1 Customs & Trade Partnership Against Terrorism (C TPAT) Bristol Myers Squibb Company Customs & Trade & Corporate Security Departments
2 As a result of the events of September 11, 2001, the United States Customs and Border Protection (Customs) introduced several new security initiatives, one of which is the Customs Trade Partnership Against Terrorism (C TPAT). This program is a joint government business initiative focusing on strengthening supply chain and border security. Bristol Myers Squibb (BMS) is an active certified and validated participant in this program. BMS is a strong advocate of the C TPAT program. Our commitment to C TPAT continues with our request that your company as a key business partner be actively engaged in this undertaking with us. Your cooperation is essential to the success of BMS participation in C TPAT. As a key business partner, you are requested to ensure the integrity of your security practices by meeting the criteria set forth by C TPAT and to establish procedures to support those security practices on an ongoing basis. Our goal is to enhance and maintain effective security processes and safeguards throughout the global supply chain to ensure the timely delivery of incoming cargo. As a valued supplier to BMS, your support of and participation in the C TPAT program is critical. Better security and safeguards for our products and supplies is an ongoing effort. Your participation and/or membership in this program are a necessity so we therefore request our domestic service providers (carriers, freight forwarders, and brokers) to join C TPAT and request to the extent possible our foreign suppliers and service providers participate in similar security programs sponsored by your respective government agencies. C TPAT Security Criteria BMS expects its suppliers and service providers to evaluate, scrutinize, and develop sufficient security measures within their own supply chain. It is expected that each of our suppliers will notify their plants, offices, and subsidiaries of the C TPAT program and of BMS s participation in it and assess themselves against security criteria established by C TPAT (provided in Appendix I) as well as share these criteria with these other parties. BMS encourages its suppliers to utilize C TPAT assessments, and review procedures with their own suppliers so that there is a trickle down affect of these best practices. Memorandum of Understanding To Our International Business Partners and Service Providers: An executed Memorandum of Understanding (MOU) between BMS and your company is requested (see Appendix II.) If your company has not signed a MOU with BMS with regards to C TPAT, please review and sign the MOU and electronically scan/ it to BMS primary designates for C TPAT: Frank Biviano Director, Corporate Security Kaye Mortensen Director, Custom & Trade
3 Supply Chain Security Questionnaire As an integral part of BMS international supply chain, we are asking that you complete the Supply Chain Security Questionnaire (see Appendix III) that is based upon Customs' current security recommendations for C TPAT. We request you complete the questionnaire for each facility shipping product to BMS or BMS designated location(s) in the U.S. If your facility has not previously filled out and submitted a response to BMS Supply Chain Security Questionnaire, please do so. We would appreciate your questionnaire response electronically. Please return it to Frank and Kaye at the above e mail addresses. Your input will be consolidated with that of the rest of the BMS supply chain to form the BMS supply chain security profile to be submitted to Customs. Please note that the questions asked require simple yes/no responses. All existing written documentation supporting your current procedures and your responses should be available upon request. BMS C TPAT Team comprised of Corporate Security and Customs & Trade may visit your site in the future to validate the responses provided. This information regarding the C TPAT program is provided as part of the Company s efforts to provide timely and effective information concerning the program and our supports our efforts to strengthen our International Supply Chain Security. Please see below the names, addresses, and contact telephone numbers for BMS personnel who are the Company leads for this initiative. Please feel free to contact these individuals to discuss any of the criteria set forth by C TPAT. BMS C TPAT Contacts Frank Biviano Daniel Beaudette Director, Corporate Security Regional Manager, Corporate Security Kaye Mortensen Ann Marie Macchia Director, Custom & Trade Associate Director, Customs & Trade
4 Appendix I C TPAT Security Criteria Business Partner Requirement Security procedures Business partners eligible for C TPAT certification (domestic carriers, ports, terminals, brokers, consolidators, etc.) should provide documentation (e.g., C TPAT certificate, SVI number, etc.) indicating whether they are or are not C TPAT certified to BMS. Point of Origin Business partners should develop security processes and procedures consistent with the C TPAT security criteria to enhance the integrity of the shipment at point of origin. Participation / Certification in Foreign Customs Administrations Supply Chain Security Programs Business partners who have obtained a certification in a supply chain security program being administered by foreign Customs Administration should provide their status of participation to BMS. Container Security Container integrity must be maintained to protect against the introduction of unauthorized material and/or persons. At point of stuffing, procedures must be in place to properly seal and maintain the integrity of the shipping containers. A high security seal must be affixed to all loaded containers bound for the U.S. All seals must meet or exceed the current PAS ISO standards for high security seals. Container Inspection Procedures must be in place to verify the physical integrity of the container structure prior to stuffing, to include the reliability of the locking mechanisms of the doors. A seven point inspection process is recommended for all containers: Front wall Left side Right side Floor Ceiling/Roof Inside/outside doors Outside/Undercarriage Container Seals Written procedures must stipulate how seals are to be controlled and affixed to loaded containers to include procedures for recognizing and reporting compromised seals and/or containers to US Customs and Border Protection or the appropriate foreign authority. Only designated employees should distribute container seals for integrity purposes. Container Storage Containers must be stored in a secure area to prevent unauthorized access and/or manipulation. Procedures must be in place for reporting and neutralizing unauthorized entry into containers or container storage areas.
