 40 years of experience in the facility management profession and has been a proponent of sustainable operations for more than 20 years.

Conley has served on the IFMA board of directors, is a recipient of IFMA’s distinguished member of the year award and has received the association’s distinguished author award three times. He has been a regular contributor to FMJ for more than 20 years and has authored more than 60 FMJ articles.

FMJ, the official magazine of the International Facility Management Association (IFMA), is written by and for workplace professionals and is published six times a year. FMJ is the only magazine that draws on the collective knowledge of IFMA’s global network of thought leaders to provide insights on current and upcoming FM trends. For more information on FMJ, visit www.ifma.org/publications/fmj-magazine.

Articles in FMJ are the exclusive property of IFMA and are subject to all applicable copyright provisions. To view abstracts and articles not shown here, subscribe or order individual issues at www.ifma.org/publications/fmj-magazine/subscribe. Direct questions on contributing, as well as on permission to reprint, reproduce or use FMJ materials, to Editor-in-Chief Bobby Vasquez at Bobby.Vasquez@ifma.org.

IFMA, founded in 1980, is the world’s largest and most widely recognized association for facility management professionals, supporting 24,000 members in more than 100 countries. IFMA advances collective knowledge, value and growth for Facility Management professionals. IFMA certifies professionals in facility management, conducts research, provides educational programs, content and resources, and produces World Workplace, the largest series of facility management conferences and expositions. To join and follow IFMA’s social media outlets online, visit the association’s LinkedIn, Facebook, YouTube and Twitter pages. For more information, visit www.ifma.org.