9. Physical Security
Introduction
Cargo handling and storage facilities, Instruments of
International Traffic storage areas, and facilities where
import/export documentation is prepared in domestic
and foreign locations must have Physical Security
Measures, which include physical barriers and deterrents
that guard against unauthorized access.
The need for physical security can vary greatly based on
the Member’s role in the SC, its business model, and level of
risk. The physical security criteria provide a number of
deterrents/obstacles that will help prevent unwarranted
access to cargo, sensitive equipment, and/or information.
Members should employ these security measures
throughout their SC to minimize risk.
The following criteria and implementation guidance
shall facilitate the development of appropriate
procedural security measures in satisfying CTPAT
Minimum Security Criteria requirements.
Criteria & Implementation Guidance
• Perimeter Fencing: should enclose the areas around
cargo handling and storage facilities. Where necessary,
interior fencing should be used to secure cargo handling
areas.
• Based on risk, security shall be reinforced with
additional interior fencing to segregate various types
of cargo such as domestic, international, high value,
and/or hazardous materials. Other acceptable barriers
may be used instead of fencing depending on the
magnitude of risk.
• Fencing should be regularly inspected for integrity and
damage by designated personnel. If damage is found in
the fencing, repairs should be made as soon as possible
and security order must be restored.
• Gates: where vehicles and/or personnel enter or exit
(as well as other points of egress) must be manned or
monitored. Individuals and vehicles may be subject to
search in accordance with regulatory requirements. It
is recommended that the number of gates be kept to
the minimum necessary for proper access and safety.
• Private Vehicles: should be prohibited from parking
in or adjacent to cargo handling and storage areas,
and conveyances. Locate parking areas outside of
fenced and/or operational areas, or at least at
substantial distances from cargo handling and
storage areas.
• Adequate Lighting: must be provided inside and outside
the facility including, as appropriate, areas such as
entrances and exits, cargo handling and storage areas,
fence lines, and parking areas. In addition, automatic
timers or light sensors that automatically turn on
appropriate security lights are useful additions to
lighting apparatus.
• Electronic Security Technology: should be used to monitor
premises and prevent unauthorized access to sensitive
areas, and shall include burglary alarm systems (perimeter
and interior), also known as Intrusion Detection Systems
(IDS); Access Control Devices; and Video Surveillance
Systems (VSS), including Closed Circuit Television Cameras
(CCTVs). These systems must incorporate the latest
technology.
The use of Electronic Security Technology must be
implemented with written policies and procedures governing
the use and protection of this technology.
The procedures shall cover the following:
• limit access authorization
• test/inspect the system on a regular basis
• verify that system equipment is operationally effective
• document the results of the inspections, testing
and maintenance for future audit purposes.
• General guidelines to follow when testing Security
Technology Systems after any service work, major repairs
or modifications to a building or facility, including any major
changes to phone or internet services:
  • make sure all video settings are restored
  • make sure camera domes/lenses are clean and lenses
  are focused
  • make sure security cameras are positioned correctly and
  remain in the proper position.
• Camera recordings of footage covering key import/export
processes after a security breach should be maintained on
monitored shipments for a sufficient time to allow an
investigation to be completed. This footage would be of
paramount importance in discovering where the SC may have
been compromised.
• For monitoring, the CTPAT program recommends allotting at
least 14 days after a shipment has arrived at its first point of
distribution. This is where the container is first opened after
clearing Customs.
All security technology infrastructure must be
physically secured from unauthorized access. These
systems should be configured with an alternative power
source that will allow the systems to continue to
operate in the event of an unexpected loss of direct
power. An alternative power source may be an auxiliary
power generation source or backup batteries.
Sensitive Area Cameras, when deployed in a facility,
should:
• cover key areas of facilities that pertain to the
import/export process
• monitor and deter unauthorized access
• be programmed to record at the highest picture quality
setting
• be available, and be set to record on a 24/7 basis
• have an alarm/notification feature.
• Based on risk, key sensitive areas or processes may include:
  • cargo handling and storage
  • shipping/receiving
  • the cargo loading process
  • the sealing process and seal storage
  • conveyance arrival/exit
  • IT servers
  • container inspections (security and agricultural)
  • any other areas that pertain to securing international
  shipments.
