C-TPAT Membership Security Model Summary: Report Generated By: Hugo Medrano


C-TPAT Membership Security Model Summary

Report generated by: Hugo Medrano

Report generated at: Mon May 03 18:54:01 EDT 2021



Business Type Information


Security Model Name: HTP de Mexico, S.A. de C.V. - Foreign Manufacturer
Business Type: Foreign Manufacturer
Status: Applicant
CTPAT Account #: 98967748

Business Entity Information


Foreign Manufacturer
MID
MXHTPDE1490TIJ
Dun and Bradstreet Number

Addresses
Primary Address Secondary Mailing Address Type Address Line 1 Address Line 2 City Postal Code Country State
Y N Y Main Office Cerrada Baja Calfornia 4550 - 4-A Col. Gas y Anexas, La Mesa Tijuana 22115 Mexico Baja California

Contacts
Primary Contact | Officer | Employee | Consultant | User Email | Last Name | First Name | Initial | Title | Phone Number
N | N | N | Y | angel@vieyra-ce.com | Vieyra | Angel | | Consultant | 01152664-2108555
N | N | N | Y | andrea@vieyra-ce.com | Munoz | Andrea | | Consultant | 6642108555
Y | Y | N | N | glopez@hi-tech-products.com | Lopez | Gilberto | | Import-Export Manager | 6649720154
N | N | Y | N | atoro@hi-tech-products.com | Toro | Alberto | | Import-Export Analyst | 6649720154
N | N | Y | N | hmedrano@hi-tech-products.com | Medrano | Hugo | D | Security Analyst | 6645794083

International
Mutual Recognition Agreement Agreed
Mutual Recognition Programs
Mexico

Security Profile
Upper Management Responsibility : Corporate Wide Security Measures
Have representatives from all of the relevant departments been incorporated into a cross-functional team to build a robust Supply Chain Security Program? Have these new security measures been incorporated into existing
company procedures to create a more sustainable structure that emphasizes that supply chain security is everyone’s responsibility?
Partner Response:
The company has a committee called "Management Supervision Team", it is composed of at least:
a) President or Senior Executive
b) Import-Export Manager (acting as POC)
c) Human Resources Coordinator (Personnel and training responsibilities)
d) Computer Engineer (Cybersecurity responsibilities)
e) Security Analyst (Physical security and Supply Chain Program Coordinator)
g) Warehouse Coordinator (Warehouse and shipping responsibilities).
SCSS Comment :
none

Upper Management Responsibility : Audit Program


Is the supply chain security program designed with, supported by, and implemented by an appropriate written review component? The purpose of this review component is to document that a system is in place whereby personnel
are held accountable for their responsibilities and all security procedures outlined by the security program are being carried out as designed. This is a requirement.
Partner Response:
The company has implemented an “Internal Audit” procedure, which aims to establish the Internal Audit process of the components of the Supply Chain Security and analyze the documents and evidence of the internal processes
in order to verify their correct application and operation and compliance with the responsibilities of the personnel involved. It establishes the steps to follow for this: a) the components to be audited, b) internal auditor profile, c)
audit modalities, d) review process, e) findings and final reports, f) follow-up, as well as the annexes to use in it.
SCSS Comment :
Please upload audit documentation to support your response (security audit reports, completed audit checklists, etc.).

Upper Management Responsibility : Updating Audit Program


Is the review plan updated as needed based on pertinent changes in your organization’s operations and level of risk? This is a requirement.
Partner Response:
The audit process is coordinated by the Supply Chain Security Coordinator on an annual basis, likewise the procedure must be reviewed and updated each year.
SCSS Comment :
none

Upper Management Responsibility : Updates to Management


The role of a company’s upper management in CTPAT is to provide support and oversight to ensure the creation and maintenance of the company’s Supply Chain Security Program. To this end, do the CTPAT point(s) of contact
(POC) provide regular updates regarding the progress or outcomes of any audits, exercises, or validations?
Partner Response:
Yes, the President of the Company is also the head of the "Management Supervision Team"; he is briefed about any incident, activity or issue related to the Supply Chain Security Program by either the POC or the SCP Coordinator.
SCSS Comment :
none

Upper Management Responsibility : POC Requirements


Are the POCs knowledgeable about CTPAT’s program requirements? This is a requirement.
Partner Response:
Company POC is the Import-Export Manager; he has previous knowledge of C-TPAT and OEA (Mexican Supply Chain Security Program). Since the implementation of CTPAT in the company he has been reading materials from
CBP and other sources; also, he is supported by an external consulting firm that has experience in CTPAT implementation and management.
SCSS Comment :
none

Upper Management Responsibility : Statement of Support
In promoting a culture of security, is commitment to supply chain security and the CTPAT program demonstrated through a statement of support? Is the statement signed by a senior company official and displayed in appropriate
company locations?
Partner Response:
The company has a statement of support called "Supply Chain Security Policy" that has been approved by the company's President, and it is published in visible areas of the company such as: entrance, cafeteria, warehouse and other main
areas. Also, the policy is included in the C-TPAT General training that the employees receive annually. A copy of the statement and pictures (HTP-CTPAT-001 Evidence.pdf) are uploaded in the Portal.
SCSS Comment :
none

Risk Assessment : Conduct Risk Assessment


Is the amount of risk in supply chains documented? Has an overall risk assessment (RA) been conducted to identify where security vulnerabilities may exist? Does the RA identify threats, assess risks, and incorporate sustainable
measures to mitigate vulnerabilities? Are CTPAT requirements specific to the role in supply chain taken into account? These are requirements.
Partner Response:
Our Risk Assessment Procedure is based on the suggested C-TPAT 5 Step Risk Assessment; it considers threats, vulnerabilities, findings of internal audits, and a plan to mitigate findings and risks.
SCSS Comment :
none

Risk Assessment : Map Supply Chain


Does the international portion of the risk assessment document or map the movement of cargo throughout the supply chain from the point of origin to the distribution center? Does the mapping include all business partners
involved both directly and indirectly in the exportation/movement of the goods? As applicable, does mapping include documenting how cargo moves in and out of transport facilities/cargo hubs and noting if the cargo is “at rest” at
one of these locations for an extended period of time? Cargo is more vulnerable when “at rest,” waiting to move to the next leg of its journey.
Partner Response:
Yes, the Supply Chain Map includes our business partners from the point at which materials are purchased until they are delivered to our distribution center.
SCSS Comment :
none

Risk Assessment : Annual Review of RA


Are risk assessments reviewed annually, or more frequently as risk factors dictate? This is a requirement.
Partner Response:
Risk Assessment process should be conducted every year.
SCSS Comment :
none

