Rx-360 Supply Chain Security Template -- Requirements for Third Party Logistics Providers 6 June 2012


This template is a tool developed to assist manufacturer clients with applying the concepts in the Rx-360 Supply Chain Security White Paper: Audits and Assessments of Third Party Warehousing and Distribution Facilities. The template requirements document is formatted so that it can quickly be edited and included as an addendum to a contract, or used as a points-to-consider document when formulating a supply chain security standard for the warehousing and distribution segment of the supply chain.

Supply Chain Security Requirements - Table of Contents

1 Supply Chain Security Requirements
  1.1 Document Scope
    1.1.1 Sub-contractor Compliance
  1.2 General Requirements
    1.2.1 Statement of Confidentiality
    1.2.2 Restrictions for the Purchase, Sale and Shipment of <COMPANY NAME>
    1.2.3 Sourcing of Components Required for <COMPANY NAME> Products
    1.2.4 National Cargo Security Program Requirements
    1.2.5 Sub-contractor Approval
    1.2.6 External Security Providers
  1.3 Physical Security
    1.3.1 Site Security Personnel
    1.3.2 Employee Searches
    1.3.3 Construction
    1.3.4 Secured Points of Entry
    1.3.5 Facility Inspections
    1.3.6 Lighting
    1.3.7 Video Surveillance and Monitoring Systems
    1.3.8 Communication
    1.3.9 Alarm System
    1.3.10 Auxiliary Power System
    1.3.11 Perimeter Barrier
    1.3.12 Perimeter Fencing
    1.3.13 Private Vehicle Control
    1.3.14 <COMPANY NAME> Internal Storage Area Requirements
  1.4 Access Control
    1.4.1 Visitor Identification
    1.4.2 Visitor Chaperoning
    1.4.3 Identification Badges
    1.4.4 Verification of Identity
  1.5 Records and Logs
    1.5.1 Security Records
    1.5.2 Employee Records
    1.5.3 Video Surveillance Logs
    1.5.4 Computer System Logs
    1.5.5 Site Access Records and Logs
    1.5.6 Driver and Vehicle Information Required for Transport
    1.5.7 Tracking Records
    1.5.8 Scrap and Destroy Records
    1.5.9 Inventory and Use Records of <COMPANY NAME> Goods
    1.5.10 Inventory Records of Cargo Shipments
  1.6 Procedural Security
    1.6.1 Data Access Policy and Procedures
    1.6.2 Disaster Recovery Plan
    1.6.3 Business Continuity Plan
    1.6.4 Security Incident Procedures
    1.6.5 User Account Procedures
    1.6.6 Internal Access Control Procedures
    1.6.7 Cargo Security Standards
  1.7 Personnel Security
    1.7.1 Employees Handling <COMPANY NAME> Product or Intellectual Property
    1.7.2 Retention of Training Records
  1.8 Cargo Security
    1.8.1 On-site Cargo Security
    1.8.2 Controlling Access to Cargo
  1.9 Control of <COMPANY NAME> Goods in the Facility
    1.9.1 Storage of <COMPANY NAME> Goods
    1.9.2 Access to <COMPANY NAME> Goods
  1.10 Returned and Rejected Product
    1.10.1 Mandatory Scrap and Destruction
    1.10.2 Destruction of Scrap and Returns
  1.11 Reporting and Notification
    1.11.1 Good Distribution Practices Violations
    1.11.2 Supply Chain Security Requirements Violations
    1.11.3 Notification of Damage or Loss
    1.11.4 Firewall Access Violations
    1.11.5 After-hours Alarm Notification List
    1.11.6 Scrap Recycling List
    1.11.7 Employee Background Issues
    1.11.8 Use of Sub-contracted Individuals or Equipment
    1.11.9 Security Incidents
    1.11.10 Solicitations by Unauthorized Sellers
    1.11.11 Unusual Discrepancies in Sales or Orders
    1.11.12 Reporting Violations of Government Regulations
    1.11.13 Reporting Revisions of this Document
  1.12 Information Protection
    1.12.1 Information Security Management
    1.12.2 Protected Access to <COMPANY NAME> Confidential Information
    1.12.3 Environmental Controls
    1.12.4 Fire Suppression
2 Appendices

1 Supply Chain Security Requirements

In performing services hereunder, Vendor shall comply with <COMPANY NAME>'s Supply Chain Security (SCS) requirements (this document), which may be amended from time to time by <COMPANY NAME> in its sole discretion. Vendor shall use its best efforts, which shall in no event be less than generally accepted industry standards, to ensure the safety and security of <COMPANY NAME> products while such products are in the possession and control of Vendor or its <COMPANY NAME>-approved subcontractor pursuant to this Agreement. Vendor shall report any loss of or damage to any <COMPANY NAME> product or its packaging, and any violation of the SCS Requirements, within twenty-four (24) hours of becoming aware of such loss, damage or violation.

1.1 Document Scope

Except where noted, the following requirements apply to all packagers, manufacturers, suppliers, contracted carriers, testing laboratories, customs brokerages and distributors ("Vendors") of <COMPANY NAME> product, whether in finished or unfinished, packaged or unpackaged form, including the handling of any components of said finished or unfinished products, including but not limited to API, excipients, packaging, package inserts, labels, and any raw materials required to produce the same (collectively, "<COMPANY NAME> Goods").

1.1.1 Sub-contractor Compliance

The requirements set forth herein also apply to any <COMPANY NAME>-approved sub-contractors used by Vendors engaged in any aspect of handling <COMPANY NAME> Goods, to the same extent that they apply to Vendors. It is the responsibility of all Vendors to ensure that their own sub-contractors fully comply with the provisions of this document.

1.2 General Requirements

1.2.1 Statement of Confidentiality

Vendor must have appropriate confidentiality agreements on file.

1.2.2 Restrictions for the Purchase, Sale and Shipment of <COMPANY NAME>

Segregation of duties must apply in all instances where such activities occur (i.e., the person ordering goods cannot be the person receiving goods). Orders and receipts must also be tracked.

1.2.3 Sourcing of Components Required for <COMPANY NAME> Products

Vendor may only source components required for <COMPANY NAME> products from suppliers authorized by <COMPANY NAME>.

1.2.4 National Cargo Security Program Requirements

- Vendor is either a participant in the C-TPAT program or the applicable foreign equivalent national cargo security program (PIP, AEO, etc.), or at a minimum satisfies <COMPANY NAME>'s minimum Supply Chain Security requirements.
- Vendor is already an approved member of the applicable national cargo security program, or has signed a memorandum of understanding ("MOU") with <COMPANY NAME> guaranteeing Vendor compliance with <COMPANY NAME>'s specified minimum security criteria.
- Vendor has completed <COMPANY NAME>'s Security Profile Questionnaire.

1.2.5 Sub-contractor Approval

All sub-contractors used by Vendors to handle <COMPANY NAME> Goods must be approved by <COMPANY NAME> before any work is performed.

1.2.6 External Security Providers

In the event that an external firm is retained to provide security for facilities that house <COMPANY NAME> Goods or IP, said firm must be licensed to the full extent required under applicable laws, and must have no business connection with any firm providing temporary staff to the authorized supplier.

1.3 Physical Security

Facilities shall include the following security features.

1.3.1 Site Security Personnel

One point of contact for site security is required. This point of contact must develop relationships with the local law enforcement agencies in order to encourage timely response to incidents at the LSP site, facilitate receipt of crime trends and other intelligence received by local law enforcement that potentially affects the site's risk assessment, and allow for the exchange of information with neighboring entities. For staffed points of entry, a guard must be present to allow site access during working hours.

1.3.2 Employee Searches

To detect or deter internal theft, a bag/pocket check should take place at the beginning and end of each shift, or as employees enter and leave the premises.

1.3.3 Construction

The material construction of the facility, including doors, windows, skylights and all potential points of entry, must be suitable to withstand forced entry.

1.3.4 Secured Points of Entry

Locking devices are required on all potential points of entry, including visitor access, shipping and receiving access, fire exits and roof hatches. All points of entry must be closed and locked except as necessary for normal operations. All windows and skylights must have security screens. Warehouse exit doors and dock doors must resist forced entry. Dock and warehouse door hinges must be pinned or welded.

1.3.4.1 Unstaffed Points of Entry

Unstaffed access points must be:
- Locked
- Covered by security screens
- Alarmed

1.3.5 Facility Inspections

Structures and fencing must undergo regular inspections.

1.3.6 Lighting

Lighting must be adequate to identify all persons entering and exiting the facility and parking areas using the video monitoring system. Lighting must be on constantly, twenty-four (24) hours per day.

1.3.7 Video Surveillance and Monitoring Systems

The resolution of live and recorded surveillance images must be good enough to clearly recognize individuals. Video surveillance must be maintained 24 hours per day and must cover all sides of the facility and all potential points of entry. Video must be both monitored in real time and recorded. The surveillance system must include continuous date and time stamping. Video recording must be on digital media rather than analog tape.

1.3.7.1 Maintenance and Inspection

The surveillance system must be inspected and tested no less than monthly. Repairs and adjustments must be made immediately upon detection of damage, malfunction or misalignment. Procedures must be in place for manual testing of systems or equipment.

Video and audio surveillance media must be stored for a minimum of 30 days from the time of recording, unless they document an event. Audio and video media documenting an event must be retained indefinitely. An event is defined as any breach of security or any deviation from the requirements of this addendum.

1.3.7.2 Location

Cameras must be installed:
- At a height sufficient to prevent tampering
- In an environmentally protective housing
- With conduit to protect cabling into and out of the cameras

Video surveillance equipment and media must be kept in a secure location. Video media must be stored in a secure internal location separate from the recording equipment.

1.3.8 Communication

The facility must have internal and external communications systems that connect to internal security and local police.

1.3.9 Alarm System

The alarm system must be physically wired and include motion-detection sensors. Glass-break detectors must be used wherever necessary, particularly on ground floor windows or other windows that can be easily accessed. The alarm control system must be placed in a secure location.

1.3.9.1 Maintenance and Inspection

The alarm system must be inspected and tested regularly. Repairs and adjustments must be made immediately upon detection of damage, malfunction or misalignment. Procedures must be in place for manual testing of systems or equipment.

1.3.10 Auxiliary Power System

There must be a back-up power system for alarm systems and video surveillance equipment.

1.3.11 Perimeter Barrier

A perimeter barrier which defines site boundaries while deterring and delaying intruders from entering the site anywhere other than at designated entry points is required. The focus of the first layer of security is the perimeter barrier, i.e. a fence, wall, or combination thereof.

1.3.12 Perimeter Fencing

- The facility perimeter must be fenced.
- Perimeter fencing and the fence topper must be free of vegetation and in a good state of repair.
- Fencing must be far enough from adjacent structures to prevent site access from them.
- Perimeter fencing must be at least 8 feet high, not including the height of the fence topper.
- Perimeter fencing must have a four-strand or five-strand barbed wire or razor wire fence topper. If the fence topper is barbed wire, it must be angled at 45 degrees outward from the facility.
- Perimeter fencing must completely enclose the facility, penetrated only at designated access points.
- Vegetation must be cleared for ten meters on both sides of the perimeter fencing.
- There can be no view blocks (outbuildings, vehicles, etc.) along the perimeter fencing. Camera and guard views along the perimeter fencing and the cleared adjacent space must not be obstructed.
- Perimeter fencing must be patrolled by Security, and adequate CCTV coverage should be installed.

1.3.13 Private Vehicle Control

Private vehicles must be parked in a fenced parking area that is physically separate from facilities housing <COMPANY NAME> Goods or IP. The Vendor must also institute a registration system for all vehicles permitted access to said parking area. In no event will private vehicles be permitted in or next to cargo handling locations. The fenced private parking area should be outside of the Vendor's facility. No private vehicles are permitted to enter the facility unless they are searched on entry and exit.

1.3.14 <COMPANY NAME> Internal Storage Area Requirements

<COMPANY NAME> storage areas must be located within the confines of the facility and must be kept closed and locked.

1.4 Access Control

1.4.1 Visitor Identification

The identity of all visitors must be verified against government-issued photographic identification before they are granted access to facilities housing <COMPANY NAME> Goods or IP.

1.4.2 Visitor Chaperoning

Visitors must be accompanied at all times by an authorized employee when in facilities housing <COMPANY NAME> Goods or devices containing <COMPANY NAME> IP. Visitors and vendors accessing secure internal locations housing <COMPANY NAME> Goods or devices containing <COMPANY NAME> IP must be accompanied by an authorized employee. Vendor shall maintain an electronic visitor log and retain all visitor records for 12 months.

1.4.3 Identification Badges

Photo or serialized ID badges must be provided to all personnel and visitors. Access to the card issuance system must be controlled.

1.4.4 Verification of Identity

The identity of all personnel or visitors granted access to the facility must be verified by electronic means or directly by security staff.

1.5 Records and Logs

This section addresses the records and logs required of all Vendors and sub-contractors, as applicable.

1.5.1 Security Records

Records of Security personnel are to be kept indefinitely unless and until instructed to the contrary by <COMPANY NAME>. Personnel records must also be kept for external Security personnel.
1.5.2 Employee Records

The following records must be kept for both Vendor and sub-contractor employees:
- Employee terminations
- Employees ordering <COMPANY NAME> Goods or <COMPANY NAME> IP
- Employees receiving goods
- Employees shipping goods
- Training records

1.5.3 Video Surveillance Logs

Video surveillance equipment maintenance and testing must be recorded in a log. Each camera must have an operational specification written on it, and the officers must audit each camera no less than monthly to ensure that it is performing as required.

1.5.4 Computer System Logs

All computer systems containing <COMPANY NAME> IP, and the critical computing resources on which they depend, must be logged and tracked in accordance with applicable laws and regulations. Access control logs must be reviewed every 60 days to verify that only users with valid business reasons and existing management approval have access to systems containing <COMPANY NAME> IP. Computer log files must be retained for at least 60 days.

1.5.5 Site Access Records and Logs

1.5.5.1 Site Visitor Log

A site visitor log documenting all visitors and vendors is required. All visitor records must be retained for a period of 12 months.

1.5.5.2 Controlled Access Records and Logs

The following controlled access records and logs are required:
- Access code logging
- Access code/key possession records
- Controlled access log
- Digital access log

Controlled access records must be reviewed for irregularities every 12 months and updated for every change of access. Digital access logs must be reviewed every 60 days.

1.5.6 Driver and Vehicle Information Required for Transport

The following records must be kept for each shipment of <COMPANY NAME> Goods:
- Driver name and license records
- Vehicle license record
- Cargo seal serial number log
- Date and time of cargo pick-up

1.5.7 Tracking Records

GPS tracking records must be kept for each shipment of <COMPANY NAME> Goods and retained for a period of 12 months.

1.5.8 Scrap and Destroy Records

The following applicable records must be kept for scrapped <COMPANY NAME> Goods or IP:
- Scrapped <COMPANY NAME> Goods records
- Scrapped <COMPANY NAME> IP records

1.5.9 Inventory and Use Records of <COMPANY NAME> Goods

Vendors shall regularly reconcile physical inventories of <COMPANY NAME> Goods against inventory records and report any discrepancies to <COMPANY NAME> as security incidents.

1.5.10 Inventory Records of Cargo Shipments

Vendors shall keep records of each cargo shipment including, at a minimum:
- Name of shipper/consignee
- Description of shipment
- Weight of shipment
- Number of units shipped
- Shortages/overages, if any
- Dates (shipment and receipt)
- Accompanying documentation
- Customs manifests, if any

In addition:
- Seals must be tracked and verified
- Each shipment must be compared to its shipment manifest

1.6 Procedural Security

All Vendors must create written plans, standards or procedures addressing each of the following topics, as applicable. All such written documentation must be submitted to the attention of the Vendor's <COMPANY NAME> account manager within sixty (60) days of receipt of this contract, for <COMPANY NAME>'s approval.

1.6.1 Data Access Policy and Procedures

The data access policy must require password protection of systems. Procedures must ensure that user accounts and passwords used to access these systems are not posted, otherwise distributed, or shared by more than one person. Procedures that establish and maintain the authorization mechanisms which control data access are required.

1.6.2 Disaster Recovery Plan

Disaster Recovery Plans must include:
- Details of all physical systems
- Details of information systems
- Details of network security processes and requirements
- A list of all persons to be contacted whenever a disaster or other business-affecting event necessitates it. The contact list must be updated whenever changes occur and reviewed for accuracy every three months.

Disaster Recovery Plans must be printed out and stored in secure on-site and off-site locations.

1.6.3 Business Continuity Plan

The Business Continuity Plan must meet the requirements specified in the SCS Contract.

1.6.4 Security Incident Procedures

Security incident documentation must include:
- Provisions to escalate incidents
- Emergency contact information for both <COMPANY NAME> and the Vendor
- A Security Incident report, including a management review of said report

1.6.5 User Account Procedures

Procedures to create, maintain and terminate user accounts must be included in the Vendor's Network Security document.
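Section 1.6.1 requires that accounts and passwords are not shared by more than one person, but a policy statement alone does not catch a warehouse crew passing one login around. The following is an added example, not part of the Rx-360 template, of the check a reviewer would run over the system's authentication log: one account holding overlapping sessions from different workstations. The log line format, host names, user names and sample lines are all constructed for the illustration.

```python
"""Detect accounts that appear to be shared by more than one person.

Added illustration, not part of the Rx-360 template: the template requires that
accounts and passwords not be shared (1.6.1) but gives no test for it. This scans
an authentication log for one account holding overlapping sessions from different
workstations, the usual symptom of a shared password. The log format and the
sample lines below are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Hypothetical log format: "<ISO timestamp> LOGIN|LOGOUT user=<name> src=<host> session=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) session=(?P<sid>\S+)$"
)


@dataclass
class Session:
    user: str
    src: str
    sid: str
    start: datetime
    end: Optional[datetime] = None  # None until a LOGOUT for this session id is seen


# Constructed sample log: dock01 is logged in from two workstations at the same time,
# jsmith logs out of one session before starting the next on the same workstation.
SAMPLE_LOG = [
    "2012-06-06T08:01:12 LOGIN user=jsmith src=wh-ws-04 session=s1",
    "2012-06-06T08:03:40 LOGIN user=dock01 src=wh-ws-07 session=s2",
    "2012-06-06T08:04:00 PASSWORD_CHANGE user=jsmith",  # unrelated event type, skipped
    "2012-06-06T08:05:09 LOGIN user=dock01 src=wh-ws-11 session=s3",
    "2012-06-06T08:30:00 LOGOUT user=jsmith src=wh-ws-04 session=s1",
    "2012-06-06T08:31:00 LOGIN user=jsmith src=wh-ws-04 session=s4",
    "2012-06-06T09:10:00 LOGOUT user=dock01 src=wh-ws-07 session=s2",
    "2012-06-06T12:00:00 LOGOUT user=dock01 src=wh-ws-11 session=s3",
    "2012-06-06T16:00:00 LOGOUT user=jsmith src=wh-ws-04 session=s4",
]


def parse_sessions(lines: List[str]) -> List[Session]:
    """Pair LOGIN/LOGOUT lines by session id; lines in any other format are ignored."""
    open_by_sid: Dict[str, Session] = {}
    sessions: List[Session] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if m["event"] == "LOGIN":
            s = Session(m["user"], m["src"], m["sid"], ts)
            open_by_sid[m["sid"]] = s
            sessions.append(s)
        else:
            s = open_by_sid.pop(m["sid"], None)
            if s is not None:
                s.end = ts
    return sessions


def find_shared_accounts(sessions: List[Session]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {user: [(session_id, session_id), ...]} for every pair of sessions of the
    same account that overlap in time and come from different source hosts.
    A session with no LOGOUT is treated as still open, so it overlaps every later one."""
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for user, user_sessions in by_user.items():
        user_sessions.sort(key=lambda s: s.start)
        for i, a in enumerate(user_sessions):
            for b in user_sessions[i + 1:]:
                if a.end is not None and b.start >= a.end:
                    break  # later sessions start later still, so none can overlap a
                if b.src != a.src:
                    findings.setdefault(user, []).append((a.sid, b.sid))
    return findings


def audit_sample() -> Dict[str, List[Tuple[str, str]]]:
    """Run the check over the constructed sample log."""
    return find_shared_accounts(parse_sessions(SAMPLE_LOG))


if __name__ == "__main__":
    for user, pairs in audit_sample().items():
        print(f"{user}: overlapping sessions from different hosts {pairs}")
```

Two sessions from the same workstation are deliberately not flagged (one person with two windows open), and a session that never logs out is treated as still open rather than ignored, since an abandoned dock terminal is exactly the case where a second person starts using the account.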
1.6.6 Internal Access Control Procedures

Internal access control procedures must address:
- Site access
- Visitor control
- Video surveillance and monitoring
- Alarm and access control systems monitoring and response

1.6.7 Cargo Security Standards

Cargo security documentation must include:
- Procedures for the use and verification of high security seals
- Procedures for verifying the physical integrity of trucks, trailers, containers, rail cars, and aircraft
- Procedures for verifying the reliability of locking mechanisms on all transportation
- Procedures to ensure that:
  - All outbound shipments are destined to an authorized location
  - Shipments are scheduled for delivery during normal business hours, unless a shipment has a specific receiving procedure in place prior to shipment

1.7 Personnel Security

This section contains requirements for Vendor and sub-contractor employees who may come into contact with <COMPANY NAME> Goods or IP. Sub-contractors and their employees must meet the same criteria set for <COMPANY NAME> Vendors and their employees.

1.7.1 Employees Handling <COMPANY NAME> Product or Intellectual Property

Vendor agrees to use proprietary, full-time employees, and to avoid using any sub-contracted individuals or equipment without first notifying a representative of <COMPANY NAME>. Vendor must verify that all employees have successfully passed a drug analysis test, as permitted by law, prior to commencing contracted employment with <COMPANY NAME>.

1.7.1.1 Background Investigations & Toxicology Screening

If permitted by law, background investigations must be conducted on any individual or entity prior to hiring or assignment, and prior to granting access to <COMPANY NAME> Goods or IP. These background investigations must be documented and shall include at minimum:
- Verification of personal identity
- Criminal background checks for the previous five (5) years (to the extent permitted under local laws)
- Name search within check lists of known terrorist organizations
- Name search within government debarment lists
- Employment verification back to age 18, including any gaps of greater than thirty days
- Motor Vehicle Records (MVR) for those subjects driving company-owned vehicles, or driving on company business as a primary component of their job

Where permitted by law, ten-panel toxicology screening should be used on a pre-employment, random and for-cause basis.

If the individual or entity is on any such list or has past criminal activity in their background investigation, <COMPANY NAME>'s account manager must be contacted and written approval obtained prior to allowing any such individual or entity access to <COMPANY NAME> Goods or IP.

1.7.1.2 Employee Terminations

All terminations of employees and sub-contractor employees must be documented. If any employee is terminated as not eligible for rehire, the facts of their termination must be documented to the extent permitted by law. All such records must be retained indefinitely unless and until instructed to the contrary by <COMPANY NAME>. Access control devices (keys or cards) must be collected from every terminated employee and sub-contractor employee immediately upon termination. Systems access permissions must be removed within 24 hours of termination. Employees not eligible for re-hire must be placed on a list, and new applicants must be checked against the list prior to employment.

1.7.2 Retention of Training Records

Detailed records must be kept of all personnel receiving <COMPANY NAME> training and updates to <COMPANY NAME> training.
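Two of the requirements above are only verifiable by reconciling the system's account list against HR: the 60-day access review in 1.5.4 (every user must have a valid business reason and existing management approval) and the 24-hour de-provisioning rule in 1.7.1.2. The following is an added example, not part of the Rx-360 template, of that reconciliation as a reviewer would script it. The HR roster, the account export, the employee ids and names, and the finding codes are all constructed for the illustration.

```python
"""Access review: reconcile enabled accounts against the HR roster and approvals.

Added illustration, not part of the Rx-360 template. It applies the template's
60-day access review (1.5.4: only users with a valid business reason and existing
management approval) and the 24-hour de-provisioning rule for terminated staff
(1.7.1.2). The roster, the account export and every name in them are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TERMINATION_SLA = timedelta(hours=24)   # 1.7.1.2: systems access removed within 24 hours
REVIEW_PERIOD = timedelta(days=60)      # 1.5.4: access reviewed every 60 days

# Finding codes (hypothetical, chosen for this example)
TERMINATED_OVERDUE = "TERMINATED_OVERDUE"  # owner terminated and the 24-hour SLA is already missed
TERMINATED_PENDING = "TERMINATED_PENDING"  # owner terminated, SLA still running
NO_OWNER = "NO_OWNER"                      # account not tied to a named individual
UNKNOWN_OWNER = "UNKNOWN_OWNER"            # owner id not on the HR roster at all
NO_APPROVAL = "NO_APPROVAL"                # no management approval on file
REVIEW_OVERDUE = "REVIEW_OVERDUE"          # last documented review older than 60 days

# Constructed HR roster: employee id -> (status, termination time or None)
HR_ROSTER: Dict[str, Tuple[str, Optional[datetime]]] = {
    "E100": ("active", None),
    "E101": ("terminated", datetime(2012, 6, 1, 17, 0)),   # left five days before the review
    "E102": ("terminated", datetime(2012, 6, 6, 8, 30)),   # left 30 minutes before the review
    "E103": ("active", None),
}

# Constructed account export from a hypothetical warehouse management system.
ACCOUNTS: List[dict] = [
    {"user": "jsmith",    "emp": "E100", "enabled": True,  "approver": "mgr.lee", "last_review": datetime(2012, 5, 20)},
    {"user": "rpatel",    "emp": "E101", "enabled": True,  "approver": "mgr.lee", "last_review": datetime(2012, 5, 20)},
    {"user": "tnguyen",   "emp": "E102", "enabled": True,  "approver": "mgr.lee", "last_review": datetime(2012, 5, 20)},
    {"user": "kbrown",    "emp": "E103", "enabled": True,  "approver": None,      "last_review": datetime(2012, 5, 20)},
    {"user": "svc_label", "emp": None,   "enabled": True,  "approver": "it.ops",  "last_review": datetime(2012, 1, 10)},
    {"user": "old_temp",  "emp": "E999", "enabled": False, "approver": None,      "last_review": None},
]


def review_accounts(accounts: List[dict], roster: Dict[str, Tuple[str, Optional[datetime]]],
                    now: datetime) -> List[Tuple[str, str, str]]:
    """Return (user, finding code, detail) for every enabled account that fails a check."""
    findings: List[Tuple[str, str, str]] = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled: out of scope for this review
        user = a["user"]
        if a["emp"] is None:
            findings.append((user, NO_OWNER, "no named individual accountable for the account"))
        elif a["emp"] not in roster:
            findings.append((user, UNKNOWN_OWNER, f"employee id {a['emp']} not on HR roster"))
        else:
            status, left_at = roster[a["emp"]]
            if status == "terminated":
                deadline = left_at + TERMINATION_SLA
                if now > deadline:
                    findings.append((user, TERMINATED_OVERDUE,
                                     f"should have been disabled by {deadline:%Y-%m-%d %H:%M}"))
                else:
                    findings.append((user, TERMINATED_PENDING,
                                     f"must be disabled by {deadline:%Y-%m-%d %H:%M}"))
        if a["approver"] is None:
            findings.append((user, NO_APPROVAL, "no management approval recorded"))
        if a["last_review"] is None or now - a["last_review"] > REVIEW_PERIOD:
            findings.append((user, REVIEW_OVERDUE, "access not reviewed within 60 days"))
    return findings


def review_sample(now: datetime = datetime(2012, 6, 6, 9, 0)) -> List[Tuple[str, str, str]]:
    """Run the review over the constructed data at a fixed review time."""
    return review_accounts(ACCOUNTS, HR_ROSTER, now)


if __name__ == "__main__":
    for user, code, detail in review_sample():
        print(f"{user:<10} {code:<20} {detail}")
```

Service accounts with no named owner are reported rather than silently excused: the template's approval requirement applies to every account that can reach <COMPANY NAME> IP, and an unowned account is the one nobody will think to disable when staff leave.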

1.8 Cargo Security

1.8.1 On-site Cargo Security

All Vendors must comply with the following cargo security requirements.

1.8.1.1 High Security Container Seals

All trucks, trailers and containers ("Cargo Vehicles") must be secured using high-security seals that comply with the standards of:
- The country of origin
- Applicable trans-shipment countries
- The country of destination

Access to container seals must be limited; seals should be affixed either by shipping or security personnel (never by the driver), and seals must be destroyed upon removal.

1.8.1.2 Cargo Delivery, Loading and Unloading

Trucks are permitted to enter and leave the facility through secured access points only. When unattended, containers, trucks, and trailers containing <COMPANY NAME> Goods must be:
- Parked in secure holding areas
- Monitored through video surveillance or directly by security personnel

Cargo loading and unloading must be supervised by <COMPANY NAME>-authorized personnel. Full pallets, partial pallets, and single shipped master cartons must be weighed before shipment, and the weight noted in the related shipping documentation. Delivery, loading and unloading should be scheduled in advance and must take place during applicable business hours only. <COMPANY NAME> Goods cannot be pre-loaded into Cargo Vehicles except under pre-approved conditions.

When unloading cargo, cargo weight and carton count must be reconciled against the manifest documents while the cargo vehicle is still present. Damage or tampering must also be noted. Damaged or short shipments must be reported to <COMPANY NAME> within 48 hours of receipt.

Before loading cargo, the Vendor must:
- Inspect the cargo vehicle for unauthorized or un-manifested materials
- Verify that all outbound shipments are destined to an authorized location
- Verify that shipments are scheduled for delivery during normal receiving business hours, unless a shipment has an alternate receiving procedure in place prior to shipment. Each alternate receiving procedure can apply to one specific shipment only.

1.8.1.3 Segregation of Shipping and Receiving Functions

One of the following methods must be used to ensure that <COMPANY NAME> Goods cannot be simultaneously loaded on and unloaded from the same truck, trailer or container:
- There must be a physical barrier between shipping and receiving facilities that prevents commingling of these activities, OR
- Shipping and receiving must be scheduled so they do not occur at the same docks at the same time.

1.8.1.4 Cargo Vehicle Inspections

Cargo Vehicles must be physically secure, with working locking mechanisms that are inspected upon each loading of <COMPANY NAME> Goods or IP. Inspection logs must list the names of the person(s) conducting the inspections and their findings.
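The dock-side reconciliation described in 1.5.10 and 1.8.1.2 (seal tracked and verified, weight and carton count compared to the manifest while the vehicle is still present, damage noted, destination authorized, delivery within business hours, shortages reported within 48 hours) is a fixed checklist and is best encoded as one. The following is an added example, not part of the Rx-360 template, of that reconciliation in code. The 2% weight tolerance, the 08:00 to 17:00 receiving window, the seal serial format and the three sample shipments are assumptions made for the illustration.

```python
"""Reconcile a received shipment against its manifest before the vehicle leaves.

Added illustration, not part of the Rx-360 template. It implements the checks the
template asks for at the dock: seal serial verified (1.5.10, 1.8.1.1), carton count
and weight reconciled against the manifest while the vehicle is still present
(1.8.1.2), delivery within business hours and to an authorized location (1.6.7,
1.8.1.2), and the 48-hour reporting deadline for damaged or short shipments.
The tolerance, business hours and every sample shipment below are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

WEIGHT_TOLERANCE = 0.02      # assumed: 2% scale variance before it counts as a discrepancy
BUSINESS_HOURS = (8, 17)     # assumed: receiving open 08:00 to 17:00 local time
REPORTING_WINDOW = timedelta(hours=48)   # 1.8.1.2: damaged or short shipments reported within 48 h


@dataclass
class Manifest:
    shipment_id: str
    seal: str            # serial number of the high-security seal applied at origin
    cartons: int
    weight_kg: float
    consignee: str


@dataclass
class Receipt:
    shipment_id: str
    seal_found: str      # serial read off the seal on arrival
    seal_intact: bool
    cartons: int
    weight_kg: float
    received_at: datetime
    damage_noted: str = ""


def reconcile(m: Manifest, r: Receipt, authorized_consignees: Set[str]) -> dict:
    """Compare the receipt to the manifest; return discrepancies and the report-by deadline."""
    issues: List[Tuple[str, str]] = []
    if r.shipment_id != m.shipment_id:
        issues.append(("ID_MISMATCH", f"manifest {m.shipment_id}, paperwork {r.shipment_id}"))
    if r.seal_found != m.seal:
        issues.append(("SEAL_MISMATCH", f"manifest seal {m.seal}, found {r.seal_found}"))
    if not r.seal_intact:
        issues.append(("SEAL_TAMPERED", "seal broken or shows signs of tampering"))
    if r.cartons < m.cartons:
        issues.append(("SHORTAGE", f"{m.cartons - r.cartons} carton(s) short"))
    elif r.cartons > m.cartons:
        issues.append(("OVERAGE", f"{r.cartons - m.cartons} unmanifested carton(s)"))
    if m.weight_kg > 0:
        variance = (r.weight_kg - m.weight_kg) / m.weight_kg
        if abs(variance) > WEIGHT_TOLERANCE:
            issues.append(("WEIGHT_VARIANCE", f"{variance:+.1%} against manifest weight"))
    if m.consignee not in authorized_consignees:
        issues.append(("UNAUTHORIZED_DESTINATION", m.consignee))
    if not BUSINESS_HOURS[0] <= r.received_at.hour < BUSINESS_HOURS[1]:
        issues.append(("OUT_OF_HOURS", r.received_at.strftime("%H:%M")))
    if r.damage_noted:
        issues.append(("DAMAGE", r.damage_noted))
    return {
        "shipment": m.shipment_id,
        "accept": not issues,
        "discrepancies": issues,
        "report_by": r.received_at + REPORTING_WINDOW if issues else None,
    }


# Constructed samples: one clean receipt, one with a wrong seal and missing cartons,
# one delivered after hours to a consignee that is not on the authorized list.
AUTHORIZED = {"DC-North", "DC-South"}
SAMPLES = [
    (Manifest("SH-1001", "HS-7781203", 40, 480.0, "DC-North"),
     Receipt("SH-1001", "HS-7781203", True, 40, 479.2, datetime(2012, 6, 6, 10, 15))),
    (Manifest("SH-1002", "HS-7781204", 40, 480.0, "DC-North"),
     Receipt("SH-1002", "HS-7781219", True, 36, 432.0, datetime(2012, 6, 6, 10, 40),
             "corner of pallet 3 crushed")),
    (Manifest("SH-1003", "HS-7781205", 12, 150.0, "Unknown-Broker"),
     Receipt("SH-1003", "HS-7781205", True, 12, 150.4, datetime(2012, 6, 6, 19, 30))),
]


def reconcile_samples() -> List[dict]:
    return [reconcile(m, r, AUTHORIZED) for m, r in SAMPLES]


if __name__ == "__main__":
    for result in reconcile_samples():
        status = "ACCEPT" if result["accept"] else f"HOLD, report by {result['report_by']:%Y-%m-%d %H:%M}"
        print(result["shipment"], status, result["discrepancies"])
```

A seal serial that differs from the manifest is reported even when the seal is intact: an intact seal with the wrong number is the signature of a re-seal after tampering, which is why the template tracks seal serials from pick-up to receipt rather than only checking that a seal is present.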

1.8.1.5 Protection of Shipment Information Information regarding incoming and outgoing shipments, including the routing of said shipments, is to be kept confidential and securely guarded. Vehicles must depart with approved and verified drivers directly from the protected loading area. Under no circumstances shall another person move a loaded vehicle. 1.8.2 Controlling Access to Cargo Uncontrolled access to shipping and loading docks, cargo areas, trailers, containers, or any other vehicle involved in the transport of <COMPANY NAME> Goods is prohibited. At a minimum, access must be controlled as follows: Access to such areas must be logged and records retained indefinitely unless and until instructed to the contrary by <COMPANY NAME>. Drivers must be accompanied by authorized personnel when in a shipping/receiving area for <COMPANY NAME> Goods, and otherwise must remain in their vehicle or be restricted to a designated area. Vendors must keep complete records of driver names, license number, vehicle license number and issuing governmental authority (tractor and trailer, if applicable), seal serial number, and the date and time of pick-up. 1.9 Control of <COMPANY NAME> Goods in the Facility 1.9.1 Storage of <COMPANY NAME> Goods <COMPANY NAME> Goods must be transferred upon reception to secure, access controlled internal location(s) by <COMPANY NAME> - authorized personnel. All <COMPANY NAME> storage locations must be within the facility. 1.9.2 Access to <COMPANY NAME> Goods The following access controls are required for <COMPANY NAME> Goods and <COMPANY NAME> storage areas. 1.9.2.1 Granting Access to <COMPANY NAME> Goods Access to <COMPANY NAME> Goods should be provided for established business needs only. 1.9.2.2 <COMPANY NAME> Storage Area Access Locations <COMPANY NAME> storage areas must be accessible from specific monitored locations only. 
1.9.2.3 Code, Key or Card Access to <COMPANY NAME> Storage Areas
Access to <COMPANY NAME> storage areas should be by assigned access code. However, if the facility cannot accommodate an access code system, keys or cards may be used to control access.

1.9.2.3.1 Access Code Requirements
- Access codes should be issued to authorized individuals only. Sharing codes is prohibited.
- Access codes must be changed at least once every three (3) months.
- Access codes are to be controlled and logged by authorized individuals only.
- Employee access changes must be reported to security immediately and their access privileges must be modified immediately.

1.9.2.3.2 Access Control Devices
Access control devices (keys or cards) must be collected from every terminated employee immediately upon termination. Extra, unused or returned access keys or cards must be kept in a secure location.

1.9.2.3.3 Access Control Records

Electronic access logs that include the name of the authorized individual, the date of access, and the time of access must be maintained indefinitely unless and until instructed to the contrary by <COMPANY NAME>. Records identifying all persons in possession of keys, cards or access codes must be maintained indefinitely unless and until instructed to the contrary by <COMPANY NAME>.

1.9.2.4 Employee Identification
The identity of each person seeking access to <COMPANY NAME> Goods must be verified in real time. Persons monitoring access must be trained in how to challenge persons seeking inappropriate access. Visibly displayed photo or serialized identification badges are to be used by all personnel provided access to <COMPANY NAME> Goods.

1.9.2.5 Visitor Access
No visitors are to be allowed access to <COMPANY NAME> Goods without prior <COMPANY NAME> approval, a verified government-issued ID and a <COMPANY NAME>-authorized escort.

1.9.2.6 Temporary Staff
Temporary staff (for example, maintenance or cleaning crews) are to be supervised at all times by authorized personnel.

1.9.2.7 Personal Belongings in <COMPANY NAME> Storage Areas
Bags, backpacks and personal cell phones must remain in the locker room and should not be allowed in the warehouse.
1.10 Returned and Rejected Product

1.10.1 Mandatory Scrap and Destruction
Vendors must remove affected product, packaging labels, product inserts, and <COMPANY NAME> electronic files from their inventory, store these in a dedicated secure area on the premises, and document said <COMPANY NAME> Goods and/or IP as scrapped and destroyed within five (5) business days if any of the following events occur:
- The Vendor in possession of <COMPANY NAME> Goods is no longer required by <COMPANY NAME> to fulfill its contract/agreement with <COMPANY NAME>
- <COMPANY NAME> Goods are determined to be corrupted or unusable
- <COMPANY NAME> Goods are at end of life
- The Vendor's agreement with <COMPANY NAME> is terminated, or no further production, supply and/or distribution of <COMPANY NAME> Goods is authorized
Determination of whether one of these events has occurred shall be at <COMPANY NAME>'s sole discretion.

1.10.2 Destruction of Scrap and Returns

1.10.2.1 <COMPANY NAME> Goods
Goods scheduled for destruction (including seals) must be kept in a dedicated secure location. Destruction must be performed in the presence of an authorized <COMPANY NAME> representative, and must be certified. Certificates of destruction must be kept indefinitely, unless and until instructed otherwise by <COMPANY NAME>. Logs of all scrapped goods must record:
- Date of destruction
- Description and quantities of scrapped goods
- Identifying control numbers, if any
- Name of the person authorizing destruction
- Name(s) of the person(s) witnessing and destroying <COMPANY NAME> Goods

1.10.2.2 Electronic Files
Electronic files scheduled for destruction are to be securely deleted using procedures specified by <COMPANY NAME>, and said destruction must be documented.

1.11 Reporting and Notification

1.11.1 Good Distribution Practices Violations
Vendor will notify <COMPANY NAME> within one (1) business day upon becoming aware of any violation of the GDP.

1.11.2 Supply Chain Security Requirements Violations
Vendor shall notify <COMPANY NAME> within twenty-four (24) hours of becoming aware of any violation of the SCS Requirements.

1.11.3 Notification of Damage or Loss
Vendor shall report any loss of or damage to any <COMPANY NAME> product or its packaging within twenty-four (24) hours of becoming aware of such loss or damage.

1.11.4 Firewall Access Violations
Firewall access violations must be logged and periodically reviewed to identify potential intrusions.

1.11.5 After-hours Alarm Notification List
An after-hours alarm notification list is required. This list must include multiple layers of redundancy to guarantee that a responder is always available. The list must be updated and tested once every six months.

1.11.6 Scrap Recycling List
The Vendor must maintain a list of companies or individuals that provide scrap recycling and provide this list to <COMPANY NAME>.

1.11.7 Employee Background Issues
If the individual or entity being investigated is on lists of known terrorist organizations or government debarred lists, or has past criminal activity, <COMPANY NAME>'s account manager must be contacted and written approval obtained prior to allowing them access to <COMPANY NAME> Goods.

1.11.8 Use of Sub-contracted Individuals or Equipment
Vendor must report their intent to use sub-contracted individuals or equipment to a representative of <COMPANY NAME> prior to use.

1.11.9 Security Incidents
The <COMPANY NAME> Vendor must designate a local management contact to be telephoned in the event of a security incident.
1.11.10 Solicitations by Unauthorized Sellers
Attempts to buy or sell <COMPANY NAME> Goods by unauthorized sellers must be reported to <COMPANY NAME> within 24 hours of the solicitation. The report should include as much detail as possible.

1.11.11 Unusual Discrepancies in Sales or Orders
Unusual discrepancies in sales or orders from a given supplier or distributor must be reported to the appropriate <COMPANY NAME> account manager within 24 hours of discovery. ("Unusual" is to be determined on an individual basis by the <COMPANY NAME> account manager for each <COMPANY NAME> Vendor and agreed upon in writing.)

1.11.12 Reporting Violations of Government Regulations
Vendors shall report to <COMPANY NAME> any violation of government regulations that impacts their ability to fulfill any contractual obligations to <COMPANY NAME>. Such reports must be made within 24 hours of the discovery of the violation.

1.11.13 Reporting Revisions of this Document
Vendors will inform their <COMPANY NAME>-approved sub-contractors of <COMPANY NAME> revision changes to this document within five (5) business days of receiving the changes.

1.12 Information Protection
Vendors must implement the following measures to control access to, and protect the storage and transmission of, <COMPANY NAME> confidential electronic information.

1.12.1 Information Security Management
The Vendor's network and servers must be protected by an information security function that:
- Establishes information security management policies and controls
- Monitors compliance with established controls
- Assigns information security roles and responsibilities
- Assesses information risks and manages risk mitigation

1.12.2 Protected Access to <COMPANY NAME> Confidential Information
<COMPANY NAME> Confidential Information:
- May only be stored on secure servers that are protected from general-purpose computer networks by a dedicated firewall
- May not be stored on any internal drives to which external portable recordable media devices can be attached for the extraction of data

1.12.3 Environmental Controls
All critical computer resources must be housed in accordance with the equipment manufacturer's operating specifications for temperature ranges, humidity levels and particulate count.

1.12.4 Fire Suppression
Data centers and computer rooms housing critical computer resources must be equipped with fire suppression systems.
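Section 1.11.4 requires that firewall access violations be logged and periodically reviewed to identify potential intrusions, and 1.12.1 requires an information security function that monitors compliance. The template does not say what such a review looks like, so the following is an added example, not part of the Rx-360 template or any vendor's tooling. It assumes a syslog-style firewall DENY record layout (an assumption; real devices differ) and builds its own constructed sample log. It flags two patterns a reviewer would want surfaced: one source denied on many distinct destination ports in a short window (a probable port scan), and one source denied many times against a single service (a probable brute-force or persistent access attempt).

```python
"""Periodic review of firewall access-violation (DENY) logs.

Added example for section 1.11.4; not from the Rx-360 template.
The log format below is an ASSUMED syslog-style layout, and the
sample lines are CONSTRUCTED for this example, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record layout, e.g.
# 2012-06-06T02:14:00 fw01 DENY TCP SRC=203.0.113.7 DST=10.0.5.20 SPT=51000 DPT=21
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) DENY (?P<proto>TCP|UDP) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Parse DENY records into dicts. Non-matching lines (ACCEPTs, noise)
    are skipped but counted so the reviewer can see how much was ignored."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dpt": int(m["dpt"]),
        })
    return events, skipped


def review(events, window=timedelta(minutes=5), scan_ports=10, repeat_hits=20):
    """Sliding-window review per source address.

    'port_scan'       : >= scan_ports distinct (dst, port) denied within `window`
    'repeated_access' : >= repeat_hits denies against one (dst, port) within `window`
    Returns a sorted list of (src, kind, count); the count is the worst window seen.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            targets = {(e["dst"], e["dpt"]) for e in in_window}
            if len(targets) >= scan_ports:
                key = (src, "port_scan")
                findings[key] = max(findings.get(key, 0), len(targets))
            hits = defaultdict(int)
            for e in in_window:
                hits[(e["dst"], e["dpt"])] += 1
            worst = max(hits.values())
            if worst >= repeat_hits:
                key = (src, "repeated_access")
                findings[key] = max(findings.get(key, 0), worst)
    return sorted((src, kind, n) for (src, kind), n in findings.items())


def constructed_sample_log():
    """CONSTRUCTED sample: one ACCEPT (ignored), a 15-port probe, 25 denies
    against RDP on one host, and one stray deny that should not be flagged."""
    t0 = datetime(2012, 6, 6, 2, 14, 0)
    lines = ["2012-06-06T02:13:59 fw01 ACCEPT TCP SRC=10.0.1.5 DST=10.0.5.20 SPT=40000 DPT=443"]
    for i in range(15):  # 203.0.113.7 hits ports 21..35 in 15 seconds
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} fw01 DENY TCP SRC=203.0.113.7 DST=10.0.5.20 SPT={51000 + i} DPT={21 + i}")
    for i in range(25):  # 198.51.100.9 hammers 10.0.5.21:3389 every 5 seconds
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} fw01 DENY TCP SRC=198.51.100.9 DST=10.0.5.21 SPT={52000 + i} DPT=3389")
    ts = (t0 + timedelta(minutes=30)).isoformat()
    lines.append(f"{ts} fw01 DENY UDP SRC=192.0.2.44 DST=10.0.5.20 SPT=5353 DPT=161")
    return "\n".join(lines)


if __name__ == "__main__":
    evs, skipped = parse_log(constructed_sample_log())
    print(f"{len(evs)} DENY records parsed, {skipped} other lines skipped")
    for src, kind, n in review(evs):
        print(f"{src:16} {kind:16} {n}")
```

The thresholds and window are review parameters, not requirements from the template; a vendor would tune them to its own traffic and record the chosen values alongside the review schedule in appendix 2.1. The single deny from 192.0.2.44 is deliberately left unflagged: a review that reports every denied packet is one nobody reads.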

2 Appendices

2.1 Document Review Schedule
Note that all supply chain security documentation required by <COMPANY NAME> should be periodically reviewed for accuracy and revision. The following table is provided for vendor convenience, but may not address all review issues.

Page #   Documentation                       Review Cycle
8        Disaster Recovery Plan              Annual
8        Business Continuity Plan            Annual
8        Disaster Recovery Contact List      3 months
8        Business Continuity Contact List    3 months
6        Access Control Logs                 60 days
7        Controlled Access Records           Annual
13       Firewall Access Violation Logs      Periodically

2.2 Record Retention List
Note that all records, lists and logs required by <COMPANY NAME> should be periodically reviewed for accuracy and revision. The following table is provided for vendor convenience, but may not address all retention requirements.

Page #   Record, List or Log                                        Retention Period
9        Employee Termination Records                               Indefinite
7        Computer Log Files                                         At least 60 days
11       Cargo Access Records                                       Indefinite
5        Uneventful Audio and Video Recordings                      3 months following recording
5        Audio and Video Recordings Documenting an Event            Indefinite
3        Orders of <COMPANY NAME> Product                           Indefinite
3        Receipts of <COMPANY NAME> Product                         Indefinite
11       Access Logs                                                Indefinite
11       Key, card and access code records (as applicable)          Indefinite
12       Certificates of destruction                                Indefinite

2.3 Key Terms

API: Active Pharmaceutical Ingredient.

cGMP: The current good manufacturing practices promulgated by the US Food and Drug Administration.

C-TPAT: The U.S. Customs and Border Protection program, Customs-Trade Partnership Against Terrorism.

Excipients: All inert ingredients (such as sugar) in a product's formulation.

GDP: Good Distribution Practices.

Intrusion Detection Technology or Software: Very similar to anti-virus software; both use signatures, or identifying characteristics, to locate malicious content. Anti-virus software searches the files on selected drives for these signatures. Intrusion detection software searches the packets transmitted on the network in the same manner.

Other materials: Coatings (such as wax), binders, casings, etc.

PDMA: The Prescription Drug Marketing Act of 1987.

Pre-API: A processed and/or controlled product used in the creation of an API. Pre-APIs have their own control systems.

SCS: Supply Chain Security.

<COMPANY NAME> Confidential Information: Sensitive information, including shipment details, pricing, labels, packaging, and <COMPANY NAME> technical information.

<COMPANY NAME> Goods: <COMPANY NAME> product and product components, whether in finished or unfinished, packaged or unpackaged form, including the handling of any components of said finished or unfinished products and including but not limited to active pharmaceutical ingredients, excipients, packaging, package inserts, labels, any raw materials required to produce the preceding items, extra access devices, video surveillance recordings, and any other product or component specified by <COMPANY NAME>.

<COMPANY NAME> IP: <COMPANY NAME> patents, trade secrets, confidential information, copyrights and trademarks, or other forms of <COMPANY NAME> intellectual property.

Two-factor Authentication: To access a device protected by two-factor authentication, you must have something (such as an RSA token) and know something (such as your PIN). There are multiple forms of two-factor authentication described on the Internet.

Vendor: A packager, manufacturer, supplier, contracted carrier, testing laboratory, customs brokerage or distributor of <COMPANY NAME> product.