5 Physical Access Controls Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees, visitors, and vendors at all points of entry. Employees An employee identification system must be in place for positive identification and access control purposes. Employees should only be given access to those secure areas needed for the performance of their duties. Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges. Procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented. Visitors Visitors must present photo identification for documentation purposes upon arrival. All visitors should be escorted and visibly display temporary identification. Deliveries (including mail) Proper vendor ID and/or photo identification must be presented for documentation purposes upon arrival by all vendors. Arriving packages and mail should be periodically screened before being disseminated. Challenging and Removing Unauthorized Persons Procedures must be in place to identify, challenge and address unauthorized/unidentified persons. Personnel Security Processes must be in place to screen prospective employees and to periodically check current employees. Pre Employment Verification Application information, such as employment history and references must be verified prior to employment. Background checks / investigations Consistent with foreign, federal, state, and local regulations, background checks and investigations should be conducted for prospective employees. Once employed, periodic checks and reinvestigations should be performed based on cause, and/or the sensitivity of the employee s position. Personnel Termination Procedures Companies must have procedures in place to remove identification, facility, and system access for terminated employees. Procedural Security Security measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo in the supply chain. Documentation Processing Procedures must be in place to ensure that all information used in the clearing of merchandise/cargo, is legible, complete, accurate, and protected against the exchange, loss or introduction of erroneous information. Documentation control must include safeguarding computer access and information.
6 Manifesting Procedures To help ensure the integrity of cargo received from abroad, procedures must be in place to ensure that information received from business partners is reported accurately and timely. Shipping & Receiving Arriving cargo should be reconciled against information on the cargo manifest. The cargo should be accurately described, and the weights, labels, marks and piece count indicated and verified. Departing cargo should be verified against purchase or delivery orders. Drivers delivering or receiving cargo must be positively identified before cargo is received or released. Cargo Discrepancies All shortages, overages, and other significant discrepancies or anomalies must be resolved and/or investigated appropriately. Customs and/or other appropriate law enforcement agencies must be notified if illegal or suspicious activities are detected as appropriate. Security Training and Threat Awareness A threat awareness program should be established and maintained by security personnel to recognize and foster awareness of the threat posed by terrorists at each point in the supply chain. Employees must be made aware of the procedures the company has in place to address a situation and how to report it. Additional training should be provided to employees in the shipping and receiving areas, as well as those receiving and opening mail. Additionally, specific training should be offered to assist employees in maintaining cargo integrity, recognizing internal conspiracies, and protecting access controls. These programs should offer incentives for active employee participation. Physical Security Cargo handling and storage facilities in domestic and foreign locations must have physical barriers and deterrents that guard against unauthorized access. Importers should incorporate the following C TPAT physical security criteria throughout their supply chains as applicable. Fencing Perimeter fencing should enclose the areas around cargo handling and storage facilities. Interior fencing within a cargo handling structure should be used to segregate domestic, international, high value, and hazardous cargo. All fencing must be regularly inspected for integrity and damage. Gates and Gate Houses Gates through which vehicles and/or personnel enter or exit must be manned and/or monitored. The number of gates should be kept to the minimum necessary for proper access and safety. Parking Private passenger vehicles should be prohibited from parking in or adjacent to cargo handling and storage areas. Building Structure Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair. Locking Devices and Key Controls All external and internal windows, gates and fences must be secured with locking devices. Management or security personnel must control the issuance of all locks and keys. Lighting Adequate lighting must be provided inside and outside the facility including the following areas: entrances and exits, cargo handling and storage areas, fence lines and parking areas.