Risk Assessment : Business Resumption


Are written procedures in place that address crisis management, business continuity, security recovery plans, and business resumption?
Partner Response:
The company is in the process of developing a Business Continuity Plan; at this moment we do not have one implemented.
SCSS Comment :
none

Business Partners : Written Screening Process


Is a written, risk based process in place for screening new business partners and for monitoring current partners? This is a requirement.
Partner Response:
The company has a business partner selection procedure where the requirements to be met are established according to two categories: 1) for partners in general, and 2) for partners related to security in the supply chain.
There is also a business partners review procedure, which establishes the monitoring of compliance with security requirements, as well as annual reviews to determine the degree of risk of each of them.
SCSS Comment :
none

Business Partners : MRA


Does the business partner screening process take into account whether a partner is a CTPAT Member or a member in an approved Authorized Economic Operator (AEO) program with a Mutual Recognition Arrangement (MRA)
with the United States (or an approved MRA)? Certification in either CTPAT or an approved AEO is acceptable proof for meeting program requirements for business partners. Is evidence of the certification obtained and are
business partners continuously monitored to ensure they maintain their certification? These are requirements.
Partner Response:
The company requires all those commercial partners certified as C-TPAT or OEA (Mexican Program for Security in the Supply Chain with mutual recognition with the United States) to demonstrate it by presenting a print screen
of the C-TPAT portal screen and to accept being monitored by the company in the C-TPAT Portal, through the SVI of each company. Those certified as AEO must present a copy of the official letter where they are authorized as an AEO
certified company, along with a letter signed by their legal representative in which the current status of the certification is stated.
SCSS Comment :
none

Business Partners : Partners Must Meet Criteria


Where a CTPAT Member outsources or contracts elements of its supply chain, is due diligence exercised (via visits, questionnaires, etc.) to ensure these business partners have security measures in place that meet or exceed
CTPAT’s Minimum Security Criteria (MSC)? This is a requirement.
Partner Response:
The company has a "Business Partner Review" procedure in which it is specified how to verify that the security criteria are met. For this, questionnaires are sent, which are rated with a degree of risk; for those who represent a high
risk, a visit is made in order to verify what is stated in the questionnaire. This verification will be carried out annually.
SCSS Comment :
If you conduct on-site visits to your clients and/or request them to complete a security questionnaire to verify the security measures they have in place, please upload documentation to support your response. Please upload a
copy of a security questionnaire completed by your business partner (highway carrier).

Business Partners : Correcting Weaknesses


If weaknesses are identified during business partners’ security assessments, are they addressed as soon as possible and are corrections implemented in a timely manner? Is it confirmed that deficiencies have been mitigated via
documentary evidence? These are requirements.
Partner Response:
Once the questionnaires have been reviewed or the visit made, the business partner will be informed of the findings, and corrective measures will be requested to be specified in a work plan; according to the due dates, the supply chain security
coordinator will verify whether the corrective measures have been completed, requesting evidence to back up the plan.
SCSS Comment :
Please upload documentation to support your response (ex. corrective action reports issued to supply chain business partners).

Business Partners : Update Partner Assessments
To ensure that business partners continue to comply with CTPAT’s security criteria, are security assessments of business partners updated on a regular basis, or as circumstances/risks dictate?
Partner Response:
The "Business Partner Review" procedure requires the verification to be completed every year; however, if there has been a security breach involving a business partner, the review is required to be completed as soon as possible after the incident.
SCSS Comment :
none

Business Partners : Subcontracted Carriers


For inbound shipments to the United States, if subcontracting transportation services to another highway carrier, is a CTPAT certified highway carrier used or a highway carrier that works directly for the member as delineated
through a written contract? Does the contract stipulate adherence to all minimum security criteria (MSC) requirements? These are requirements.
Partner Response:
Business Partner Selection procedure specifies that it is an essential requirement that in the event that the carriers need to subcontract their transportation services, they can do so as long as the subcontracted carrier is certified
in C-TPAT and has been previously authorized by the company.
SCSS Comment :
none

Business Partners : Forced Labor


Is a documented social compliance program in place that, at a minimum, addresses how the company ensures goods imported into the United States were not mined, produced or manufactured, wholly or in part, with prohibited
forms of labor, e.g., forced, imprisoned, indentured, or indentured child labor?
Partner Response:
Business Partners are required to sign a "Statement of Prohibited Forms of Work", where they express their agreement not to participate in any of the prohibited forms and their recognition of them as unacceptable practices.
SCSS Comment :
none

Procedural Security : Information


Are procedures in place to ensure that all information used in the clearing of merchandise/cargo is legible, complete, accurate, protected against the exchange, loss, or introduction of erroneous information, and reported on time?
This is a requirement.
Partner Response:
All documentation is verified to ensure that the data is correct, from the moment the "export list" is delivered, which is the source document of the information; the other data such as transport and number of stamps are obtained
as needed, verifying that they are correct. The information is sent to the carrier and customs agents via email; once the customs documents are received, they are again verified to ensure their accuracy.
SCSS Comment :
Please upload your written shipping document review procedures to ensure that all information used in the clearing of merchandise/cargo is legible, complete, accurate, and advance manifesting requirements and/or entry
clearance data are reported timely.

Procedural Security : Weight, and Piece Count


Are the weight and piece count accurate? This is a requirement.
Partner Response:
For receipts: the warehouseman compares the quantities recorded in the documents (packing list, purchase order or commercial invoice) against the quantities physically received, then records part numbers and quantities
received in a receipt format (N4-054) and inputs all the information in the plant system.
For shipments: the warehouseman, helped with the "shipping list", supplies the finished product and places it in the shipping area; a quality inspector verifies the product name, lot number, size and quantity, and if they match, the
"shipping list" is released, which is delivered to the import-export area for the customs documentation process.
SCSS Comment :
none

Procedural Security : Shipping Documents, Timely Filing


Does the shipper or its agent ensure that bill of ladings (BOLs) and/or manifests accurately reflect the information provided to the carrier, and do carriers exercise due diligence to ensure these documents are accurate? Are BOLs
and manifests filed with CBP in a timely manner? Does BOL information filed with CBP show the first foreign location/facility where the carrier takes possession of the cargo destined for the United States? These are
requirements.
Partner Response:
The information related to export shipments is provided to carriers and customs agents, once the customs and transport documentation has been prepared, the import-export analyst checks that the information shown in said
documents is correct, the document "ACE Electronic Manifest" and "Inward Cargo Manifest" indicating the shipment data and in the last the recipient of the merchandise in the United States.
SCSS Comment :
none

