Post on 14-Dec-2015


Securing the High-Tech Supply Chain

Steve Lund, Director of Corporate Security

Intel Corporation

December 5th, 2002 Steve Lund – Intel Corporation


Agenda

• Intel’s Supply Chain Security model

• Creation and Evolution of TAPA

• Using standards and TAPA models to meet new threats of terrorism

• U.S. Customs Trade Partnership Against Terrorism (C-TPAT)

• Intel’s Threat Response and Emergency Management Program

• Drilling for Success


Why Develop Freight Security Requirements?


Intel’s Transportation Supplier Management Model

• For more than 10 years, Intel has embedded security requirements in freight transport contracts
– Physical security of premises and equipment (e.g. trucks)
– Procedural security (e.g. background investigations)
– Contractually obligated, with established metrics and periodic performance evaluation

• With the introduction of the Pentium® product line, this program was further refined to achieve door-to-door security
– Zero losses of Pentium® product in first quarter of shipping

• Intel’s model gained notice among other high-tech companies experiencing freight theft, which led to the formation of the Technology Asset Protection Association


What is TAPA?

The Technology Asset Protection Association is a non-profit forum of security, insurance and logistics professionals representing high technology companies who have organized for the purpose of addressing the emerging cargo security threats common to the technology industry.

www.tapaonline.org


WHAT TAPA IS NOT

• Forum for “blacklisting” of suppliers
– Information sharing is done on standards and BKM’s, not on any supplier performance issues

• Forum for comparison of industry/supplier losses
– All discussion under NDA--$ = “don’t ask / don’t tell”

• Guarantor of business
– Supplier compliance to standards gauged independently
– Certified suppliers to be listed on limited access website--non-certified locations not listed

• Unreasonable or cost-prohibitive


Evolution of TAPA

• 1997: Security professionals meet to address problem of high tech theft:
– Global problem -- no one exempt from cargo theft
– Demand for product peaking
– Highly liquid components and demand on grey and black markets
– Conclusion: Establish a forum dedicated to development of best known protective measures, benchmarking and global implementation – “A rising tide lifts all boats”

• 1998-2000: Development of Standards
– Audit Criteria
– Contractual Security T&C’s in form of Freight Security Requirements
– Scoring Matrix
– RFQ for Independent Auditors

• 1999: TAPA EMEA formed

• 2000: TAPA Asia formed, TAPA Worldwide Council developed

• 2001: Independent Audit program proliferated
– Audit companies trained, three day course - Certification process begins
– eTAPS developed in Europe

• 2002: Worldwide membership exceeds 450
– Benchmarked as best in class by Technology and Terrorism Committee, U.S. Senate
– Pharmaceutical membership extended
– Over 200 audits scheduled worldwide


Partnership = Leverage

• 450+ worldwide members

• Active organizations in Americas, Asia, EMEA

• Market Capitalization of member companies > $1.25 Trillion
– In 2000, was $3.0 Trillion…

• Annual Sales of member companies > $750 Billion

• Uniform approach to problematic locations versus fragmented efforts

• Support of law enforcement investigations
– Product, equipment, packaging, information

• Industry contacts worldwide - strong communication infrastructure

• Information and training on products and vulnerabilities

• Access to TAPA quarterly meetings
– Presentation, Participation, Networking


Putting the Right Security Measures in Place

• Classification of facilities in 3 categories (A, B, C) depending on level of threat
– Threat calculated by environmental and historical data and risk aversion level for individual company
– Highest level classification requires highest level of security

• Applied to trucking operations as well as air operations

• Assessment protocol using 0 - 2 qualitative score--no weighting


V3 PHILOSOPHY

• VALUE

• VOLUME

• VULNERABILITY


Freight Security Model

[Diagram labels: Contractual Language; Standard Assessment Protocol; Freight Security Requirements; Investigations; Training; Consequences]


Independent Auditors:

[Figure with two panels, “Move From This…” and “…To This”. Labels: FREIGHT CARRIER / FORWARDER; TAPA AUTHORIZED AUDITOR. Companies shown: H. PACKARD, ACER, AMD, AMDAHL, AMGEN, ASPEN SYS., AMS, AVNET, BAY NETWKS, BERNES GP, CELESTICA, CISCO, COMARK, COMPAQ, CYRIX/NSM, DELL, DIGITAL, ENTEX, FAIRCHILD, GATEWAY, HITACHI, INACOM, INGRAM, INTEL, IBM, LEXMARK, MATSUSHITA, MAXTOR, MERISEL, MICROAGE, MICRON, MOTOROLA, NORRED, PNY, PACKARD BELL, PHILIPS, QUANTUM, SAMSUNG, SEAGATE, SED INT., SILICON GR., SOLECTRON, SMITH ASSOC., SONY, SUN MICRO., TECH DATA, TEXAS INST., TOSHIBA, 3COM, WESTERN DIG.]


TAPA Sub-Teams

• Insurance Team:
– Leverage insurance industry influence on mandatory standards
– Insurance premium analysis
– Program proliferation

• Waiver Committee:
– Review body for all supplier waivers

• Integrator/3rd Party Logistics:
– Standards development for inventoried product/outsourced warehousing
– Work with Integrator market on program certification and standards


Post-9/11 Threats

Leveraging Existing Programs and Creating Models to Meet New Challenges


Positioned for Emerging Threats

• September 11, 2001 re-focused attention on the threat of terrorism to all operations, including supply chain
– Employee safety and security – home, office, travel
– Airline grounding in aftermath of attacks – alternative shipping lanes, managing product backlog
– Contingency plans for design, manufacturing, distribution
– Upstream and downstream impacts of direct attack or collateral impact – are suppliers and customers prepared?
– Communications infrastructure vulnerabilities
– Scarcity or unavailability of insurance

• The comprehensive nature of the supply-chain security measures established and proliferated through TAPA has shown ancillary benefits to anti-terrorism efforts


Customs Trade Partnership Against Terrorism (C-TPAT)

• Establishes Supply Chain Security requirements: Factory, Warehouse, Docks, Forwarder/Integrator Facilities

• Shared FSR’s, Audit Protocol, and Scoring Matrix with program management, best known methods to date

• USC agreement that TAPA security requirements fulfill supplier and manufacturer obligation if C-TPAT certified

• Several companies have been C-TPAT certified by implementing TAPA supply chain model
– Intel certified September, 2002


C-TPAT Focus Areas

“Develop and implement a sound plan to enhance security procedures. These are general recommendations that should be followed on a case-by-case basis depending on the company’s size and structure and may not be applicable to all.”

Required Locations

• Supply Chain
– Importer
– Broker

• Manufacturer

• Warehouse

• Air / Sea / Land Carriers

Required Elements

• Procedural Security

• Personnel Security

• Physical Security

• Education and Training

• Conveyance Security

• Access Controls

• Manifest Procedures


C-TPAT Membership Benefits

• A reduced number of inspections
– Avoids delays in shipment and negative impact to customers

• More secure supply chain for employees, suppliers and customers

• Account Based Processing (bi-monthly/monthly submission of duties)

• Self policing and assessment

• Partnership with government against terrorism

• Membership in first worldwide supply chain wide security initiative

• Account Manager will be assigned

• Access to the list of other C-TPAT members


Threat Management

• Internal focus after 9/11/01 and anthrax mailings on emergency preparedness and business recovery / continuity
– Developed a Security and Safety Task Force comprised of all major business groups
  • Corporate Business Continuity program office an outgrowth of effort
– Operational risk assessments to identify single points of failure and critical assets, with specific action plans to mitigate vulnerabilities
  • Clear deliverables, timelines, and continuous review of progress
– Response plans for various major or catastrophic scenarios
  • Loss of facility
  • Loss of supplier capability (equipment, transportation, services)
  • Anthrax or other biohazard introduced into environment
– Creation of a Corporate Emergency Operations Center to ensure a mechanism for top-level management of crises, enable effective communication and coordination of site responses


Intel Site Emergency Operations Centers (EOC’s) and Corporate Emergency Operations Centers (CEOC’s)

[Map. Locations shown: Arizona, New Mexico, Folsom, Dupont, Oregon, Santa Clara, Colorado, Hudson, India, Ireland, Israel, Japan, Malaysia, Philippines, China, Costa Rica, Utah, England. Legend: Blue font = location of Site and Corporate EOC’s]