• When camera systems are deployed: periodic, random
reviews of the camera footage must be conducted to
verify that cargo security procedures are being properly
followed in accordance with the law.
Results of the reviews must be summarized in writing to
include any corrective actions taken. The results must be
maintained for a sufficient time for audit purposes.
• Some key processes that may be the focus of random
reviews are:
  • cargo handling activities
  • container inspections
  • the loading process
  • sealing process
  • conveyance arrival/exit
  • cargo departure, etc.
• Purpose of the review: to evaluate the effectiveness of
established security processes, identify gaps and
prescribe corrective actions. Based on potential risk and
past security compromises, the Member may target a
review periodically and include the following contents in
the review summary:
  • the date of the review
  • the date of the footage that was reviewed
  • which camera/area the recording was from
  • a brief description of any findings
  • if warranted, corrective actions.
10. Physical Access Control
Introduction
Physical Access Controls prevent unauthorized access
into facilities/areas, help maintain control of employees
and visitors, and protect company assets. Access
controls include the positive identification of all
employees, visitors, service providers, and vendors at all
points of entry by implementing appropriate procedures.
The following criteria and enforcement guidance shall
facilitate the development of appropriate procedural
security measures in satisfying CTPAT Minimum
Security Criteria requirements.
Criteria & Implementation Guidance
• Personnel Identification System: used for positive
identification and access control of employees; access to
sensitive areas must be restricted based on job description
or assigned duties. Removal of access devices must take
place when employees separate from the company. When
employees are separated from a company, the use of exit
checklists helps ensure that all access devices have been
returned and/or deactivated.
• External Stakeholders Identification: Visitors, vendors,
and service providers must present photo
identification upon arrival, and a log must be
maintained that records the details of the visit. All
visitors should be escorted. In addition, all visitors and
service providers should be issued temporary
identification. If temporary identification is used, it
must be visibly displayed at all times during the visit.
• The registration log must include the following:
  • date of the visit
  • visitor's name
  • verification of photo identification (type verified,
  such as license or national ID card)
  • time of arrival
  • company point of contact
  • time of departure.
• Cargo Driver Identification: drivers must be positively
identified with government-issued photo identification
(NRIC) for gaining access before cargo is received or
released. Alternatively, the facility employee may accept
a recognizable form of photo identification issued by the
carrier company that employs the driver picking up the
cargo.
• Cargo Pickup Log: must be kept to register drivers and
record the details of their conveyances when picking up
cargo. It should contain the:
  • driver's name
  • date and time of arrival
  • employer
  • truck number
  • trailer number
  • time of departure
  • seal number affixed to the shipment.
• Fictitious pick-ups: are criminal schemes that result in
the theft of cargo by deception, including truck
drivers using fake IDs and/or fictitious businesses set
up for the purpose of cargo theft.
• Avoid Fictitious Pickup: Prior to arrival, the carrier should
notify the facility of the estimated time of arrival for the
scheduled pickup, the name of the driver, and truck
number. Where operationally feasible, CTPAT Members
should allow deliveries and pickups by appointment only
in order to avoid fictitious pickups.
• Contraband Screening: arriving packages and mail should
be effectively monitored and periodically screened for
contraband before being admitted. Examples of such
contraband include, but are not limited to, explosives,
illegal drugs, and currency.
• Work Instructions for Security Guard: must be
contained in written policies and procedures.
Management must periodically verify compliance with,
and the appropriateness of, these procedures through
audits and policy reviews.
11. Personnel Security
Introduction
A company’s human resource force is one of its most critical
assets, but it may also be one of its weakest security links.
Employees engaged in an organization may pose inherent
risks if they are not screened and vetted properly before
being employed.
Hence a due diligence process must be carried out on every
employee before employing him/her in sensitive positions
to ensure he/she is reliable and trustworthy.
The following criteria and enforcement guidance shall
facilitate the development of appropriate procedural
security measures in satisfying CTPAT Minimum
Security Criteria requirements.
• Due Diligence Process: Written processes must be in
place to screen prospective employees and to
periodically check current employees. Application
information, such as background, employment history
and references, must be verified prior to employment,
to the extent possible and allowed under the law,
before making a hiring decision.