Procedural Security : Storing Forms


If paper is used, are forms and other import/export related documentation secured to prevent unauthorized use?
Partner Response:
All documents related to export shipments that contain customs and shipment specific information are handled confidentially and are only used when documentation is being prepared or a shipment is scheduled, they are kept
safely to prevent inappropriate use of them.
SCSS Comment :
none

Procedural Security : Staging Cargo Overnight


When cargo is staged overnight, or for an extended period of time, are measures taken to secure the cargo from unauthorized access? This is a requirement.
Partner Response:
The company does not keep conveyances in its facilities, they enter only the same day when there is an export shipment, it does not remain in the facilities for more than the time necessary for loading and documentation, it does
not remain overnight.
SCSS Comment :
none

Procedural Security : Supervise Stuffing


Is the loading/stuffing of cargo into containers/IIT supervised by a security officer/manager or other designated personnel?
Partner Response:
The loading of finished export product is carried out once the transport equipment has been inspected, both activities are supervised by the warehouse manager.
SCSS Comment :
none

Procedural Security : Reconciliation of Cargo and Documents


Is arriving cargo reconciled against information on the cargo manifest? Is departing cargo verified against purchase or delivery orders?
Partner Response:
Yes, receiving cargo is reconciled versus documentation: the warehouseman compares the quantities recorded in the documents (packing list, purchase order or commercial invoice) against the quantities physically received,
then records part numbers and quantities received in a receipt format (N4-054) and inputs all the information in the plant system.
SCSS Comment :
none

Procedural Security : Investigate Anomalies


Are all shortages, overages, and other significant discrepancies or anomalies investigated and resolved, as appropriate? This is a requirement.
Partner Response:
The warehouseman, if he finds discrepancies when verifying the physical quantities against those stated in the documentation, will inform the quality inspector (for his investigation) and the import-export area for follow-up and
correction.
SCSS Comment :
none

Procedural Security : Challenging


Are procedures in place to identify, challenge, and address unauthorized/unidentified persons? Do personnel know the protocol to challenge an unknown/unauthorized person, how to respond to the situation and are they familiar
with the procedure for removing an unauthorized individual from the premises? These are requirements.
Partner Response:
The company has a procedure called "Suspicious Activities and Anomalies Reporting Procedure", which indicates the way in which company personnel must report unauthorized or unidentified people to their supervisor or
security for their investigation and confrontation. Likewise, how to identify suspicious persons (unauthorized / unidentified) is a topic included in the company's general C-TPAT training.
SCSS Comment :
Please upload your written procedures or other supporting documentation addressing unauthorized/unidentified persons entering your facility.

Procedural Security : Written Reporting Procedures


Are written procedures in place for reporting an incident to include a description of the facility’s internal escalation process? Is a notification protocol in place to report any suspicious activities or security incidents that may affect
the security of the member’s supply chain? As applicable, are incidents reported to the SCSS, the closest port of entry, any pertinent law enforcement agencies, and business partners that may be part of the affected supply
chain? Do notification procedures include the accurate contact information that lists the name(s) and phone number(s) of personnel requiring notification, as well as for law enforcement agencies? These are requirements.
Partner Response:
The company has a procedure called "Procedure for Reporting Anomalies and/or Suspicious Activities", which contemplates the way in which anomalies, suspicious activities and incidents related to Supply Chain Security are
reported, within this, it is considered that the POC reports the incident to the corresponding authorities (CBP, CTPAT or Police), thus it also considers that if the incident is related to or affects a business partner, it will notify you of
said situation.
SCSS Comment :
Please upload your written emergency reporting procedures to report security related incidents which include notification to assigned SCSS, local CBP port, and/or other law enforcement agency when necessary. Additionally,
please upload your company's emergency contact information and phone numbers for management personnel, local CBP port, CTPAT/SCSS and other law enforcement agency.

Procedural Security : Notifying CBP


Are notifications to CBP made as soon as feasibly possible and in advance of any conveyance or IIT crossing the border?
Partner Response:
The company, in its procedure called "Procedure for Reporting Anomalies and/or Suspicious Activities", considers that the POC must report the incident to CBP and the C-TPAT assigned specialist. There is a reporting flow, which
states the persons, numbers and e-mails to contact.
SCSS Comment :
none

Procedural Security : Review of Reporting Procedures


Are procedures periodically reviewed to ensure contact information is accurate? This is a requirement.
Partner Response:
The POC is in charge of reviewing the procedure at least every year; however, if a change happens the procedure must be reviewed as soon as possible. 4.2
SCSS Comment :
none

Procedural Security : Anonymous Reporting


Has a mechanism been established to report security related issues anonymously? When an allegation is received, is it investigated, and if applicable, are corrective actions taken?
Partner Response:
Due to the size of the company (in terms of number of employees), the seriousness regarding the incident investigation and the values of the company, anonymous reports are not considered as the proper reporting mechanism;
even so, there is a suggestion box where it is possible to make an anonymous report. There is no specific detailed procedure for anonymous reporting.
SCSS Comment :
none

Procedural Security : Internal Investigations


Are internal investigations performed immediately after an incident? Is the investigation documented? This is a requirement.
Partner Response:
Yes, any incident related to Supply Chain Security must be investigated immediately, for this the company has a procedure called "Incident Investigation procedure" which indicates the process to follow to carry out the
investigation, this being 1) Compilation of information, 2) Interviews with personnel related to the process, 3) Mapping of the logistics chain related to the process, 4) Analysis of the information and the incident, 5) Establishment of
corrective measures and action plan, 6) Incident Report, 7) Report to related Authorities, 8) Follow-up, and 9) Closing and filing of the case.
SCSS Comment :
How is the investigation documented/recorded (what form is used)? Please upload documentation to support your response (sample incident report form, incident log, etc.).

Conveyance and IIT : Secure Storage IIT


Are conveyances and Instruments of International Traffic (IIT) stored in a secure area to prevent unauthorized access, which could result in an alteration to the structure of an Instruments of International Traffic or (as applicable)
allow the seal/doors to be compromised? This is a requirement.
Partner Response:
The company does not keep conveyances in its facilities, they enter only the same day when there is an export shipment, it arrives and is inspected prior to loading, loaded and sealed, and it leaves as soon as possible. It does
not remain in the facilities for more than the time necessary for loading and documentation, it does not remain overnight.
SCSS Comment :
none

Conveyance and IIT : Written Inspection Procedures.
Are written procedures in place for both security and agricultural inspections of IIT? This is a requirement.
Partner Response:
The procedure of "Inspection of Transportation Equipment" includes the way in which said inspection should be carried out, detailing each point to be inspected and the key points in them. Likewise, it includes inspection points
related to the "agricultural inspection". More details about the inspection process are given in point 3 Inspections (58) of this section (Conveyance and IIT).
SCSS Comment :
Please readdress. Briefly explain how security and agricultural inspections are conducted on tractors, trailers, containers, and other conveyances. Also, please upload your written procedures relating to the security and
agricultural inspection conducted on tractors, trailers, containers, and other conveyances.

