Supply Chain

 

 

Supply Chain Strategies
By Holly Gilbert Stowell
Published: 2017-02-01
https://sm.asisonline.org/Pages/Supply-Chain-Strategies.aspx

<p>Take almost any product you have purchased in a store or used at home or work in the last week. Chances are, that object moved thousands of miles from where it was originally manufactured to the place where it was ultimately purchased or delivered to you. Organizations have intricate supply chain networks that are constantly moving every day around the world, and having an efficient supply chain security program ensures that movement of goods is not interrupted or compromised. </p><p>Security professionals must take a detailed look at the vendors who supply their assets and understand how those goods will be handled and ultimately implemented into their company’s operations or services. Following is a look at how a children’s hospital in Alabama applied supply chain security best practices to weather an unexpected storm, as well as provide for day-to-day operations. In addition, supply chain experts discuss lessons learned from their own experience of conducting risk assessments, following standards, and vetting suppliers and transporters to better protect company property. </p><h4>Alabama Children’s </h4><p>When a snowstorm hit Birmingham, Alabama, on January 28, 2014, the city was caught unawares. The snowfall, which quickly turned to ice, left thousands stranded on highways or in their offices. Children were stuck at school, their parents unable to pick them up. The event became known as “Snowpocalypse,” and news service AL.com called it “the winter storm that brought Birmingham to its knees.” </p><p>Hospitals were affected by the storm as well, including Children’s of Alabama. 
The pediatric center encountered vulnerabilities in its supply chain during that event it hadn’t previously considered, says Dennis Blass, CPP, PSP, director of safety and security at the hospital. </p><p><strong>Lessons learned. </strong>Every year the hospital conducts a hazards vulnerability assessment for its supply chain to find out where it can improve safety and security. “Once you identify your hazards and your vulnerabilities–the things that are dangerous to you or the things that you’re weak in–then you start peeling those back,” he says. “If we identify hazards that we need to correct, then we probably are going to create a management plan to correct those issues.” </p><p>Many displaced people in the community turned to the hospital for shelter when they had nowhere else to go. “We have a very prominent position in the Birmingham skyline, so if things look bad, the hospital looks like a place to go and get help–as it is,” Blass says. There were also clinic patients who had come to the hospital that morning for a routine checkup, planning to leave; many of them were stuck because of the snowstorm, which began around 10:30 a.m. local time.</p><p>Instead of being filled to the normal capacity of 300 people—the number of beds in the hospital—there were roughly 600 people who spent about 48 hours at the facility to ride out the storm.</p><p>The number of people at the hospital exposed one unforeseen vulnerability—obtaining clean linens from its supplier, which is separated from the hospital by a chain of mountains. “The supplier can wash the linens, but they can’t deliver them to us…we ended up making it, but that was a close call,” says Blass.</p><p>“We could handle supplies for patients, but we had a lot of people who just came to the hospital because it was a warm place to be,” according to Blass. “That had impacts on the amount of food that got consumed, and it had impacts on the amount of linens we went through. 
Just things that people need, supplies like toilet paper, things you don’t think a lot of.” </p><p>For those who weren’t patients, the hospital served smaller meals than normal; “sandwiches and soup, as opposed to meat and potatoes,” Blass says, to stretch resources. </p><p>The main drug supplier for the hospital is located in the same region, so obtaining critical medicine was not a concern during the storm. The hospital also has plenty of diesel fuel tanks, and can go for days without restocking. Only the insufficient linens, which must be sent off to a facility for proper sanitation before being returned to the hospital, turned out to be an issue.</p><p>“We did an after-action report on that experience, so we…put it in our emergency management plans for the future,” he notes.</p><p>The hospital’s emergency plans help ease any supply chain shortages. The institution follows the hospital incident command system (HICS) which assigns temporary duties to leadership during an emergency. For example, during the snowstorm, the chief operating officer of the hospital assumes the role of incident commander; an information officer is assigned to keep the community informed of hospital activities; and the plan also incorporates a medical officer, logistics chief, and planning chief. </p><p>During the incident, this system helped ensure proper patient care and as few gaps in the supply chain as possible. “Food was getting tight,” Blass says, and the food warehouses are not located near the hospital. “Because of the command structure, leadership can say, ‘okay you have a company credit card, we’ll contact the bank and raise your limit from $500 to $5,000 or whatever you need.’”</p><p>The U.S. Joint Commission, which certifies and accredits healthcare bodies, requires that hospitals have a group with representatives from various divisions that evaluates the standard of care they are providing to patients. 
Alabama Children’s has an environment of care committee that meets once a month to complete this requirement. “Our environment of care committee looks at things like safety, security, and resource management,” says Blass. “We have to meet the Joint Commission’s standard, and it surveys us every three years.” </p><p>Representatives on the team at Alabama Children’s include staff from the pharmacy, medical team, facilities, human resources, dining services, and more. This team ensures that there aren’t any gaps in the supply chain that would interrupt the hospital’s daily operations. As a rule, Blass says that having enough supplies for 96 hours will allow the facility to continue operating smoothly and efficiently. This includes a variety of items that the environment of care team must carefully think through and document. “You’re talking about water, fuel, basic sanitary supplies, and then you start talking about medicine and those things necessary for a hospital to run,” he says. </p><p>And there can be more than one type of each supply, a detail that, if overlooked, could mean life or death. “We have pumps that pump air, we have pumps that pump blood, we have pumps that pump saline, we have pumps that do many different things. You have to have all the things needed to make those supplies work for 96 hours,” he notes. </p><p>Keeping track of inventory is critical to determine whether the hospital has a sufficient supply of each item. Blass says that the hospital is moving toward a perpetual inventory system, where a new item is ordered as soon as one is pulled off the shelf. </p><p>There is a downside to stocking too many items, which is why it’s a delicate balance between having 96 hours’ worth of supplies and more than enough. “Space is expensive. And if you want to have enough water for four days, how much water is that? Where do you put it? 
How do you keep it fresh?” He adds that the hospital must be thoughtful in its policies and procedures on maintaining its inventory to avoid any issues. </p><p>Thankfully, Blass notes, the 2014 snowstorm only lasted 48 hours. “The size of the surge exceeded our plan, but the length of the surge was shorter than our plans, so it all worked out,” he says. </p><p>And not every element of securing the supply chain is tangible; the information and communication pieces are also critical. “Every day we’re getting blood supplies in, and other kinds of materials that must be treated very carefully,” he says. Special instructions need to be followed in many cases. For example, there may be medicine that must be stored at a precise temperature until 30 minutes before it’s dispensed. That information must be communicated from the pharmacist to the supplier, and sometimes to security, who can give special access to the supplier when it delivers the drugs. </p><p>Blass is a member of the ASIS International Supply Chain and Transportation Security Council. He helped develop an American National Standards Institute (ANSI)/ASIS standard for supply chain security, Supply Chain Risk Management: A Compilation of Best Practices Standard (SCRM), which was released in July 2014. The standard provides supply chain security guidelines for companies, and has illustrations of what exemplary supply chain models look like.</p><p><strong>Best practices.</strong> Marc Siegel, former chair of the ASIS Global Standards Initiative, also participated in the creation of the ANSI/ASIS standard, which provides explanations of how to look at managing risk in the supply chain. “It’s based on the experiences of companies that have very sophisticated supply chain operations,” he tells Security Management. 
“The companies that put it together were really looking at having a document that they could give to their suppliers, to help them look at themselves and think of things that they should be doing and preparing for.” </p><p>Siegel is now director of security and resilience projects for the homeland security graduate program at San Diego State University. He promotes supply chain mapping, which takes a risk management–based approach to supply chain security. “Traditionally, a lot of security people have looked at supply chain as logistics security,” he says, “whereas companies with major supply chain considerations have been moving more into an enterprise risk management perspective.” These organizations take an across-the-board look at risks that could create a disruption in the supply chain, asking themselves what the specific things are that could interrupt or prevent them from manufacturing or delivering their product. </p><p>Siegel says there is a disproportionate focus on bad actors and intentional acts as threats to the supply chain, when more often it’s a natural disaster or accident that causes the most significant disruptions. “The broader risk management perspective is also looking at, ‘Is there a potential for a storm, is there a potential for political disorder, or instability in a region, that can cause a delay in processing?’” Only then, he says, are companies efficiently mapping out all the factors that could introduce uncertainty.</p><p>Maintaining a broader perspective will keep organizations from fixating on two of the most common hangups in supply chain security. “You have people who fixate on ‘everything is a threat,’ and you have people who fixate on ‘everything is a vulnerability,’ and if you only fixate on those two things you’re going to miss a lot of stuff,” Siegel says.</p><p>Blass agrees. 
“When we start that annual hazards vulnerability assessment, I’m going to look through the standard and notes I’ve written myself to make sure I’ve got everything covered,” he notes. “You can never rest and say, ‘well, we’re safe and secure and we don’t have to do anything else,’ because the threats keep changing.” </p><p>--</p><h4>Sidebar: assess risk<br></h4><p> </p><div>For the corporation that produces the F-35 fighter jet and other advanced technologies for the U.S. government, supply chain security is of utmost importance. “The threats that we face are universal in nature due to the size and the complexity of our supply chain,” says Vicki Nichols, supply chain security lead for Lockheed Martin’s Aeronautics business. </div><div><br> </div><div>Lockheed Martin Aeronautics assesses the supply chain in a number of categories, but Nichols works most closely with cargo security. “The threats there are cargo disruption, unmanifested cargo, and anti-Western terrorism,” she notes. </div><div><br> </div><div>The division conducts a risk assessment of its international suppliers. “We look at what type of products they provide us and how vulnerable that product is to manipulation or intellectual property theft, and we look at country risk,” she says. </div><div><br> </div><div>The company sends a questionnaire to its suppliers, and comes up with an overall score for each of them based on 10 criteria, including country risk and transportation mode. In many cases, it also sends field personnel to evaluate the supplier’s facility. “If we know we have eyes and ears going in and out of the facility, and those people are trained to recognize red flags, then we know we have a lower threat because of our presence,” she says. </div><div><br> </div><div>After one such site check at a facility in Italy, Lockheed Martin Aeronautics determined that the use of technology was warranted to further enhance security. 
“The concern was that the area was known for introduction of unmanifested cargo—weapons, cargo disruption,” she notes. “We began to look at tamper-evident technologies, and track-and-trace devices that would allow us to know if someone had opened or tampered with the freight.”  </div><div><br> </div><div>Lockheed Martin has a corporate supply chain security council that meets at least once a month to provide updates and discuss any issues that arise. Representatives from the company include human resources, personnel security, physical security, and counterintelligence. Stakeholders from major partner organizations are also invited to participate.</div><div><br> </div><div>Lockheed Martin Aeronautics also works closely with law enforcement and federal intelligence sources who disseminate relevant information to the company. “We subscribe to some intelligence data that is cargo-specific, so we issue a spotlight report about three times a week just to keep people engaged and aware of the threats in the supply chain,” she notes. </div><div><br> </div><div>Supplier engagement is also critical, Nichols says, so the company stays in touch with about 120 suppliers internationally. </div><div><br> </div><div>Sometime in 2017, Lockheed Martin Aeronautics plans to purchase a software management tool that will release supplier questionnaires in the native language for countries it does business with. It will tap existing resources such as “Supplier Wire” to offer training to the supply base. “This will be another evolution on how we can engage, rather than just sending them to a website,” Nichols says. 
“I think it’s important for our supply base to see how seriously we take security, so they will take it seriously as well.”</div><div><br> </div><h4>Sidebar: consult standards<br></h4><p> </p><p>Laura Hains, CPP, operations manager, supply chain security and consulting at Pinkerton, member of the ASIS International Supply Chain and Transportation Security Council, says that companies should research whether their partners and suppliers are following major supply chain security protocols, like those put out by ASIS, and others such as the Transported Asset Protection Association (TAPA) standards for trucking companies. “TAPA is one of the big authorities on trucking, so if a company says they are TAPA certified, that to me says that they follow protocol,” she says. </p><p>Other standards include the National Strategy for Global Supply Chain Security, which U.S. President Barack Obama signed in 2012 and which was designed to enhance public-private partnerships. Arthur Arway, CPP, author of Supply Chain Security: A Comprehensive Approach, says the framework seeks to combine input from government and industry on protecting the transport of goods to and from the United States. “I think the government is far more willing to seek out subject matter experts and all the different modes and companies that may transport goods into the United States for their help,” he says. Arway adds the document is relatively recent, and that it could take a while before it is widely adopted. </p><p>Though terrorism is an uncommon threat to the supply chain, it must always be a consideration. Hains gives the example of vehicular attacks. In Nice, France, on July 14, 2016, Tunisia native Mohamed Lahouaiej Bouhlel drove a 19-ton cargo truck into a crowd of Bastille Day festival-goers. That attack killed 86 people and injured more than 400. New York police also warned of possible vehicular terrorism against the 2016 Macy’s Thanksgiving Day Parade. 
“A small company truck—that could be a target,” notes Hains. “So everybody has to think about terrorism because it’s out there.”</p><p>Another standard at the national level seeking to combat terrorism within the supply chain is the U.S. Customs Trade Partnership Against Terrorism (C-TPAT). The program is voluntary for private industry, but Arway says the national standards as a whole are seeing global adoption.</p><p>“Standards have come a long way in how they’ve been able to incorporate security into the movement of goods,” he notes. “Many countries have accepted these programs into their own supply chain security programs.”</p>


 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Supply-Chain-Strategies.aspxSupply Chain Strategies<p>​Take almost any product you have purchased in a store or used at home or work in the last week. Chances are, that object moved thousands of miles from where it was originally manufactured to the place where it was ultimately purchased or delivered to you. Organizations have intricate supply chain networks that are constantly moving every day around the world, and having an efficient supply chain security program ensures that movement of goods is not interrupted or compromised. </p><p>Security professionals must take a detailed look at the vendors who supply their assets and understand how those goods will be handled and ultimately implemented into their company’s operations or services. Following is a look at how a children’s hospital in Alabama applied supply chain security best practices to weather an unexpected storm, as well as provide for day-to-day operations. In addition, supply chain experts discuss lessons learned from their own experience of conducting risk assessments, following standards, and vetting suppliers and transporters to better protect company property. ​</p><h4>Alabama Children’s </h4><p>When a snowstorm hit Birmingham, Alabama, on January 28, 2014, the city was caught unawares. The snowfall, which quickly turned to ice, left thousands stranded on highways or in their offices. Children were stuck at school, their parents unable to pick them up. The event became known as “Snowpocalypse,” and news service AL.com called it “the winter storm that brought Birmingham to its knees.” </p><p>Hospitals were affected by the storm as well, including Children’s of Alabama. The pediatric center encountered vulnerabilities in its supply chain during that event it hadn’t previously considered, says Dennis Blass, CPP, PSP, director of safety and security at the hospital. </p><p><strong>Lessons learned. 
</strong>Every year the hospital conducts a hazards vulnerability assessment for its supply chain to find out where it can improve safety and security. “Once you identify your hazards and your vulnerabilities–the things that are dangerous to you or the things that you’re weak in–then you start peeling those back,” he says. “If we identify hazards that we need to correct, then we probably are going to create a management plan to correct those issues.” </p><p>Many displaced people in the community turned to the hospital for shelter when they had nowhere else to go. “We have a very prominent position in the Birmingham skyline, so if things look bad, the hospital looks like a place to go and get help–as it is,” Blass says. There were also clinic patients who had come to the hospital that morning for a routine checkup, planning to leave; many of them were stuck because of the snowstorm, which began around 10:30 a.m. local time.</p><p>Instead of being filled to the normal capacity of 300 people—the number of beds in the hospital—there were roughly  about 600 people who spent about 48 hours at the facility to ride out the storm.</p><p>The number of people at the hospital exposed one unforeseen vulnerability—obtaining clean linens from its supplier, which is separated from the hospital by a chain of mountains. “The supplier can wash the linens, but they can’t deliver them to us…we ended up making it, but that was a close call,” says Blass.</p><p>“We could handle supplies for patients, but we had a lot of people who just came to the hospital because it was a warm place to be,” according to Blass. “That had impacts on the amount of food that got consumed, and it had impacts on the amount of linens we went through. 
Just things that people need, supplies like toilet paper, things you don’t think a lot of.” </p><p>For those who weren’t patients, the hospital served smaller meals than normal; “sandwiches and soup, as opposed to meat and potatoes,” Blass says, to stretch resources. </p><p>The main drug supplier for the hospital is located in the same region, so obtaining critical medicine was not a concern during the storm. The hospital also has plenty of diesel fuel tanks, and can go for days without restocking. Only the insufficient linens, which must be sent off to a facility for proper sanitation before being returned to the hospital, turned out to be an issue.</p><p>“We did an after-action report on that experience, so we…put it in our emergency management plans for the future,” he notes.</p><p>The hospital’s emergency plans help ease any supply chain shortages. The institution follows the hospital incident command system (HICS) which assigns temporary duties to leadership during an emergency. For example, during the snowstorm, the chief operating officer of the hospital assumes the role of incident commander; an information officer is assigned to keep the community informed of hospital activities; and the plan also incorporates a medical officer, logistics chief, and planning chief. </p><p>During the incident, this system helped ensure proper patient care and as few gaps in the supply chain as possible. “Food was getting tight,” Blass says, and the food warehouses are not located near the hospital. “Because of the command structure, leadership can say, ‘okay you have a company credit card, we’ll contact the bank and raise your limit from $500 to $5,000 or whatever you need.’”</p><p>The U.S. Joint Commission, which certifies and accredits healthcare bodies, requires that hospitals have a group with representatives from various divisions that evaluates the standard of care they are providing to patients. 
Alabama Children’s has an environment of care committee that meets once a month to complete this requirement. “Our environment of care committee looks at things like safety, security, and resource management,” says Blass. “We have to meet the Joint Commission’s standard, and it surveys us every three years.” </p><p>Representatives on the team at Alabama Children’s include staff from the pharmacy, medical team, facilities, human resources, dining services, and more. This team ensures that there aren’t any gaps in the supply chain that would interrupt the hospital’s daily operations. As a rule, Blass says that having enough supplies for 96 hours will allow the facility to continue operating smoothly and efficiently. This includes a variety of items that the environment of care team must carefully think through and document. “You’re talking about water, fuel, basic sanitary supplies, and then you start talking about medicine and those things necessary for a hospital to run,” he says. </p><p>And there can be more than one type of each supply, a detail that, if overlooked, could mean life or death. “We have pumps that pump air, we have pumps that pump blood, we have pumps that pump saline, we have pumps that do many different things. You have to have all the things needed to make those supplies work for 96 hours,” he notes. </p><p>Keeping track of inventory is critical to determine whether the hospital has a sufficient supply of each item. Blass says that the hospital is moving toward a perpetual inventory system, where a new item is ordered as soon as one is pulled off the shelf. </p><p>There is a downside to stocking too many items, which is why it’s a delicate balance between having 96 hours’ worth of supplies and more than enough. “Space is expensive. And if you want to have enough water for four days, how much water is that? Where do you put it? 
How do you keep it fresh?” He adds that the hospital must be thoughtful in its policies and procedures on maintaining its inventory to avoid any issues.  </p><p>Thankfully, Blass notes, t​he 2014 snowstorm only lasted 48 hours. “The size of the surge exceeded our plan, but the length of the surge was shorter than our plans, so it all worked out,” he says. </p><p>And not every element of securing the supply chain is tangible; the information and communication pieces are also critical. “Every day we’re getting blood supplies in, and other kinds of materials that must be treated very carefully,” he says. Special instructions need to be followed in many cases. For example, there may be medicine that must be stored at a precise temperature until 30 minutes before it’s dispensed. That information must be communicated from the pharmacist to the supplier, and sometimes to security, who can give special access to the supplier when it delivers the drugs. </p><p>Blass is a member of the ASIS International Supply Chain and Transportation Security Council. He helped develop an American National Standards Institute (ANSI)/ASIS standard for supply chain security, Supply Chain Risk Management: A Compilation of Best Practices Standard (SCRM), which was released in July 2014. The standard provides supply chain security guidelines for companies, and has illustrations of what exemplary supply chain models look like.</p><p><strong>Best practices.</strong> Marc Siegel, former chair of the ASIS Global Standards Initiative, also participated in the creation of the ANSI/ASIS standard, which provides explanations of how to look at managing risk in the supply chain. “It’s based on the experiences of companies that have very sophisticated supply chain operations,” he tells Security Management. 
“The companies that put it together were really looking at having a document that they could give to their suppliers, to help them look at themselves and think of things that they should be doing and preparing for.” </p><p>Siegel is now director of security and resilience projects for the homeland security graduate program at San Diego State University. He promotes supply chain mapping, which takes a risk management–based approach to supply chain security. “Traditionally, a lot of security people have looked at supply chain as logistics security,” he says, “whereas companies with major supply chain considerations have been moving more into an enterprise risk management perspective.” These organizations take an across-the-board look at risks that could create a disruption in the supply chain, asking themselves what the specific things are that could interrupt or prevent them from manufacturing or delivering their product. </p><p>Siegel says there is a disproportionate focus on bad actors and intentional acts as threats to the supply chain, when more often it’s a natural disaster or accident that causes the most significant disruptions. “The broader risk management perspective is also looking at, ‘Is there a potential for a storm, is there a potential for political disorder, or instability in a region, that can cause a delay in processing?’” Only then, he says, are companies efficiently mapping out all the factors that could introduce uncertainty.</p><p>Maintaining a broader perspective will keep organizations from fixating on two of the most common hangups in supply chain security. “You have people who fixate on ‘everything is a threat,’ and you have people who fixate on ‘everything is a vulnerability,’ and if you only fixate on those two things you’re going to miss a lot of stuff,” Siegel says.</p><p>Blass agrees. 
“When we start that annual hazards vulnerability assessment, I’m going to look through the standard and notes I’ve written myself to make sure I’ve got everything covered,” he notes. “You can never rest and say, ‘well, we’re safe and secure and we don’t have to do anything else,’ because the threats keep changing.”   ​</p><p>--</p><h4>Sidebar: assess risk<br></h4><p> </p><div>​For the co​rporation that produces the F-35 fighter jet and other advanced technologies for the U.S. government, supply chain security is of utmost importance. “The threats that we face are universal in nature due to the size and the complexity of our supply chain,” says Vicki Nichols, supply chain security lead for Lockheed Martin’s Aeronautics business. </div><div><br> </div><div>Lockheed Martin Aeronautics assesses the supply chain in a number of categories, but Nichols works most closely with cargo security. “The threats there are cargo disruption, unmanifested cargo, and anti-Western terrorism,” she notes. </div><div><br> </div><div>The division conducts a risk assessment of its international suppliers. “We look at what type of products they provide us and how vulnerable that product is to manipulation or intellectual property theft, and we look at country risk,” she says.  </div><div><br> </div><div>The company sends a questionnaire to its suppliers, and comes up with an overall score for each of them based on 10 criteria, including country risk and transportation mode. In many cases, it also sends field personnel to evaluate the supplier’s facility. “If we know we have eyes and ears going in and out of the facility, and those people are trained to recognize red flags, then we know we have a lower threat because of our presence,” she says. </div><div><br> </div><div>After one such site check at a facility in Italy, Lockheed Martin Aeronautics determined that the use of technology was warranted to further enhance security. 
“The concern was that the area was known for introduction of unmanifested cargo—weapons, cargo disruption,” she notes. “We began to look at tamper-evident technologies, and track-and-trace devices that would allow us to know if someone had opened or tampered with the freight.”  </div><div><br> </div><div>Lockheed Martin has a corporate supply chain security council that meets at least once a month to provide updates and discuss any issues that arise. Representatives from the company include human resources, personnel security, physical security, and counterintelligence. Stakeholders from major partner organizations are also invited to participate.</div><div><br> </div><div>Lockheed Martin Aeronautics also works closely with law enforcement and federal intelligence sources who disseminate relevant information to the company. “We subscribe to some intelligence data that is cargo-specific, so we issue a spotlight report about three times a week just to keep people engaged and aware of the threats in the supply chain,” she notes. </div><div><br> </div><div>Supplier engagement is also critical, Nichols says, so the company stays in touch with about 120 suppliers internationally. </div><div><br> </div><div>Sometime in 2017, Lockheed Martin Aeronautics plans to purchase a software management tool that will release supplier questionnaires in the native language for countries it does business with. It will tap existing resources such as “Supplier Wire” to offer training to the supply base. “This will be another evolution on how we can engage, rather than just sending them to a website,” Nichols says. 
“I think it’s important for our supply base to see how seriously we take security, so they will take it seriously as well.”</div><div><br> </div><h4>Sidebar: consult standards<br></h4><p> </p><p>Laura Hains, CPP, operations manager, supply chain security and consulting at Pinkerton and a member of the ASIS International Supply Chain and Transportation Security Council, says that companies should research whether their partners and suppliers are following major supply chain security protocols, like those put out by ASIS, and others such as the Transported Asset Protection Association (TAPA) standards for trucking companies. “TAPA is one of the big authorities on trucking, so if a company says they are TAPA certified, that to me says that they follow protocol,” she says. </p><p>Other standards include the National Strategy for Global Supply Chain Security, which U.S. President Barack Obama signed in 2012 and which was designed to enhance public-private partnerships. Arthur Arway, CPP, author of Supply Chain Security: A Comprehensive Approach, says the framework seeks to combine input from government and industry on protecting the transport of goods to and from the United States. “I think the government is far more willing to seek out subject matter experts and all the different modes and companies that may transport goods into the United States for their help,” he says. Arway adds that the document is relatively recent, and that it could take a while before it is widely adopted. </p><p>Though terrorism is an uncommon threat to the supply chain, it must always be a consideration. Hains gives the example of vehicular attacks. In Nice, France, on July 14, 2016, Tunisia native Mohamed Lahouaiej Bouhlel drove a 19-ton cargo truck into a crowd of Bastille Day festival-goers. That attack killed 86 people and injured more than 400. New York police also warned of possible vehicular terrorism against the 2016 Macy’s Thanksgiving Day Parade. 
“A small company truck—that could be a target,” notes Hains. “So everybody has to think about terrorism because it’s out there.”</p><p>Another standard at the national level seeking to combat terrorism within the supply chain is the U.S. Customs Trade Partnership Against Terrorism (C-TPAT). The program is voluntary for private industry, but Arway says the national standards as a whole are seeing global adoption.</p><p>“Standards have come a long way in how they’ve been able to incorporate security into the movement of goods,” he notes. “Many countries have accepted these programs into their own supply chain security programs.”</p>
https://sm.asisonline.org/Pages/Supply-Chain-Security.aspx
Supply Chain Security: A Comprehensive Approach
<p dir="ltr" style="text-align:left;"><em>CRC Press; crcpress.com; 189 pages; $69.95.</em></p><p dir="ltr" style="text-align:left;">Author Arthur Arway brings the reader into the world of supply chain security by looking at the why, the what, and the how in Supply Chain Security: A Comprehensive Approach. He also demonstrates how important it is to instill a culture of security in and around the supply chain, showing how a weak link in the chain can bring the rest of it crashing down.</p><p dir="ltr" style="text-align:left;">One section of the book is devoted to the regulations and resources available to a security practitioner; this is especially valuable to people who are new to the field. Additional value is brought to the text by including sample documents such as plans and budgets that can be used in a supply chain security program. Lastly, the addition of real case studies helps to demonstrate the lessons taught by this book.</p><p dir="ltr" style="text-align:left;">Based on my own experience at the third-largest seaport in the United States, I can confirm that the enormity and complexity of the supply chain can become overwhelming, even to a seasoned security manager. This book certainly earns a place on the bookshelf of the security professional looking to explore the world of supply chain security, as well as the practitioner just starting in the field who needs a solid reference.</p><p dir="ltr" style="text-align:left;"><em><strong>Reviewer:</strong> Bill Crews, CPP, served as the director of port security and emergency operations at the Port of Houston Authority in Texas. He is a member of the ASIS International Houston Chapter.</em></p>
https://sm.asisonline.org/Pages/Access-Under-Control.aspx
Access Under Control
<p><span style="line-height:1.5em;">Companies spend significant resources on access control equipment. Estimates of the size of the global market range from about $6 billion to around $22 billion, and a recent ASIS survey indicates that 57 percent of U.S. businesses will be increasing access control spending through 2016. </span></p><p>Upfront costs are just the start. Security professionals take time to determine which doors need to be locked and when. They decide where to install readers and decide how to process visitors. Despite the effort spent on the access control equipment layout and maintenance, over time the access control database can become mismanaged. Requests for tweaks to reader groupings and access levels are continuous. One group may want time restrictions for the janitorial crew; another group may need access to one door but want to restrict others. If these accommodations are made without regard for the overall system, over time a complicated tangle of access control levels is created. The next thing you know, security no longer controls access; access control takes charge of the organization’s security, resulting in a chaotic mess.</p><p>BB&T, a large financial services institution headquartered in Winston-Salem, North Carolina, has protocols in place that ensure appropriate and accurate administration of access control systems at its corporate locations. The Fortune 500 company has more than 1,800 financial centers in 12 states. In addition, it has approximately 120 corporate buildings–data centers, operations centers, call centers, corporate and regional headquarters–that have access control systems. </p><h4>Challenges</h4><p>Regulatory developments over the last decade make it necessary to closely maintain access control data. 
The Health Insurance Portability and Accountability Act of 1996 and Gramm-Leach-Bliley Act of 1999 require healthcare and financial organizations, respectively, to keep strict watch over sensitive and personal information. The Sarbanes-Oxley Act of 2002 forced a strengthening of internal controls within corporations. More recently, the Payment Card Industry Data Security Standard requires that companies keep tight control over credit and debit card data. </p><p>These regulations, as well as others that affect specific industries, have brought more scrutiny to the administration of access control data. Most large organizations, especially those in regulated industries, have experienced an increase in audit activity as it relates to physical access controls. This means that regular reviews of access reports are required in many cases. For this reason, it is critical that the data in a company’s access control database be clean and accurate. </p><p>Numerous challenges can arise from failing to properly maintain an access control system. Maintenance lapses can result in thefts when, for example, terminated employees get into a facility. What good is an access control system if, due to negligence in maintaining the system, people can enter places they shouldn’t? If your access control database has been around for years and has turned into a Byzantine web of access permissions, what steps can be taken to get control over the data? </p><p>Access control database administrators must have an ongoing process of maintaining the accuracy of the data. A standards-based approach must be taken to manage any effective access control program. Standards include defining the types of users in the system–employees, vendors, visitors, temporary card users–and establishing credentials for which each of these user categories will be managed and reviewed. Once the user categories are defined, space definitions and ongoing maintenance procedures must be established. 
</p><h4>Database management</h4><p>BB&T categorizes its cardholders into three groups based on the users’ network login ID. There are employees and contractors with a company network login ID; vendors, tenants, and others without a company network login ID; and temporary users. BB&T uses the network login ID for employees and contractors because the network ID is also used in the IT security database. This allows security to match the IT access records to the physical access records. Human resource data was considered for this match, but the bank determined that many vendors, temporary employees, and contractors who have a BB&T network login ID are not included in its human resource system. Matching the network login ID covers a majority of the organization’s users. If the records do not match, the user’s access is terminated. </p><p>For cards not involved in the matching process, BB&T identifies a company employee who can serve as a sponsor for each vendor and tenant. The company conducts quarterly reviews of those cards, during which the company sponsor ascertains whether the vendor or tenant employee still works for the third-party company and still needs the BB&T card.</p><p>All temporary cards in the system are assigned to the individuals who have the cards in their possession. The temporary cards may be used by visitors, trainees, vendors, and employees who forgot their badge at home. Information on the cardholder is housed within the access control database. Quarterly reports for all temporary cards are sent to one person who is responsible for ensuring that their temporary cards are accounted for. </p><h4>Space</h4><p>BB&T has established criteria and definitions of the physical space in its environment and categorizes space into three categories: critical, restricted, and general. Criteria are established for each category of space. The critical category is reserved for high-risk, critical infrastructure areas, such as server rooms or HVAC sites. 
Restricted space is office space for departments that the company deems restricted. All critical and restricted space is assigned a space owner. The space owner is then responsible for approving or denying people’s access to that area. General access areas are common doors and hallways.</p><p>For each category of space, standards are established on how access is governed. For example, the data center standards might state that janitors or nonessential personnel are not granted access without an escort. Standards also dictate who can approve access to that space and how often access reports should be reviewed. For example, critical and restricted space reports are reviewed monthly or quarterly.</p><p>Access devices are grouped together based on the categories of space and the users that access the space. This streamlines the access request process and makes it easier for the requestors to understand what access they are selecting. Grouping as many readers together as possible minimizes the number of possible groupings, meaning that there are fewer choices for those requesting access. It also makes it easier to ensure that access reports are accurate, and it simplifies the process of approving access and access report reviews. If all readers for critical space to a building are grouped together, only one approval would be required for critical space and only one report would need to be reviewed. </p><p>However, in some cases, minimizing groupings may not be possible. For example, one group of users may be allowed into the IT area but only a subset of that group has access to the server room that resides within the lab. In this case, groups would be categorized by the users rather than the readers.</p><p>It’s also important to make sure that access levels and device groupings don’t overlap. This can complicate the request process and the report reviews and could cause access reports to reflect an incomplete list of users who have access to a space. 
For example, in a building with three readers, grouping one may include the front and back doors, and grouping two may include the communications room. If, in addition to these two groupings, there is an overarching grouping three that includes all three readers, this could create a problem since each of the three individual readers belongs to two different groupings. In this scenario, if a request is made to determine who has access to the communications room, rather than producing a report of the communications room reader group, an additional report of the group of all three readers would need to be provided. In many organizations, this second step is missed, causing an inaccurate representation of those with access to a specific area. This can be a major issue if discovered during an audit.</p><p>Another way to remedy this issue would be to run reader reports on individual doors, in this example, a reader report on the communications room only. Most access control systems allow for this type of report. However, in companies with a large number of individual card readers, this would require many more reports. The same users often need access to multiple doors, so combining them into groupings that don’t overlap makes more sense than running individual reader reports. As a rule, BB&T does not allow a reader that has been deemed critical or restricted to belong to more than one reader grouping. This ensures that access reports are accurate and complete. It does, however, require that a user who needs access to a full building, such as a janitor or security officer, request access to each area of the building rather than requesting overarching access to the entire building. This is beneficial, not only for reporting reasons, but also because it requires that space owners approve all users who have access to their space and holds the space owners responsible for knowing who is entering their space. 
Controls in the report review process can be set up to ensure that a space owner does not remove access for a janitor or security officer. Some systems allow cards to be flagged and would require a higher level of scrutiny before access is removed. Nonetheless, this is a cleaner way to set up access levels and ensures that space owners will review a report of all users that have access to their space, which is what most auditors are looking for.   ​</p><h4>Clean-Up</h4><p>If an access control system has become muddled over time, a database clean-up is recommended. A good place to start is to deactivate all cards that have not been used in a specific timeframe, such as the previous six months. Thus there will be fewer cards to review. Then, security can find a common piece of data with another database in the company that provides a match of current employees. Human resource or information security data is best to determine whether active cardholders in the system still work for the company. Of the remaining cards for nonemployees, visitors, tenants, and contractors, security should research whether the card users can be associated with a manager or employee within the company. Security can work with these internal partners to implement an ongoing review of access cards. ​</p><h4>Maintenance</h4><p>Performing a regular match of human resource or information security data ensures that cards are deactivated for users whose information does not match that on the card. If a user is not captured in the match, that person should be assigned to a sponsor for quarterly review to determine whether any credentials need to be terminated. Access reports should be reviewed for all nongeneral space to ensure that users still need access to the designated areas. Such reviews should take place at regular intervals–not more than quarterly. 
An important piece of the access request process is to ensure that all necessary information is captured to support the new standards and to support the report review. For example, if the request is for a visitor, security should capture the name of the person who will have that card in their possession during the request. </p><h4>Automation</h4><p>BB&T is working to upgrade the automation of its access control request and audit reporting system by the end of 2015. It is considering software that automates the entire access control database management process from the onboarding human resource system to the access control system. This would include a software interface that would be fully integrated with the information security credentialing system. The ideal software would fully integrate with the access control system where approved access is automatically provisioned with no human intervention.</p><p>Cost is a major factor in implementing such automation. Some companies choose to automate pieces of the process. Some use a simple Web portal form that sends e-mails to approvers and ultimately e-mails the request to the team that provisions access or provides a dashboard for the access control team to view requests. Many companies have integrated with human resource or information security data to update their access control system, which allows for the automatic deactivation of cards for terminated employees, vendors, or contractors. Others have found a way to automate the report reviews. Few access control manufacturers provide these additional software tools in combination with their access control software. Some will work with or direct their customers to third-party solutions, while others are beginning to see the need for automation and are incorporating pieces into their standard software package, such as more robust reporting capabilities. 
</p><p>These efforts may seem daunting, but once the standards are set and the database is cleaned up, ongoing maintenance is initiated, and some level of automation is implemented, the system will be under control. It is imperative that security professionals see beyond the equipment and installation and not rely solely on these for protection. A sound maintenance program ensures that, should access control processes be called into question, security can be confident that the company’s program is under control. </p><p>--</p><p><em><strong>Briggette Jimenez, CPP,</strong> is physical security manager at BB&T where she manages the company’s security command center, security operations, and workplace violence prevention programs.</em></p>
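<p>The three-reader building described under "Space", worked through as an added example (not BB&T's code and not part of the original article): it shows why a per-grouping report understates who can open the communications room, checks the one-grouping rule for critical and restricted readers, and splits the overarching grouping into per-area grants. Reader names, grouping names, login IDs and function names are constructed for illustration.</p>

```python
from collections import defaultdict

# Constructed sample data modelled on the article's three-reader building.
READER_CATEGORY = {
    "front_door": "general",
    "back_door": "general",
    "comms_room": "critical",
}
GROUPINGS = {
    "grouping_1": {"front_door", "back_door"},
    "grouping_2": {"comms_room"},
    "grouping_3": {"front_door", "back_door", "comms_room"},  # overarching
}
# Cardholder login ID -> groupings granted (hypothetical IDs).
GRANTS = {
    "asmith": {"grouping_1"},
    "bjones": {"grouping_1", "grouping_2"},
    "janitor01": {"grouping_3"},
    "officer07": {"grouping_3"},
}


def grouping_report(grouping, grants=GRANTS):
    """Users listed on the report for a single grouping."""
    return {user for user, groups in grants.items() if grouping in groups}


def effective_access(reader, groupings=GROUPINGS, grants=GRANTS):
    """Everyone who can open `reader` through any grouping that contains it."""
    containing = {g for g, readers in groupings.items() if reader in readers}
    return {user for user, groups in grants.items() if groups & containing}


def overlap_violations(groupings=GROUPINGS, categories=READER_CATEGORY):
    """Critical or restricted readers that belong to more than one grouping."""
    membership = defaultdict(set)
    for name, readers in groupings.items():
        for reader in readers:
            membership[reader].add(name)
    return {
        reader: sorted(groups)
        for reader, groups in membership.items()
        if categories[reader] in ("critical", "restricted") and len(groups) > 1
    }


def split_overarching(overarching, groupings=GROUPINGS, grants=GRANTS):
    """Retire an overarching grouping and re-express its grants per area.

    Each resulting per-area grant is what the space owner would then approve.
    """
    target = groupings[overarching]
    parts = {g: r for g, r in groupings.items() if g != overarching and r <= target}
    covered = set().union(*parts.values())
    if covered != target:
        raise ValueError(f"no smaller grouping covers {sorted(target - covered)}")
    new_groupings = {g: r for g, r in groupings.items() if g != overarching}
    new_grants = {}
    for user, groups in grants.items():
        if overarching in groups:
            groups = (groups - {overarching}) | set(parts)
        new_grants[user] = set(groups)
    return new_groupings, new_grants


if __name__ == "__main__":
    listed = grouping_report("grouping_2")
    actual = effective_access("comms_room")
    print("comms room report lists:", sorted(listed))
    print("missing from that report:", sorted(actual - listed))
    print("rule violations:", overlap_violations())
    fixed_groupings, fixed_grants = split_overarching("grouping_3")
    print("violations after split:", overlap_violations(fixed_groupings))
```

<p>After the split, the grouping-two report and the effective access list for the communications room are the same set, which is the property the space owner's review depends on.</p>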