• Screening & Vetting Threshold: Besides full-time
employees, based on the sensitivity of the position,
employee background screening and vetting
requirements should extend to the temporary workforce
and contractors too. Once employed, periodic
reinvestigations should be performed based on
cause, and/or the sensitivity of the employee’s
position.
• Employee Code of Conduct: It helps companies develop
a professional image and establish a strong ethical
culture. CTPAT Members must have an Employee Code of
Conduct that includes expectations and defines
acceptable behaviors. In addition, penalties and
disciplinary procedures must be included in the Code of
Conduct.
• Acknowledgement of Code of Conduct:
Employees/contractors must acknowledge that they
have read and understood the Code of Conduct by
signing it, and this acknowledgement must be kept
in the employee’s file for documentation.
12. Education, Training & Awareness
Introduction
• The importance of education, training and awareness in
SC security cannot be overemphasized. The CTPAT security
program is conceptually designed to provide stakeholders
a layered security effect throughout the SC link. Hence it is
one step beyond the traditional focus of a security
program. It involves various departments and personnel
throughout the SC link.
• Thus educating and training employees on their
security role at their specific node in the SC is important in
protecting the company’s SC governance and the endurance
of an SC security program. Moreover, when employees are
aware of and understand why security procedures are in
place and their ultimate outcome, they are much more
likely to adhere to them in a productive manner.
The following criteria and enforcement guidance shall
facilitate the development of appropriate procedural
security measures in satisfying CTPAT Minimum
Security Criteria requirements.
Criteria & Implementation Guidance
• Awareness Program: CTPAT members must establish
and maintain a security training and awareness
program to recognize and foster awareness of the
security threat and vulnerabilities to facilities,
conveyances, and cargo at each point in the SC, which
could be exploited by terrorists or contraband
smugglers.
• Training Contents & Methodology: Training topics may
include protecting access controls, recognizing
internal conspiracies, and reporting procedures for
suspicious activities and security incidents. To reap
good benefits from the training, various delivery
techniques must be used to ensure effective transfer of
knowledge and skill to the participants.
• Training Records: CTPAT members must retain
evidence of training such as training logs, attendance
sign-in sheets (roster), or electronic training records.
Training records should include the date of the
training, names of attendees, the topics of the training
and assessment records to verify that the training
provided met all training objectives.
• Security Inspection Training: Drivers and other personnel
who conduct security and agricultural inspections of
empty conveyances and IIT must be trained to inspect
competently in the topics below:
  • Signs of hidden compartments
  • Concealed contraband in naturally occurring
  compartments
  • Signs of pest contamination.
• Refresher Training: must be conducted periodically, as
needed after an incident or security breach, or when
there are changes to company policies and procedures.
• Training Effectiveness Measurement Tool:
Understanding the training and being able to use that
training in one’s position (for sensitive employees) is
of paramount importance. Exams or quizzes, a
simulation exercise/drill, or regular audits of
procedures etc. are some of the measures that the
Member may implement to determine the
effectiveness of the training.
• Specialized Training: should be provided annually to
personnel responsible for trade compliance,
security, procurement, finance, shipping, and receiving.
Members may take into account the CTPAT Warning
Indicators for Trade-Based Money Laundering and
Terrorism Financing Activities document.
• Focus on Cybersecurity Training: Employees must be
trained on the company's cybersecurity policies and
procedures to ensure effective use of operational cyber
tools. All training conducted must emphasize
quality and must be done in a formal setting rather than
informally, such as through emails or memos.
• Security Technology Systems Training: CTPAT members
must ensure that personnel operating and managing
security technology systems receive operations
and maintenance training in their specific areas. Prior
experience with similar systems is acceptable, and
self-training via operational manuals and other methods is
also acceptable.
• Incident Report Training: Personnel must be trained on
how to report security incidents and suspicious
activities, as it is an extremely important aspect of a
security program. Specialized training modules (based
on job duties) may have more detailed training on
reporting procedures, including specifics on the
process, such as what to report, to whom, how to report
the incident, and what to do after the report is
completed.
Phy Sy CTPAT.pptx-ctpat training for supply chain managers.