Conveyance and IIT : Inspections


Prior to loading/stuffing/packing, do all conveyances and empty IIT undergo CTPAT approved security and agricultural inspections to ensure their structures have not been modified to conceal contraband or have not been
contaminated with visible agricultural pests? Is a seven-point inspection on all empty containers and unit load devices (ULD), and an eight-point inspection on all empty refrigerated containers and ULDs conducted prior to
loading/stuffing to include: 1. Front wall; 2. Left side; 3. Right side; 4. Floor; 5. Ceiling/Roof; 6. Inside/outside doors, including the reliability of the locking mechanisms of the doors; 7. Outside/Undercarriage; 8. Fan housing on
refrigerated containers? Do these systematic inspections include: Tractors: 1. Bumper/tires/rims; 2. Doors, tool compartments and locking mechanisms; 3. Battery box; 4. Air breather; 5. Fuel tanks; 6. Interior cab
compartments/sleeper; 7. Faring/roof? Trailers: 1. Fifth wheel area - check natural compartment/skid plate; 2. Exterior - front/sides; 3. Rear - bumper/doors; 4. Front wall; 5. Left side; 6. Right side; 7. Floor; 8. Ceiling/roof; 9.
Inside/outside doors and locking mechanisms; 10. Outside/Undercarriage? These are requirements.
Partner Response:
The company has a procedure for "Inspection of Transportation Equipment" in which the types of transportation equipment used are indicated, the points that should be inspected in them (a total of 11 plus 2 related to agriculture),
at each point details are made regarding what should be reviewed as well as the key points in them. The equipment that the company uses to transport its goods is 20' Straight Trucks, the inspection considers the following points:
1) Defense, 2) Engine compartment, 3) Tires, 4) Cabin floor, 5) Fuel tank, 6) Inside cabin, 7) Outside floor, 8) Box door, 9) Inside box floor, 10 and 12 Interior walls, and 11 Interior ceiling. Additionally, it is verified that it does not
contain residues, pests, fungi, soil or water. Box cleaning should be done prior to loading. When an anomaly is detected, a change of equipment is requested. The corresponding procedure is attached.
SCSS Comment :
none

Conveyance and IIT : Hardware


Are conveyances and IIT (as appropriate) equipped with external hardware that can reasonably withstand attempts to remove it? Are the doors, handles, rods, hasps, rivets, brackets, and all other parts of a container’s locking
mechanism fully inspected to detect tampering and any hardware inconsistencies prior to the attachment of any sealing device? These are requirements.
Partner Response:
During the "Inspection of Transportation Equipment", in the point referring to the Door (8), it is indicated that the closing mechanism should also be checked, verifying that it is complete, in working condition (without exposed
screws or loose parts for easy removal). Additionally, during the placement of the security seal, the closing mechanism is re-inspected.
SCSS Comment :
none

Conveyance and IIT : Clean if Pests Found


If visible pest contamination is found during the conveyance/IIT inspection, is washing/vacuuming carried out to remove such contamination? Is documentation retained for one year to demonstrate compliance with these
inspection requirements? These are requirements.
Partner Response:
The company asks its carrier to send only equipment that is clean, during the pre-loading inspection, if any form of light dirt is detected, the equipment is lightly cleaned (swept), if the equipment is not clean or the dirt is deeper, a
change of equipment is requested. When a cleaning is done it is recorded in the "Record of Cleaning of Transport Equipment" format (5.14/5.15)
SCSS Comment :
none

Conveyance and IIT : Inspections at Yards
Are inspections of conveyances and IIT systematic and are they conducted at conveyance storage yards? Where feasible, are inspections conducted upon entering and departing the storage yards and at the point of
loading/stuffing? These are requirements.
Partner Response:
The company does not keep transportation equipment in its facilities, only when there is an export shipment is equipment received, when it enters the plant it is inspected prior to loading, the inspection is carried out in a place
designated for it, because once loaded and dispatched the shipment goes directly to the export customs, no additional checks are made in other places.
SCSS Comment :
none

Conveyance and IIT : Inspections in Secure Area


Are security inspections performed in an area of controlled access and, if available, monitored via a CCTV system?
Partner Response:
The inspection of conveyance for export is carried out in an area designated for it, this area is covered by cameras of the CCTV system which allows the visibility of the inspection.
SCSS Comment :
none

Conveyance and IIT : Checklist


Is the inspection of all conveyances and IIT recorded on a checklist? Are the following elements documented on the checklist: container/trailer/instruments of international traffic number, date of inspection, time of inspection,
name of employee conducting the inspection, and specific areas of the instruments of international traffic that were inspected?
Partner Response:
Each time an inspection is made to the transport equipment, a record of it is made in the format "Inspection of Equipment of Transport and Verification of Seals", in which are indicated among others: inspection points, date, seal
number, truck number, driver's name, name and signature of the person conducting the inspection, and observations.
SCSS Comment :
Please upload a sample of a completed inspection checklist that records the tractor/trailer number, date of inspection, time of inspection, name of employee conducting the inspection, and specific areas inspected on the tractor
and trailer.

Conveyance and IIT : Supervisor’s Signature


If the inspections are supervised, does the supervisor also sign the checklist?
Partner Response:
Each time an inspection is made to the transport equipment, a record of it is made in the format "Inspection of Means of Transport and Verification of Stamps", in which are indicated among others: inspection points, date, truck
number, driver's name, name and signature of the person conducting the inspection, and observations.
SCSS Comment :
none

Conveyance and IIT : Checklist & Shipping Docs


Is the completed container/IIT inspection sheet part of the shipping documentation packet? Does the consignee receive the complete shipping documentation packet prior to receiving the merchandise?
Partner Response:
The document "Inspection of Transportation Equipment and Verification of Seals" where the inspection is evidenced is not included in the package of documents of the export shipment, this document is internal and is not sent to
the recipient unless specifically requested.
SCSS Comment :
none

Conveyance and IIT : Management Surprise Inspections


Based on risk, does management conduct random searches of conveyances after the transportation staff have conducted conveyance/IIT inspections? Are searches of the conveyance done periodically, with a higher frequency
based on risk? Are the searches conducted at random without warning, so they will not become predictable?
Partner Response:
Based on the low risk of export shipments due to their proximity to the exit customs, as well as their frequency (average of 1 per week), no additional or surprise inspection is carried out. Randomly, the import-export manager or
supply chain security coordinator oversees regular inspections within the plant.
SCSS Comment :
none