Site EOC’s

• Located at each major site worldwide

• Locally managed, with EOC director from major business group, cross-functional participation:
– Local business groups
– Security
– EHS
– Public Affairs
– Site Services

• Established location on-site, with equipment and procedures as required by Corporate Emergency Management program, including:
– Response templates for various scenarios
– Multiple computer connections
– Media connection (e.g. satellite TV news)
– Redundant communications
  • PBX phone lines
  • Dedicated copper phone lines
  • Local channel radios
  • Satellite telephones
  • Ham Radio equipment / operators


Corporate EOC

• Multiple locations for redundancy and efficiency

• Membership at senior-level management
– Core CEOC – Director, Coordinator, Security, EHS, Corporate Communications, CEOC Scribe
– Extended CEOC – Legal, HR, Sales, Finance, other business groups

• Established rooms, fitted with all site EOC elements

• CEOC guidelines specific to CEOC operations
– Controlled document, scheduled revisions

• Activation linked to existing Security or EOC escalation actions, or at discretion of core team members

[Diagram: site EOC’s and the CEOC]

Intent to enable response at site level, coordinate communication between sites and senior management, and enable informed and effective internal and external messages by Executive Staff


Drills

• Corporate Emergency Management group, site EOC’s, and various business groups have historically utilized tabletop exercises and full drills
– Corporate Drill Roadmap

• After September 11th, some drill scenarios were added, and scope of drills increased to comprehend all operational elements
– Anthrax response (based on existing plans) – included test kits, expanded communication, employee awareness (mail rooms)
– Other biohazard scenarios
– Aviation disaster response
– Function-specific business recovery
– CEOC and EOC emergency response capability
– “Dirty bomb” scenario

• Typically 10-12 separate drills per quarter
– Designed and led by affected business group (IT, TMG, HR, etc.)
– Site EOC and CEOC participation as warranted by scenario


Supply Chain Drills

• Business unit drills designed to include all potentially impacted elements of that group

• Clear and detailed drill scenarios outlined, including
– Participants and their roles
– Design of drill
– Objectives of the exercise
– In scope / Out of scope
– Artificialities of the drill (assumptions)
– Starting script

• Drills involve accelerated timelines, role-playing, simulated supplier engagement

• Key suppliers have been engaged in establishing Business Continuity and identifying gaps and focus areas

• Supply network rebalance/reset has become a key aspect of drills


Recent Drills Involving Supply Chain

Q2 2002

• Scenario involved loss of key manufacturing facility in the Philippines

• All immediate emergency response elements assumed to be under control

• Impact to employees – managing casualties and communication

• Explored transportation and warehousing capability in first 72 hours, at 3-7 days, and at 7+ days following the incident

• Impacts to other sites

• Internal and External communications

Q4 2002

• Scenario involved loss of production in Oregon due to massive earthquake

• All emergency response elements assumed under control

• Airport closure part of scenario

• Team worked through transportation and warehouse capabilities in first 24 hours, 24-72 hours, 3-7 days, 8-14 days, 30 days, and 45 days after incident

• Prioritizing shipments, identifying alternative transportation methods and routes


Key Elements

• Effective supply chain management program, door to door
– By starting with focus on security, have infrastructure in place to influence or manage the entire process

• Effective Risk Assessment protocol to identify single points of failure, critical focus areas, and mitigation strategies
– Understand context of risks / threats, local flavors, key relationships with internal groups or suppliers, and how those relationships can be affected by a crisis

• Senior Management and Business Group commitment
– Corporate-level processes and coaching, but need each group to leverage their expertise and experience to their functional area

• Integrated response capability
– All business groups engaged in crisis management planning
– Key service groups (Security, EM, EHS) linked to response and continuity efforts

• Drill, Drill, Drill


QUESTIONS?


Back Up


TAPA Partners

• The Infrastructure Security Partnership:
– Cargo Security
– Risk/Threat Assessments in Supply Chain

• Transportation Security Administration:
– Partnership on development of FTL / LTL trailer load security requirements
– TAPA Standards template for in transit cargo protection

• National Cargo Security Council


TAPA Independent Audit Firms