7 Alarms Systems & Video Surveillance Cameras Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling and storage areas. Information Technology Security Password Protection Automated systems must use individually assigned accounts that require a periodic change of password. IT security policies, procedures and standards must be in place and provided to employees in the form of training. Accountability A system must be in place to identify the abuse of IT including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse.
8 Appendix II BRISTOL MYERS SQUIBB COMPANY CUSTOMS & TRADE PARTNERSHIP AGAINST TERRORISM (C TPAT) AGREEMENT BETWEEN BRISTOL MYERS SQUIBB COMPANY AND [INSERT BMS BUSINESS PARTNER NAME] TO VOLUNTARILY PARTICIPATE IN C TPAT This Agreement is made between [INSERT BMS BUSINESS PARTNER NAME] and Bristol Myers Squibb Company (hereinafter referred to as BMS ). This Agreement between [INSERT BMS BUSINESS PARTNER NAME] and BMS is intended to enhance the joint efforts of each of these entities to develop a more secure global supply chain environment by focusing on the physical security of the production, transportation, and importation of BMS merchandise. [INSERT BMS BUSINESS PARTNER NAME] and BMS recognize the need to address these security issues in order to maintain an efficient and compliant import and export process. [INSERT BMS BUSINESS PARTNER NAME] and BMS agree to review and identify necessary security enhancements, and to develop and implement a verifiable, documented program to maintain a secure global supply chain for BMS. Specifically, [INSERT BMS BUSINESS PARTNER NAME] agrees to: 1. Sign and return this agreement to BMS Corporate Security with copy to BMS Customs & Trade: Frank Biviano Director, Corporate Security Kaye Mortensen Director, Customs & Trade 2. Complete and electronically return to the above referenced individuals a completed and signed Confidential Security Profile Questionnaire within thirty (30) days of receipt. 3. Implement security and/or trade compliance improvement programs as determined by BMS and/or the U.S. Customs and Border Protection. [VP, Corporate Security] Bristol Myers Squibb Company [Name and Title] [Company Name] [Date] [Date]
9 Appendix III C TPAT Supply Chain Security Questionnaire 1.0 SECURITY PROCEDURES Yes No N/A 1.1 Point of Origin Does your facility utilize one of BMS's preferred freight forwarders (UTi or DHL/Danzas) for shipments to BMS or BMS' designated location in the US? If not, does your facility utilize a C TPAT certified freight forwarder, NVOCC or carrier to manage your shipments to BMS in the US? Does your facility have written security procedures? Do the written security procedures address how security problems are reported should they occur? Do the written security procedures address how security problems are corrected should they occur? 1.2 Participation/Certification in Foreign Customs Administrations Supply Chain Security Programs Does Customs or other regulatory agency in the country from which your facility ships goods to the United States support or sponsor any supply chain security or anti terrorism programs that your facility is eligible to participate in? [If yes, please type the name of the program and support or sponsor agency name in this space.] Is your facility certified in this program? 2.0 CONTAINER SECURITY 2.1 Container Inspection Does your facility ship full containers, trailers or rail car tanks to BMS or BMS's designated location in the United States? If "no," proceed to Section Do you ship full containers via ocean? Do you ship full truck loads via truck? Do you ship full tanker cars via rail?