Conveyance and IIT : Location of Management Searches


Are inspections conducted at various locations where the conveyance is susceptible: the carrier yard, after the truck has been loaded, and en route to the United States border?
Partner Response:
No additional inspection is carried out due to the proximity to the exit customs facilities.
SCSS Comment :
none

Conveyance and IIT : Written Seal Procedures


Are written high security seal procedures in place that describe how seals are issued and controlled at the facility and during transit? Are procedures in place that provide the steps to take if a seal is found to be altered, tampered
with, or has the incorrect seal number to include documentation of the event, communication protocols to partners, and investigation of the incident? Are the findings from the investigation documented, and any corrective actions
implemented as quickly as possible? Do written seal controls include the following elements? Controlling access to seals: management of seals is restricted to authorized personnel, secure storage, inventory, distribution, &
tracking (seal log), recording the receipt of new seals, issuance of seals recorded in log, track seals via the log, and only trained, authorized personnel may affix seals to instruments of international traffic (IIT). Controlling seals in
transit: when picking up sealed IIT (or after stopping), verify the seal is intact with no signs of tampering, confirm the seal number matches what is noted on the shipping documents, Seals broken in transit: if load examined--
record replacement seal number, the driver must immediately notify dispatch when a seal is broken, indicate who broke it, and provide the new seal number; the carrier must immediately notify the shipper, broker, and importer of
the seal change, and the replacement seal number; and the shipper must note the replacement seal number in the seal log. Seal discrepancies: hold any seal discovered to be altered or tampered with to aid in the investigation,
Investigate the discrepancy, follow-up with corrective measures (if warranted), and as applicable, report compromised seals to CBP and the appropriate foreign government to aid in the investigation. These are requirements.
Partner Response:
The company has a procedure called "Seal Control", which specifies the way in which high security seals are: a) purchased and confirmed that it complies with the 17712 standard, b) receipt and control of seals, c) assignment of
seals for shipments, and d) report of lost, suspicious or altered seals. There is a seal control log, where the seals that arrive and those that are assigned to each export shipment are recorded.
SCSS Comment :
Please readdress and briefly explain how seals are controlled or stored (if seals are maintained at your facility), installation process, seal verification, and reporting procedures. Also, upload your documented seal security
procedures. Please upload your written seal control, issuance, installation, verification, and reporting procedures

Conveyance and IIT : Annual Review


Are procedures reviewed at least once a year and updated as necessary? This is a requirement.
Partner Response:
All the procedures that are part of the Supply Chain Security System (CTPAT), including the "Control of Seals", must be reviewed annually or updated when there is any change or specific requirement.
SCSS Comment :
none

Conveyance and IIT : Local Level, Procedures


Are written procedures maintained at the local, operating level so that they are easily accessible? This is a requirement.
Partner Response:
All procedures related to the supply chain security, and specifically those of control of seals, are in charge of the supply chain security coordinator, and they are provided to the personnel who perform related activities; training
is also provided to all personnel involved in such procedures.
SCSS Comment :
none

Conveyance and IIT : ISO Seals


Are all CTPAT shipments that can be sealed secured immediately after loading/stuffing/packing by the responsible party (e.g. the shipper or packer acting on the shippers behalf) with a high security seal that meets or exceeds
the most current International Standardization Organization (ISO) 17712 standard for high security seals? Qualifying cable and bolt seals are both acceptable. Are seals securely and properly affixed to IIT that are transporting
CTPAT members’ cargo to/from the United States? There are requirements.
Partner Response:
"The company uses 20' Straight Trucks for most of its export shipments; on a few occasions it uses 40' Dry Van Trailers or Panels. All of them have a locking mechanism to properly affix a high security seal according to our procedures.
The high security seals that our company uses are “high security bolt seals”, ISO/PAS 17712 certified."
SCSS Comment :
none

Conveyance and IIT : VVTT


Is CTPAT’s seal verification process followed to ensure all high security seals (bolt/cable) have been affixed properly to IIT, and are operating as designed? The procedure is known as the VVTT process: V – View seal and
container locking mechanisms; ensure they are OK; V – Verify seal number against shipment documents for accuracy; T – Tug on seal to make sure it is affixed properly; T – Twist and turn the bolt seal to make sure its
components do not unscrew, separate from one another, or any part of the seal becomes loose. This is a requirement.
Partner Response:
The company has a "Seal Placement" procedure, which indicates how to place the seal in the means of transport using the VVTT method, as well as the verification of the hardware of the closing mechanism. This verification will
be recorded in the form "Inspection of Means of Transportation and Verification of Stamps".
SCSS Comment :
Please upload written seal verification procedures that indicate the CTPAT VVTT seal verification process, or specific training provided to employees relating to the CTPAT VVTT seal verification process.

Conveyance and IIT : Document ISO Compliance


Is it documented that the high security seals either meet or exceed the most current ISO 17712 standard? This is a requirement.
Partner Response:
The purchasing area of the company requests the supplier the certificate of compliance with the ISO PAS 17712 standard, also attaching a declaration signed by the supplier that the seals supplied are covered by said certificate.
The company maintains the inventory of seals in a safe place and registered in a security seal control log.
SCSS Comment :
Please upload seal certification indicating that seals used meet or exceed the most current ISO 17712 standards.

Conveyance and IIT : Digital Photos


As documented evidence of the properly installed seal, are digital photographs taken at the point of stuffing?
Partner Response:
No photographs are taken of the shipment or the loading, inspection or sealing process, but video of the CCTV is available.
SCSS Comment :
none

Conveyance and IIT : Forward Photos


To the extent feasible, are these *images electronically forwarded to the destination for verification purposes? *photographs taken at the point of stuffing.
Partner Response:
No, the company does not have pictures of the shipment or the loading, inspection or sealing process.
SCSS Comment :
none

Conveyance and IIT : BOL & Seal Number


Are seal numbers electronically printed on the bill of lading or other shipping documents?
Partner Response:
The security seal number is printed on the export invoice, as well as on the following documents: Mexican Customs Process Operation Document (DODA), Mexican Customs Declaration (Pedimento), ACE Electronic Manifest,
and Inward Cargo Manifest (Entry).
SCSS Comment :
none

Conveyance and IIT : Transmit Seal Numbers to Consignee


Are seal numbers assigned to specific shipments transmitted to the consignee prior to departure?
Partner Response:
Yes, the Import-Export Analyst advises the corporate (receipts) of the shipment data, including the seal number used in the shipment.
SCSS Comment :
none

Conveyance and IIT : Seal Audits


If an inventory of seals is maintained, does company management or a security supervisor conduct audits of seals that includes periodic inventory of stored seals and reconciliation against seal inventory logs and shipping
documents? Are all audits documented? As part of the overall seal audit process, do dock supervisors and/or warehouse managers periodically verify seal numbers used on conveyances and IIT? These are requirements.
Partner Response:
The Import-Export Manager makes a quarterly review of the seals in existence against the "Security Seal Control Log", in order to verify that the inventory is correct and the log is properly filled out.
The Import-Export Manager performs every two months, in a random manner, a review of the security seal already placed on the means of transport against the documentation, in order to verify that the data is correct of the seal
number physically placed against the number of documented seal.
SCSS Comment :
Please upload supporting documentation relating to seal audits (audit log or report).

