Anti-Terrorism Corrective Action Plan 20141008 (REFERENCE).xls
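Corrective Action Plan Report

Company: XXYYZZ CO LTD
Address: China
BV Reference: 10142620871
Audit Date: 29-Sep-14
Auditor(s): YYY
Company Representative Acknowledgment:
Audit Standard: THD SECURITY ASSESSMENT V3

Columns: Clause No.; Original Clause Requirement; Levels of Non-Conformance; Audit Findings; Corrective Action Plan (to be completed by factory); Implementation Steps and Documentation Needs (to be completed by factory); Responsible Individual (to be completed by factory)

1 Personnel Security

Clause 1.7
Original Clause Requirement: Written personnel termination procedures have been established and adhered to. All access is prohibited for terminated employees, all company security property is returned (e.g. ID badge, keys, access cards) and all accesses are terminated (e.g. entrance codes or computer access).
Level of Non-Conformance: I; Prior to First Shipment
Audit Findings: It was noted that the factory did not establish the written personnel termination procedure.
Audit Findings (from the Chinese text): The audit found that the factory had not established a written employee termination control procedure.
Corrective Action Plan: Immediately revise the termination procedure and add an employee termination checklist.
Implementation Steps and Documentation Needs: 1. Revise the termination procedure to add a checklist. 2. Retain and record the termination checklists.
Responsible Individual: YYY

Clause 1.2
Original Clause Requirement: Employees are informed and aware of a written company code of conduct or policy that addresses security practices and violations (interview at least 3 employees).
Level of Non-Conformance: Within Six Months
Audit Findings: It was noted that 2 out of 6 interviewed employees did not know about the factory's security policy.
Audit Findings (from the Chinese text): The audit found that 2 of 6 interviewed employees did not understand the factory's security policy and procedures.
Corrective Action Plan: Immediately set up a security policy training plan for employees.
Implementation Steps and Documentation Needs: 1. Draw up an employee training plan. 2. Conduct regular security training for employees and keep employee sign-in records.
Responsible Individual: YYY

Clause 1.6
Original Clause Requirement: The company conducts periodic checks of current employees based on the cause and/or the sensitivity of the employee's position.
Level of Non-Conformance: bp; Best Practice
Audit Findings: It was noted that the factory did not conduct periodic checks of current employees based on the cause and/or the sensitivity of the employee's position.
Audit Findings (from the Chinese text): The audit found that the factory did not carry out periodic background and other security information checks on current employees in sensitive positions.
Corrective Action Plan: Immediately carry out security information checks on personnel in sensitive positions such as warehouse staff, packing staff and security staff.
Implementation Steps and Documentation Needs: Periodically check the company's warehouse staff, packing staff and security staff and keep records.
Responsible Individual: YYY

Clause 1.10
Original Clause Requirement: The company conducts criminal background checks on employment screening of the prospective applicants.
Level of Non-Conformance: bp; Best Practice
Audit Findings: It was noted that the factory did not conduct criminal background checks on employment screening of the prospective applicants. Remark: The factory required all employees to issue a written statement to self-claim that there was no criminal record or other adverse records for themselves.
Audit Findings (from the Chinese text): The audit found that the factory did not conduct background checks on applicants for sensitive positions. Remark: The factory requires each employee to provide a written statement declaring that they have no criminal record or other adverse record.
Corrective Action Plan: Draw up a written declaration of no criminal record or other adverse record, and require personnel in sensitive positions such as warehouse staff, packing staff and security staff to sign it.
Implementation Steps and Documentation Needs: Periodically conduct background checks on personnel in sensitive positions such as warehouse staff, packing staff and security staff, and keep records.
Responsible Individual: YYY

2 Physical Security

Clause 2.20
Original Clause Requirement: Outgoing trucks, trailers and containers are subject to checking for contents and release criteria. Any abnormalities found are reported to relevant personnel.
Level of Non-Conformance: I; Prior to Approval
Audit Findings: It was noted that no procedure and record was available to prove the factory conducted safety checks for contents of outgoing trucks and trailers and reported related abnormalities to relevant personnel.
Audit Findings (from the Chinese text): The audit found no procedure or record showing that the factory conducted security checks of the contents of outgoing trucks and trailers or reported related abnormalities to the relevant security department.
Corrective Action Plan: 1. Immediately add an outgoing contents security checklist for goods vehicles, trucks and container trucks; inspect and record.
Implementation Steps and Documentation Needs: 1. Set up a General Security Department. 2. Establish a management system for security checks of the contents of persons and vehicles entering and leaving the factory, and a procedure for reporting and handling abnormalities.
Responsible Individual: YYY

Clause 2.1
Original Clause Requirement: The main manufacturing and final storage buildings are of a solid structure to prevent unlawful access.
Level of Non-Conformance: Prior to First Shipment
Audit Findings: It was noted that the factory used the lobby on the 1st floor of the office, production and warehouse combined building as its finished product warehouse. The lobby had only three sides of walls and the gate side of the lobby was not constructed with a wall or fencing barrier.
Audit Findings (from the Chinese text): The audit found that the factory used the first-floor lobby of a three-story combined office, production and warehouse building as its finished product warehouse. The lobby has walls on only 3 sides; the entrance side has no wall or fence barrier.
Corrective Action Plan: Partition the existing finished product warehouse off into a separate, walled warehouse to prevent unlawful entry and exit.
Implementation Steps and Documentation Needs: 1. Improve the finished product warehouse security facilities and rules to prevent unlawful entry and exit. 2. Inspect and audit the related records.
Responsible Individual: YYY

Clause 2.19
Original Clause Requirement: Incoming trucks, trailers and containers are subject to checking for contents. Any abnormalities found are reported to relevant personnel.
Level of Non-Conformance: I; Prior to First Shipment
Audit Findings: It was noted that no procedure and record was available to prove the factory conducted safety checks for contents of incoming trucks and trailers and reported related abnormalities to relevant personnel.
Audit Findings (from the Chinese text): The audit found no procedure or record showing that the factory conducted security checks of the contents of incoming trucks and trailers or reported related abnormalities to the relevant security department.
Corrective Action Plan: 1. Add an incoming contents security checklist for goods vehicles, trucks and container trucks, and carry out the checks. 2. Add an abnormality response, reporting and handling procedure at the guardhouse.
Implementation Steps and Documentation Needs: 1. Train security staff periodically. 2. Inspect and audit the related records.
Responsible Individual: YYY

Clause 2.14
Original Clause Requirement: The company maintains recorded security tapes for a minimum of 30 days in a secure location with restricted access.
Level of Non-Conformance: bp; Best Practice
Audit Findings: It was noted that the factory only kept the security tape for the most recent one day.
Audit Findings (from the Chinese text): The audit found that the factory keeps only the most recent one day of surveillance recordings.
Corrective Action Plan: Upgrade the surveillance equipment.
Implementation Steps and Documentation Needs: Upgrade the surveillance equipment so that it can retain at least 7 days of recordings.
Responsible Individual: YYY

3 Physical Access Controls

Clause 3.9
Original Clause Requirement: Visitors/Vendors are positively identified upon arrival at the facility.
Level of Non-Conformance: Prior to Approval
Audit Findings: It was noted that the security guards or safety officer did not identify the visitors/vendors by checking their valid photo identifications prior to allowing their entry to the factory.
Audit Findings (from the Chinese text): The audit found that the factory's security staff did not check the valid identification of visitors and vendor personnel before admitting them.
Corrective Action Plan: Gate security staff add an item to the entry checklist for verifying visitors' identification documents.
Implementation Steps and Documentation Needs: 1. Train security staff periodically. 2. Inspect and audit the related records.
Responsible Individual: YYY

Clause 3.10
Original Clause Requirement: Visitors/Vendors shall present photo identification.
Level of Non-Conformance: Prior to Approval
Audit Findings: It was noted that the visitors/vendors were not required to present photo identifications prior to entering the facility.
Audit Findings (from the Chinese text): The audit found that the factory's security staff did not require visitors and vendor personnel to present valid identification bearing their photo before entering the factory.
Corrective Action Plan: Gate security staff add an item to the entry checklist for verifying valid photo identification and other related documents.
Implementation Steps and Documentation Needs: 1. Train security staff periodically. 2. Check the related records to confirm effectiveness.
Responsible Individual: YYY

Clause 3.12
Original Clause Requirement: Visitors/Vendors shall wear a badge or similar identification.
Level of Non-Conformance: Prior to Approval
Audit Findings: It was noted that the factory did not issue badges or similar identification to visitors and vendors and require them to wear the badges while in the factory.
Audit Findings (from the Chinese text): The audit found that the factory's security staff did not issue visitor badges to arriving visitors and vendor personnel.
Corrective Action Plan: Gate security staff check the visitor's identity and, once it is confirmed, issue a visitor badge before the visitor may enter the factory.
Implementation Steps and Documentation Needs: 1. Revise the anti-terrorism and security procedure documents. 2. Train security staff periodically.
Responsible Individual: YYY

Clause 3.19
Original Clause Requirement: Where applicable, access controls (a), (b) and/or (c) are in place to prevent unauthorized access: (a) Photo identification badges for employees; (b) Electronic proximity or swipe card keys, passcode, fingerprint or other biometric identification; (c) Security guard patrol checkpoints.
Level of Non-Conformance: I; Prior to Approval
Audit Findings: The factory had established a written policy and issued photo identification badges to each employee for access to the facility. However, it was noted that about 30 of the present workers were not wearing his/her badge during working hours on the audit day.
Audit Findings (from the Chinese text): The audit found that the factory uses employee cards bearing the employee's photo as its only means of employee access control. However, on the audit day about 30 of the working employees were not wearing their employee cards.
Corrective Action Plan: Immediately issue employee badges to all employees not wearing an employee card.
Implementation Steps and Documentation Needs: Combine the employee badge with electronic time-clock punching so that employees always carry it.
Responsible Individual: YYY

Clause 3.8
Original Clause Requirement: Employees have limited access to finished products and storage areas.
Level of Non-Conformance: Prior to First Shipment
Audit Findings: It was noted that the finished products stored in the lobby on the 1st floor of the office, production and warehouse combined building were without physical separation and not monitored by security guards/safety officers. All personnel in the factory could access the finished products freely without restriction. Remark: The management represented that they used this lobby as the finished products warehouse due to shortage of storing capacity. They were planning to add wall separation and monitoring to the finished products storage area.
Audit Findings (from the Chinese text): The audit found that the factory's finished products were stacked in the first-floor lobby of the combined office, production and warehouse building without physical separation or control by security staff, so personnel in the factory could freely access the finished products. Remark: The factory explained that, because of insufficient storage space, it could only use the first-floor lobby of the combined building as the finished product warehouse, and that it is currently preparing to add wall separation and controls to this warehouse.
Corrective Action Plan: Partition the existing finished product warehouse off into a separate, walled warehouse to prevent unlawful entry and exit.
Implementation Steps and Documentation Needs: 1. Improve the finished product warehouse security facilities and rules to prevent unlawful entry and exit. 2. Check the related records to confirm effectiveness.
Responsible Individual: YYY

Clause 3.6
Original Clause Requirement: During extended absences, the employee's access to the facility and information systems is temporarily suspended until his/her return.
Level of Non-Conformance: bp; Best Practice
Audit Findings: No document was available to show that the employee's access to the facility and information systems is temporarily suspended until his/her return during extended absences.
Audit Findings (from the Chinese text): The factory could not provide evidence that an employee's access rights to the factory are temporarily suspended while the employee is away for a long period.
Corrective Action Plan: Add an application form and approval step for employees' extended leave and absences.
Implementation Steps and Documentation Needs: For personnel absent for 10 days or more, the employee badge is handed in to the General Security Department for temporary safekeeping.
Responsible Individual: YYY

Clause 3.7
Original Clause Requirement: Employees' entry and exit times are restricted according to their work schedule. Attempts to access work areas outside normal hours are recorded and investigated.
Level of Non-Conformance: bp; Best Practice
Audit Findings: It was noted that the factory did not restrict employees' entry and exit times according to their work schedule. Furthermore, the factory did not investigate employees' attempts to access work areas outside normal hours.
Audit Findings (from the Chinese text): No procedure or record shows that the factory investigates employees entering or leaving work areas outside working hours.
Corrective Action Plan: Security staff question and check employees who enter or leave work areas outside working hours.
Implementation Steps and Documentation Needs: Add an employee entry and exit form for non-working days; retain the records and review them.
Responsible Individual: YYY

Clause 3.17
Original Clause Requirement: The company periodically conducts random searches of all persons and packages entering the facility.
Level of Non-Conformance: bp; Best Practice
Audit Findings: No policy or record was available to show that the factory periodically conducted random searches of all persons entering the facility.
Audit Findings (from the Chinese text): The audit found that the factory had not established a procedure and could not provide records showing that it periodically and randomly checks persons in the factory and their stored belongings.
Corrective Action Plan: Immediately add a search log; security staff randomly check persons in the factory and their stored belongings.
Implementation Steps and Documentation Needs: 1. Train security staff. 2. Check the related records to confirm effectiveness.
Responsible Individual: YYY

Clause 3.24
Original Clause Requirement: Screening of incoming packages and mail is conducted before distribution and an isolated area is designated for the purpose.
Level of Non-Conformance: I; bp; Best Practice
Audit Findings: It was noted that the factory did not conduct the screening of incoming packages and mail and designate an isolated area for the purpose.
Audit Findings (from the Chinese text): The audit found that the factory had not established a procedure for screening incoming packages and mail before distribution, nor designated a dedicated screening location for carrying it out.
Corrective Action Plan: Designate the guardhouse as the package and mail inspection station; inspect packages and mail before distribution to ensure there are no abnormalities.
Implementation Steps and Documentation Needs: 1. Train gate security staff. 2. Gate guards inspect and log packages and mail arriving at the factory to ensure there are no abnormalities before distribution.
Responsible Individual: YYY

Clause 3.25
Original Clause Requirement: Employees are provided with lockers to keep their personal bags, which are segregated from production and warehouse areas.
Level of Non-Conformance: I; bp; Best Practice
Audit Findings: It was noted that the factory did not provide lockers, segregated from production and warehouse areas, to employees for storing their personal belongings.
Audit Findings (from the Chinese text): The audit found that the factory did not provide employees with lockers for personal items in an area outside production and the warehouse.
Corrective Action Plan: Install lockers in an area outside the workshop for storing personal items.
Implementation Steps and Documentation Needs: 1. Install lockers in an area outside the workshop for storing personal items. 2. Train employees; personal items must not be brought into the workshop.
Responsible Individual: YYY

4 Procedural Security

Clause 4.2
Original Clause Requirement: Procedures for identifying, challenging and addressing unauthorized persons attempting to enter facilities are in place.
Level of Non-Conformance: Prior to Approval
Audit Findings: It was noted that the factory did not establish the written procedure for identifying, challenging and addressing unauthorized persons attempting to enter facilities.
Audit Findings (from the Chinese text): The audit found that the factory had not established a procedure for identifying, assessing and handling unauthorized persons.
Corrective Action Plan: 1. Draw up an anti-terrorism and security procedure that covers identifying, assessing and handling unauthorized persons. 2. Train gate security staff.
Implementation Steps and Documentation Needs: Carry out the identification, assessment and handling of unauthorized persons and keep records.
Responsible Individual: YYY

Clause 4.22
Original Clause Requirement: An updated file of Corrective Action procedures for security issues is maintained and up to date.
Level of Non-Conformance: Prior to First Shipment
Audit Findings: It was noted that the factory did not establish the corrective action procedure for security issues.
Audit Findings (from the Chinese text): The audit found that the factory had not established a written corrective action procedure for security matters.
Corrective Action Plan: Draw up a corrective and improvement procedure for anti-terrorism and security matters; train the relevant personnel and keep records.
Implementation Steps and Documentation Needs: 1. Act and keep records in accordance with the corrective and improvement procedure for anti-terrorism and security matters. 2. Review and improve anti-terrorism and security matters.
Responsible Individual: YYY

Clause 4.19
Original Clause Requirement: The company conducts random documented security assessments on a regular basis.
Level of Non-Conformance: Within Six Months
Audit Findings: It was noted that the factory had not previously conducted random documented security assessments on a regular basis.
Audit Findings (from the Chinese text): The audit found that the factory did not periodically carry out written security assessments.
Corrective Action Plan: 1. Draw up a written anti-terrorism and security assessment checklist. 2. Factory security inspection staff carry out regular and random security assessments of the factory and record them.
Implementation Steps and Documentation Needs: 1. Train the factory's anti-terrorism and security inspection staff. 2. Carry out regular and random anti-terrorism and security assessments, keep records and correct abnormalities.
Responsible Individual: YYY

5 Information Technology Security

Clause 5.2
Original Clause Requirement: Individual accounts and passwords are created for users to access the system.
Level of Non-Conformance: Prior to First Shipment
Audit Findings: It was noted that the factory did not create individual accounts and passwords for users to access the system.
Audit Findings (from the Chinese text): The audit found that the factory had not set up individual accounts and passwords for computer users.
Corrective Action Plan: Immediately create individual accounts and passwords for computer users.
Implementation Steps and Documentation Needs: Change users' individual passwords periodically (every 3 months) to keep them secure.
Responsible Individual: YYY

Clause 5.3
Original Clause Requirement: Passwords are changed periodically, at least every 90 days.
Level of Non-Conformance: Prior to First Shipment
Audit Findings: It was noted that the passwords were not required to be changed periodically, at least every 90 days.
Audit Findings (from the Chinese text): The audit found that the factory did not require computer passwords to be changed periodically, at least every 90 days.
Corrective Action Plan: Immediately create individual accounts and passwords for computer users.
Implementation Steps and Documentation Needs: Change users' individual passwords periodically (every 3 months) to keep them secure.
Responsible Individual: YYY

Clause 5.7
Original Clause Requirement: The company has a contingency plan to protect its IT systems, which includes a full IT disaster recovery plan to prepare for any unforeseen incidents.
Level of Non-Conformance: Within Six Months
Audit Findings: It was noted that the factory did not establish a contingency plan to protect its IT systems which included a full IT disaster recovery plan to prepare for any unforeseen incidents.
Audit Findings (from the Chinese text): The audit found that the factory had not established a contingency plan, including a disaster recovery plan, to protect its IT systems.
Corrective Action Plan: Establish an IT system protection procedure, including a contingency plan that contains a disaster recovery plan.
Implementation Steps and Documentation Needs: Install uninterruptible power supplies for the factory's personal computers, and back up personal and factory computer files and store them in a secure location outside the factory.
Responsible Individual: YYY

Clause 5.8
Original Clause Requirement: The company conducts system back-ups daily that are stored in a safe and secure place. Additional back-ups are stored off-site.
Level of Non-Conformance: Within Six Months
Audit Findings: It was noted that the factory conducted system back-ups every two weeks, not daily.
Audit Findings (from the Chinese text): The factory performs system backups every half month, not every day.
Corrective Action Plan: Each computer user makes a secure backup every day.
Implementation Steps and Documentation Needs: Back up personal and factory computer files and store them in a secure location outside the factory.
Responsible Individual: YYY

Clause 5.9
Original Clause Requirement: The company regularly holds meetings that are attended by senior management to address information technology issues, including system security.
Level of Non-Conformance: bp; Best Practice
Audit Findings: It was noted that no record was provided to demonstrate that the factory regularly held meetings that were attended by senior management to address information technology issues, including system security.
Audit Findings (from the Chinese text): No record shows that the factory regularly holds meetings, with senior management taking part, on information technology topics including system security.
Corrective Action Plan: 1. Draw up a review and approval procedure for anti-terrorism, security and information technology. 2. At least once a year, convene a meeting attended by senior management on anti-terrorism, security and information technology, including system security, and keep minutes.
Implementation Steps and Documentation Needs: Hold the anti-terrorism and security meetings, including information technology, keep minutes and follow up on improvements.
Responsible Individual: YYY

Clause 5.11
Original Clause Requirement: The company shall establish an appropriate disciplinary action procedure for employees who abuse the IT system.
Level of Non-Conformance: I; Within Six Months
Audit Findings: It was noted that the factory did not establish an appropriate disciplinary action procedure for employees who abuse the IT system.
Audit Findings (from the Chinese text): The audit found that the factory had not established a corresponding disciplinary procedure for employees who abuse the IT system.
Corrective Action Plan: Establish a management policy for computer operators that sets out employee discipline, sanctions and related rules.
Implementation Steps and Documentation Needs: Implement the management policy for computer operators; give appropriate sanctions to employees who breach discipline; prevent recurrence and keep records.
Responsible Individual: YYY

6 Security Training AND Threat Awareness

Clause 6.1
Original Clause Requirement: The company has integrated security training into its new employee orientation, and periodic refresher training is provided to existing employees.
Level of Non-Conformance: Within Six Months
Audit Findings: It was noted that the factory did not provide security training to new employees as part of orientation training and did not provide periodic refresher training to existing employees.
Audit Findings (from the Chinese text): The audit found that the factory did not provide new employees with security policy training before they start work, nor periodic refresher training for existing employees.
Corrective Action Plan: 1. Draw up anti-terrorism and security procedures, including information technology. 2. Anti-terrorism and security training and refresher training for employees.
Implementation Steps and Documentation Needs: 1. Carry out the anti-terrorism and security training and refresher training plan and keep records. 2. Senior management reviews the effectiveness of the anti-terrorism and security training and refresher training and makes improvements.
Responsible Individual: YYY

Clause 6.10
Original Clause Requirement: Employees are trained in information system security principles and data integrity.
Level of Non-Conformance: Within Six Months
Audit Findings: It was noted that the factory did not provide the training about information system security principles and data integrity to employees.
Audit Findings (from the Chinese text): The audit found that the factory did not provide employees with training on information security and data security requirements and procedures.
Corrective Action Plan: 1. Draw up anti-terrorism and security procedures that include information security and data security. 2. Training and refresher training for employees on the anti-terrorism and security procedures.
Implementation Steps and Documentation Needs: 1. Implement the anti-terrorism and security procedures, including information security and data security, and keep records. 2. Senior management reviews the effectiveness of training and refresher training and makes improvements.
Responsible Individual: YYY

Clause 6.15
Original Clause Requirement: The security awareness program addresses security procedures, facility security system, unauthorized access, theft prevention and security incident reporting.
Level of Non-Conformance: Within Six Months
Audit Findings: It was noted that the factory did not establish the security awareness program addressing security procedures, facility security system, unauthorized access, theft prevention and security incident reporting.
Audit Findings (from the Chinese text): The audit found that the factory has no security awareness training plan covering security procedures, security systems, control of unauthorized access, anti-theft systems and the security incident reporting mechanism.
Corrective Action Plan: 1. Draw up procedures for anti-terrorism, security, control of unauthorized access, anti-theft systems and the security incident reporting mechanism. 2. Draw up employee training and refresher training on anti-terrorism, security, control of unauthorized access, anti-theft systems and security incidents. 3. Train and retrain employees on anti-terrorism, security, control of unauthorized access, anti-theft systems and security incidents.
Implementation Steps and Documentation Needs: 1. Carry out the training and refresher training on anti-terrorism, security, control of unauthorized access, anti-theft systems and security incident reporting, and record its effectiveness. 2. Senior management reviews the effectiveness of training and refresher training and makes improvements.
Responsible Individual: YYY

Clause 6.16
Original Clause Requirement: Additional security trainings addressing cargo/packed product integrity and container security are provided to employees in shipping and receiving areas.
Level of Non-Conformance: Within Six Months
Audit Findings: It was noted that the factory did not provide additional security trainings addressing cargo/packed product integrity to the employees in shipping and receiving areas.
Audit Findings (from the Chinese text): The audit found that the factory did not provide employees in shipping and receiving areas with additional position-specific training on finished product and cargo integrity.
Corrective Action Plan: 1. Draw up anti-terrorism and security procedures that cover finished product and cargo integrity. 2. Train employees in shipping and receiving areas on anti-terrorism and security matters, including finished product and cargo integrity.
Implementation Steps and Documentation Needs: Implement the anti-terrorism and security procedures, including finished product and cargo integrity, and keep records.
Responsible Individual: YYY

Clause 6.17
Original Clause Requirement: An incentive program is established to encourage the employees to report security violations, anomalies and potential security issues and to recommend improvement measures.
Level of Non-Conformance: Within Six Months
Audit Findings: It was noted that the factory did not establish an incentive program to encourage the employees to report security violations, anomalies and potential security issues and to recommend improvement measures.
Audit Findings (from the Chinese text): The audit found that the factory had not established an incentive mechanism to reward employees who report security incidents, anomalies and potential security incidents and who offer improvement suggestions.
Corrective Action Plan: Draw up an anti-terrorism and security incentive procedure that rewards employees who report security incidents, anomalies and potential security incidents and who offer improvement suggestions.
Implementation Steps and Documentation Needs: Implement the anti-terrorism and security incentive procedure that rewards employees who report security incidents, anomalies and potential security incidents and who offer improvement suggestions, and keep records.
Responsible Individual: YYY

Clause 6.18
Original Clause Requirement: Specific trainings are provided to assist employees in recognition of internal conspiracies, maintaining product integrity and determining unauthorized access.
Level of Non-Conformance: Within Six Months
Audit Findings: It was noted that the factory did not provide specific trainings to assist employees in recognition of internal conspiracies, maintaining product integrity and determining unauthorized access.
Audit Findings (from the Chinese text): The audit found that the factory did not provide employees with supporting special-topic training on recognizing internal conspiracies, maintaining product integrity and recognizing unauthorized access.
Corrective Action Plan: Draw up anti-terrorism and security procedures and training covering recognition of internal conspiracies, maintaining product integrity and recognizing unauthorized access.
Implementation Steps and Documentation Needs: Carry out the anti-terrorism and security training covering recognition of internal conspiracies, maintaining product integrity and recognizing unauthorized access, and keep records.
Responsible Individual: YYY

8 Business Partner Requirements

Clause 8.1
Original Clause Requirement: The company has communicated written security policies/procedures to business partners, i.e. carriers, product component/material suppliers and other sub-contractors.
Level of Non-Conformance: I; Prior to Approval
Audit Findings: It was noted that the factory did not communicate the written security policies/procedures to business partners, i.e. carriers, product component/material suppliers and other sub-contractors.
Audit Findings (from the Chinese text): The audit found that the factory had not communicated its written security policies and procedures to business partners.
Corrective Action Plan: 1. Draw up anti-terrorism and security policies and procedures. 2. Send the anti-terrorism and security policies and procedures to business partners (freight carriers, raw material suppliers, subcontractors).
Implementation Steps and Documentation Needs: Send the anti-terrorism and security policies and procedures and keep records of partners' signed acknowledgments.

Clause 8.2
Original Clause Requirement: The company has a written procedure to select and evaluate business partners based on compliance with C-TPAT security criteria.
Level of Non-Conformance: Prior to Approval
Audit Findings: It was noted that the factory did not establish a written procedure to select and evaluate business partners based on compliance with C-TPAT security criteria.
Audit Findings (from the Chinese text): The audit found that the factory had not established a written procedure for selecting and evaluating business partners based on anti-terrorism security criteria.
Corrective Action Plan: 1. Draw up anti-terrorism and security policies and procedures that cover selecting and evaluating business partners. 2. Re-evaluate and select business partners and keep records.
Implementation Steps and Documentation Needs: Carry out the evaluation and selection of business partners and keep records.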