10 2.1.2 Does your facility have written procedures that require verification of the container's physical integrity before it is loaded? Does your facility perform a seven point inspection process for all incoming and outbound containers before unloading or loading? (front wall, left side, right side, ceiling, inside/outside doors, outside/undercarriage) Does your facility have written procedures that require the verification of the reliability of the locking mechanisms of the doors of outbound containers? 2.2 Container Seals Does your facility have written procedures that address the sealing of containers, trailers or rail cars (hereinafter "containers")? Do the procedures address affixing seals to the container? Do the procedures address replacing container seals? Do the procedures address recording seals? Do the procedures address the tracking of the seals? Do the procedures address reporting of compromised seals to the appropriate authorities? Do the procedures require the seals exceed the PAS ISO high security seal standards? Do the procedures limit the employees who can distribute container seals? 2.3 Container Storage Does your facility have written procedures that address how empty and loaded containers are to be stored on your facility? Do the procedures address reporting of compromised containers to the appropriate authorities? 3.0 PHYSICAL ACCESS CONTROLS 3.1 Employees Are there restricted access locations on your facility? Is access to offices restricted?
11 Is access to warehouses restricted? (Answer "n/a" if your facility does not have a warehouse.) Is access to manufacturing restricted? (Answer "n/a" if your facility does not have manufacturing facilities.) Does your facility have procedures that require all personnel on the premises to be positively identified? Are facility employees required to wear identification badges? Are contractors required to wear identification badges identifying the individual as a contractor? Does your facility have written procedures for the issuance, removal and changing of access devices (e.g. badge access cards, etc)? 3.2 Visitor Controls Are visitors required to present photo identification upon arrival? Are visitors required to wear identification badges identifying the individuals as visitors? Are visitors required to sign in upon entering the facility? Are visitors required to sign out upon leaving the facility? Are visitors required to be escorted while at the facility? 3.3 Deliveries (including mail) Does your facility have written procedures that address how incoming and outgoing cargo is to be protected from unauthorized access? Does your facility have written procedures that restrict unauthorized persons from accessing the facility's premises? Does your facility have procedures that require proper vendor ID and or photo identification for deliveries? Does your facility have procedures that require vehicles to check in when accessing the premises? Does your facility record vehicles' entrance times? Does your facilty record vehicles' exit times?
12 3.3.4 Does your facility direct delivery vehicles through entrances and exits that separate from the primary entrance(s) and exit(s) used by employees, contractors and visitors? May vehicles be searched upon entering the premises? May vehicles be searched upon exiting the premises? Does your facility periodically screen arriving packages and mail before distribution? Does your facility x ray incoming mail? 3.4 Challenging and Removing Unauthorized Persons Does your facility have written procedures in place to identify, challenge and address unauthorized/undentified persons on the premises? Does your facility have written procedures requiring employees to report unauthorized persons to Company officials? 4.0 PERSONNEL SECURITY 4.1 Pre Employment Verification Are written procedures in place that direct how prospective employees will be screened? Is application information such as employment history and references verified prior to employment? 4.2 Background Checks / Investigations Are background checks permitted in your country? Are background checks conducted on potential employees? Are background checks conducted on current employees for cause and/or sensitivity of employees position? Are employees required to account for their attendance? Does your facility have an internal code of conduct for employee behavior? Does your facility have written procedures for reporting and managing employee security issues? 4.3 Personnel Termination Procedures
13 4.3.1 Identification badges and access devices Are written procedures in place that control the issuance and retrieval of identification badges and access devices upon hire, termination and change in job position? 4.4 Computer System Access Are written procedures in place that control the issuance and revocation of access to your facilities computer systems upon hire, termination and change in job position? 5.0 PROCEDURAL SECURITY 5.1 Manifesting Procedures Does your Shipping department receive an advance notice of what will be shipped each day from your facility? Does your facility provide BMS, BMS' designated location, the foreign carrier or freight forwarder copies of shipping documentation (e.g, invoices, packing lists) as prior notice at least twenty four hours in advance of the freight shipping from your facility? 5.2 Shipping & Receiving Are written procedures in place to ensure that the correct cargo is shipped to BMS or BMS's designated location? Do the procedures require verification that the product shipped matches the description(s) on the shipping documents? Do the procedures require verification that the quantities shipped match the quantities on the shipping documents? 5.3 Cargo Discrepancies Are written procedures in place that direct, as appropriate, your facility to notify the customs broker, carrier, shipper or law enforcement of any discrepancies between what was shipped and what is received by BMS or BMS's designated location? 6.0 SECURITY TRAINING AND THREAT AWARENESS 6.1 Does your facility provide security training and threat awareness training for employees? If "no," proceed to Section 7.0.