Conveyance and IIT : Members Tracking Conveyances


Is there a mechanism in place to work with transportation providers to track conveyances from origin to final destination point? Are specific requirements for tracking, reporting, and sharing of data incorporated within terms of
service agreements with service providers?
Partner Response:
It is the policy of the company to work with carriers that are certified in C-TPAT and that have the ability to track their shipments by GPS. The carrier has therefore granted access to its GPS and tracking process and, from this, the
company developed its own procedure for tracking shipments from origin to destination. The main responsibility for monitoring lies with the carrier; however, the company makes a confirmation by following up live on one shipment a week,
noting everything in a confirmation log.
SCSS Comment :
none

Conveyance and IIT : Access to GPS


Is there a mechanism in place to access the carrier’s GPS fleet monitoring system to track the movement of shipments?
Partner Response:
The carrier has granted the company access to the GPS system, so it can be entered at any time to verify the movement of the company's loaded units. Additionally, the import-export analyst must follow up live on
one shipment each week, recording all the tracking in a log. The shipment tracking procedure is based on information from both the carrier and the company.
SCSS Comment :
none

Conveyance and IIT : Notify Partners of Threat


If a credible (or detected) threat to the security of a shipment or conveyance is discovered, are business partners in the supply chain that may be affected and any law enforcement agencies alerted (as soon as feasibly possible),
as appropriate? This is a requirement.
Partner Response:
The company has a procedure called "Procedure for Reporting Anomalies and/or Suspicious Activities", which contemplates the way in which anomalies, suspicious activities and incidents related to Supply Chain Security are
reported. Within this, it is considered that the POC reports the incident to the corresponding authorities (CBP, CTPAT or Police); it also considers that if the incident is related to or affects a business partner, the partner will be notified of
said situation.
SCSS Comment :
none

Conveyance and IIT : No Stop Policy


For land border shipments that are in proximity to the United States border, is a “no-stop” policy implemented with regard to unscheduled stops?
Partner Response:
The company, in conjunction with the carrier, has established transport routes which must be followed precisely by the operator. The procedure indicates that during the journey unauthorized stops should not be made; in case of
an emergency in which a stop has to be made, the operator must notify the carrier's office and receive instructions according to the situation.
SCSS Comment :
none

Conveyance and IIT : Pre-border Inspection


In areas of high risk, and immediately prior to arrival at the border crossing, is a “last chance,” verification process incorporated for U.S. bound shipments for checking conveyances/IIT for signs of tampering to include visual
inspections of conveyances and the VVTT seal verification process? Do properly trained individuals conduct the inspections? V – View seal and container locking mechanisms; ensure they are OK; V – Verify seal number against
shipment documents for accuracy; T – Tug on seal to make sure it is affixed properly; T – Twist and turn the bolt seal to make sure its components do not unscrew, separate from one another, or any part of the seal becomes
loose.
Partner Response:
Due to their proximity to the exit customs no “last chance” verification is made.
SCSS Comment :
none

Agricultural Procedures : Written procedures


In accordance with the applicable business model, are there written procedures in place that are designed to prevent visible pest contamination to include compliance with Wood Packaging Materials (WPM) regulations? Do
measures regarding WPM meet the International Plant Protection Convention’s (IPPC) International Standards for Phytosanitary Measures No. 15 (ISPM 15)? This is a requirement.
Partner Response:
The company uses wooden pallets for its shipments, it is required to use only pallets certified with phytosanitary seal and certified in writing from the supplier.
SCSS Comment :
none

Agricultural Procedures : Implement Pest Prevention


Are visible pest prevention measures adhered to throughout the supply chain? This is a requirement.
Partner Response:
The purchase of wooden pallets is exclusively from suppliers that comply with the certification. The carriers are asked that the transport equipment they send is clean (otherwise a change of equipment is requested), both have
been explained that they are seeking to comply with the prevention measures for pests and agricultural contamination.
SCSS Comment :
none

Agricultural Procedures : Cargo Staging Areas Pest Inspection


Are cargo staging areas, and the immediate surrounding areas, inspected on a regular basis to ensure these areas remain free of visible pest contamination? This is a requirement.
Partner Response:
The company has a preparation area for outbound shipments, this area remains free when not in use, the area is fumigated (internal and external) to avoid pests and insects on a monthly basis, as well as cleaned on a regular
basis.
SCSS Comment :
none

Physical Security : Physical Deterrents


Are there physical barriers and/or deterrents in place to prevent unauthorized access to offices, trailer yards, cargo handling and storage facilities? This is a requirement.
Partner Response:
The company's facilities consist of a set of industrial buildings together without external corridors between them in two rows facing each other with a patio in the middle which is used as parking and loading and unloading
platforms, in front there is an access (which is the only one) with a metal fence with entrances for vehicles and pedestrians with a security booth controlled by a guard (7/24), in the background there is a fence built of concrete
blocks which does not allow access.
SCSS Comment :
none

Physical Security : Perimeter Fencing


Does perimeter fencing enclose the areas around cargo handling and storage facilities?
Partner Response:
Yes, cargo handling areas (receiving and shipping) are within the fenced area of the premises.
SCSS Comment :
none

Physical Security : Interior Fencing


If a facility handles cargo, is interior fencing used to secure cargo and cargo handling areas? Based on risk, does additional interior fencing segregate various types of cargo such as domestic, international, high value, and/or
hazardous materials?
Partner Response:
Due to the size of the warehouse as well as the size of the company products, no interior fence is in place. The company does not handle valuable materials. Hazardous materials are in small quantities and are stored in special cabinets.
SCSS Comment :
none

Physical Security : Inspecting Fencing


Is fencing regularly inspected for integrity and damage by designated personnel?
Partner Response:
The security guard (due to the proximity with the fence) notifies the maintenance department of any deterioration or necessary maintenance to the front fence of the company. The rear wall is verified by the administration of the
industrial park in which the plant is located.
SCSS Comment :
none

Physical Security : Repairing Fencing


If damage is found in the fencing, are repairs made as soon as possible?
Partner Response:
Once a damage or alteration is found, the security guard notifies the maintenance department for its repair, repair is made as soon as possible.
SCSS Comment :
none

Physical Security : Gates


Are gates where vehicles and/or personnel enter or exit (as well as other points of ingress/egress) manned or monitored? This is a requirement.
Partner Response:
Access to the facilities is through a vehicular gate and a pedestrian gate, both are permanently controlled by a security guard located in a booth. The accesses of employees and visitors are specified in the access procedures and
in the instructions for the security guards.
SCSS Comment :
none

Physical Security : Parking


Are private passenger vehicles prohibited from parking in or adjacent to cargo handling and storage areas, and conveyances?
Partner Response:
Due to the space limitations of the premises, private vehicles are parked inside and close to the receiving and shipping docks; however, the company does not maintain any loaded or unloaded conveyance overnight, conveyances are
allowed only to deliver or pick up goods, and the shipping and receiving docks are covered by the CCTV system.
SCSS Comment :
none

Physical Security : Lighting


Is adequate lighting provided inside and outside the facility including, as appropriate, the following areas: entrances and exits, cargo handling and storage areas, fence lines, and parking areas? This is a requirement.
Partner Response:
The company has adequate internal and external lighting, such lighting allows adequate identification of people and vehicles at a sufficient distance mainly all in the areas of access, parking, warehouses and loading and
unloading platforms.
SCSS Comment :
none

Physical Security : Security Technology


Is Security Technology utilized to monitor the premises and prevent unauthorized access to sensitive areas?
Partner Response:
The company has an alarm system connected to an external monitoring center, as well as a closed circuit television (CCTV) system that covers the most critical areas of the company.
SCSS Comment :
none

Physical Security : Recommend cameras


Do cameras monitor the facility’s premises and sensitive areas to deter unauthorized access?
Partner Response:
The company's CCTV system consists of a 32-port digital video recorder (DVR) for wired connection and up to 30 extra cameras with IP connection. In operation there are 35 cameras (31 with cable and 4 with IP), there are 3
monitors where the images of the cameras are displayed, and 2 electrical power backup units.
SCSS Comment :
none

Physical Security : Recommend alarms


Are alarms used to alert unauthorized access into sensitive areas?
Partner Response:
The company has an alarm system, which is composed of door and window opening sensors, motion sensors, emergency levers, smoke detectors, and panic buttons, the system is connected to a monitoring center.
SCSS Comment :
none

Physical Security : Written Procedures, Cameras and Alarms


If relying on security technology for physical security, are there written policies and procedures governing the use, maintenance, and protection of this technology? At a minimum, do these policies and procedures stipulate: How
access to the locations where the technology is controlled/managed or where its hardware (control panels, video recording units, etc.) is kept, is limited to authorized personnel? The procedures that have been implemented to
test/inspect the technology on a regular basis? That the inspections include verifications that all of the equipment is working properly, and if applicable, that the equipment is positioned correctly? That the results of the inspections
and performance testing is documented? That if corrective actions are necessary, these are to be implemented as soon as possible and that the corrective actions taken are documented? That the documented results of these
inspections be maintained for a sufficient time for audit purposes? These are requirements.
Partner Response:
The security systems and their software are governed by the policies and procedures of the information technology area; these policies and procedures are reviewed annually to ensure they are up to date.
SCSS Comment :
Please briefly address the following: Are access control panels, video recording units, etc. limited to authorized personnel? Are there written procedures that have been implemented to test/inspect security technology systems
(cameras, alarm systems, access control badge readers, etc.) on a regular basis? Do inspections include verifications that all of the equipment is working properly, and if applicable, that the equipment is positioned correctly? Are
results of the inspections and performance testing documented? If corrective actions are necessary, are they implemented as soon as possible? Are corrective actions taken documented? Are results of these inspections
maintained for a sufficient time for audit purposes? Please upload your written procedures, policies, and/or other supporting documentation relating to the use, maintenance, inspection, and protection of security technology
systems or equipment such as alarms, surveillance cameras, electronic access control devices, etc. (ex. maintenance logs conducted on video cameras, alarms, and other security technology; audit records maintained on security
equipment; operation procedures/manuals, etc.).

Physical Security : Annual Policy Review


Are security technology policies and procedures reviewed and updated annually, or more frequently, as risk or circumstances dictate? This is a requirement.
Partner Response:
The security systems and their software are governed by the policies and procedures of the information technology area; these policies and procedures are reviewed annually to ensure they are up to date.
SCSS Comment :
none

Physical Security : 3rd Party Monitoring, Written Procedures


If a third party central monitoring station (off-site) is utilized, does the CTPAT Member have written procedures stipulating critical systems functionality and authentication protocols such as (but not limited to) security code
changes, adding or subtracting authorized personnel, password revisions(s), and systems access or denial(s)?
Partner Response:
The alarm system of the company is monitored by an external security central, in case of any security alert, the central communicates with the police and with company executives, the security company follows normal
surveillance standards and report.
SCSS Comment :
none

Physical Security : Use Licensed Resources


Are licensed/certified resources utilized when considering the design and installation of security technology?
Partner Response:
All technology systems and equipment used in alarm and CCTV systems are purchased from authorized distributors and are duly covered by the corresponding licenses when applicable.
SCSS Comment :
none

Physical Security : Secure Equipment


Is all security technology infrastructure physically secured from unauthorized access? This is a requirement.
Partner Response:
The essential components of the CCTV system (recording center) are located in a special room, it is locked and has restricted access and is in charge of the information technology area.
SCSS Comment :
none

Physical Security : Alternate Power Source


Are security technology systems configured with an alternative power source that will allow the systems to continue to operate in the event of an unexpected loss of direct power?
Partner Response:
The company's CCTV system is backed by two alternating power units (UPS) that mainly protect when there is loss of normal power.
SCSS Comment :
none

Physical Security : Alarm Notification


If camera systems are deployed, do cameras have an alarm/notification feature, which would signal a “failure to operate/record” condition?
Partner Response:
The company has a CCTV system which has video cameras, the system does not specifically alert when a camera fails, however, it is very visible when a camera fails, since the image is lost on the monitoring screens.
SCSS Comment :
none

Physical Security : Positioning Cameras


If camera systems are deployed, are cameras positioned to cover key areas of facilities that pertain to the import/export process? This is a requirement.
Partner Response:
The CCTV system provides coverage with its cameras in the main areas of the company, specifically it covers the main access from the street to the plant, all access to the plants, covers the loading and unloading platforms, the
warehouse area, dining room, main corridors and production areas.
SCSS Comment :
none

Physical Security : Picture Quality


Are cameras programmed to record at the highest picture quality setting reasonably available, and be set to record on a 24/7 basis?
Partner Response:
The cameras of the CCTV system are configured to record at the maximum resolution they provide, the cameras record 24 hours continuously.
SCSS Comment :
none