14 6.1.1 Indicate which of the following topics are included in the program: Internal conspiracies? Product integrity? Unauthorized access to the premises? Are all new employees required to attend the program? Are current employees required to attend ongoing security awareness training? Are attendance records maintained for employees that attended the training? 7.0 PHYSICAL SECURITY 7.1 Fencing Does your facility have perimeter fencing which at the minimum encloses the areas around cargo handling and storage facilities? Does your facility have interior fencing within the cargo handling structure used to segregate domestic, international, high value and hazardous cargo? Is the fencing regularly inspected for integrity and damage? 7.2 Gates and Gate Houses Does your facility have gates which restrict vehicle and/or personnel access to the premises? Are the gates manned and/or monitored by cameras? hours per day? During operational hours? During non operational hours? 7.3 Parking Does the facility have designated parking areas for visitors that is separate from employee parking? Are the parking areas separate from any place where cargo may be: Stored?
15 Staged? Loaded? Unloaded? 7.4 Building Structure Are your facility buildings constructed of materials that resist unlawful entry? Is the integrity of your structures maintained by periodic inspection and repair? 7.5 Locking Devices and Key Controls Are all external and internal windows, gates and fences secured with locking devices? Is the issuance of all locks and keys controlled by management or security personnel? 7.6 Lighting Do all buildings have adequate lighting? Do all building premises (e.g., entrances, exits, cargo handling and storage areas, fence lines, parking areas) have adequate lighting? 7.7 Alarm Systems & Video Surveillance Cameras Does the facility have alarms? Do the alarms secure: Doors? Windows? Docks? Vaults? Other? When activated, do the alarms: Emit an audible alarm?
16 Directly alert security (e.g., via pager)? Electronically notify a monitoring station that may dispatch appropriate law enforcement? Directly notify law enforcement? Does the site have security cameras? Do the cameras cover the following areas: Entrances & exits? Cargo storage areas? Loading & unloading docks? Parking areas? Fence lines? Do the cameras record? Are the recordings maintained for a preset period of time? 8.0 INFORMATION TECHNOLOGY SECURITY 8.1 Password Protection Does your facility have written policies, procedures and standards to manage information technology security? Do your procedures require periodic password changes for individually assigned system access accounts? Is information technology security training provided to employees? 8.2 Accountability Does your facility have a system in place to identify the abuse of IT including improper access, tampering ot the altering of business data? Are systems violators subject to appropriate disciplinary actions for abuse? Physical Address of Manufacturing and Shipping Locations
17 Please provide the physical address of your manufacturing locations and shipping locations in the following spaces: (name and address) Manufacturing Site: (name and address, if different from above) Shipping Location: Comments: Please provide any additional information you feel will clarify your facility's responses to this questionnaire in the following space: [Please type comments here.] Name: Title: Phone #: E mail Address: Date: Primary Contact and Date Please provide the name and contact information for the individual who can best answer any questions BMS might have regarding your facility responses to this questionnaire and today's date: I AFFIRM THAT THE INFORMATION CONTAINED HEREIN IS COMPLETE AND TRUE TO THE BEST OF MY KNOWLEDGE AND BELIEF. Signature
18 Print Name Title Date Company Name Site Name Street Address City State/Province Country Zip Code