Physical Security : Maintain Footage


If cameras are being used, are recordings of footage covering key import/export processes maintained for a sufficient time for a monitored shipment to allow an investigation to be completed?
Partner Response:
The digital video recorder (DVR) has enough capacity to keep recording for 30 days.
SCSS Comment :
none

Physical Security : Audit Footage


If camera systems are deployed, are periodic, random reviews of the camera footage conducted (by management, security, or other designated personnel) to verify that cargo security procedures are being properly followed in
accordance with law? Are results of the reviews summarized in writing to include any corrective actions taken? Are the results maintained for a sufficient time for audit purposes?
Partner Response:
The systems engineer, on a monthly and random basis, verifies the integrity of the video recordings, especially the recordings of accesses, warehouses and cargo areas are reviewed.
SCSS Comment :
none

Access Controls : ID badges


Are there written procedures governing how identification badges and access devices are granted, changed, and removed? This is a requirement.
Partner Response:
The company has a procedure called "Employee Identification", in which it has the guidelines for the correct identification of employees when accessing and staying at the facilities, indicating the areas in which they can have
access. As well as indicate the process to control the proper delivery and return of badges, access keys, etc., as well as their proper registration.
SCSS Comment :
Please briefly explain your answer. How are employee IDs and/or access devices issued? Please upload written procedures relating to how identification badges and access devices are granted, changed, and removed.

Access Controls : ID system


Where applicable, is a personnel identification system in place for positive identification and access control purposes? This is a requirement.
Partner Response:
The system that the company uses to identify employees is through badges that must be worn in plain sight.
SCSS Comment :
none

Access Controls : Restrict Access


Is access to sensitive areas restricted based on job description or assigned duties? This is a requirement.
Partner Response:
Within the facilities, all employees must wear their respective badge, regardless of whether they are temporary or permanent employees, restricted access areas are indicated visually and only employees who work there, or those
authorized to enter them are allowed access and stay, the area supervisor is in charge of maintaining control over it.
SCSS Comment :
none

Access Controls : Remove Access


Does removal of access devices take place upon the employee’s separation from the company? This is a requirement.
Partner Response:
When an employee resigns or is fired, the Human Resources department will withdraw badges, this will be recorded in the format "Return of Equipment".
SCSS Comment :
none

Access Controls : Subject to Search


Are individuals and vehicles subject to search in accordance with local and labor laws?
Partner Response:
The entry of vehicles into the plant is controlled by the security guard, who indicates where to park and gives the visitor an identification badge. When the visit has concluded and the visitor leaves, the
security guard must inspect the trunk and interior of the vehicle to make sure that no material or merchandise belonging to the company is being removed. Once the vehicle has been checked, the visitor must return the
badge, which will be exchanged for their identification.
SCSS Comment :
none

Access Controls : Photo ID & Visitor Log


Do visitors, vendors and service providers present photo identification upon arrival? Is a log maintained that records the details of the visit? Does the registration log include the following: date of the visit, visitor’s name,
verification of photo identification (type verified such as license or national ID card)? Frequent, well known visitors such as regular vendors may forego the photo identification, but are they still logged in and out of the facility,
including time of arrival, company point of contact and time of departure? These are requirements.
Partner Response:
Once the visitor's entry is authorized, they proceed to register in the access control log indicating the following: Name, Date, Reason for visit, Type of identification provided, Time of entry / Time of exit, and Signature of the visitor.
They must provide an official photo identification, and the security guard in exchange will give them a visitor's badge, requesting to wear it in a visible place. All visitors regardless of the frequency of visits they make to the
company must register each time.
SCSS Comment :
Please upload a copy of your visitor registration log or screenshot of your electronic visitor log (visitor management system).

Access Controls : Visitor ID


In addition, are all visitors and service providers issued temporary identification?
Partner Response:
The Security Guard provides the visitors with a "Visitor Badge" in exchange for their official photo ID.
SCSS Comment :
none

Access Controls : Display Temp ID


If temporary identification is used, is it visibly displayed at all times during the visit? This is a requirement.
Partner Response:
All visitors and providers (as well as commercial drivers) are required to wear the "Visitor Badge" in a visible place while in the company premises.
SCSS Comment :
none

Access Controls : Escort Visitors


Are all visitors escorted?
Partner Response:
All visitors will be given directions by the Security Guard to meet their host; the host will be with the visitor at all times. The visitor cannot go alone at any moment.
SCSS Comment :
none

Access Controls : Pick Ups by Appointments


Where operationally feasible, are deliveries and pickups allowed by appointment only?
Partner Response:
The Import-Export department controls the transportation; due to the low volume of shipments, it is well known by the import-export personnel when deliveries and pickups will be made, and a heads up is given to the Security Guard to be
aware.
SCSS Comment :
none

Access Controls : Driver Pickup Details


Prior to arrival, does the carrier notify the facility of the estimated time of arrival for the scheduled pick up, the name of the driver, and truck number?
Partner Response:
No official prior notification from the carrier is required; however, as explained previously (in 148): "it is well known by the import-export personnel when deliveries and pickups will be made, and a heads up is given to the Security Guard
to be aware".
SCSS Comment :
none

Access Controls : Driver Identification


Are drivers delivering or receiving cargo positively identified before cargo is received or released? Do drivers present government-issued photo identification to the facility employee granting access to verify their identity? If
presenting a government-issued photo identification is not feasible, the facility employee may accept a recognizable form of photo identification issued by the highway carrier company that employs the driver picking up the load.
These are requirements.
Partner Response:
The drivers of transportation carriers undergo the visitor entry procedure, being required to present an official photo identification, identification of their company, and their entry is only authorized after confirmation with the import-
export department.
SCSS Comment :
none

Access Controls : Cargo Pickup Log


Is a cargo pickup log kept to register drivers and record the details of their conveyances when picking up cargo? When drivers arrive to pick up cargo at a facility, does a facility employee register them in the cargo pickup log?
Upon departure, are drivers logged out? Is the cargo log kept secured and are drivers not allowed access to it? These are requirements.
Partner Response:
The drivers of the commercial means of transport undergo the visitor entry procedure, they must provide an official photo ID and the Security Guard requests entry authorization, and is given a badge by the company.
SCSS Comment :
Does your company utilize a driver's log to record the details of their truck/trailer when picking up or dropping off cargo? If so, please indicate. Please upload a copy of your cargo pick up/delivery log where driver and cargo
information are recorded.

Access Controls : Cargo Pickup Log Details


Does the cargo pickup log have the following items recorded: driver’s name, date, time of arrival, employer, truck number, trailer number, time of departure, and the seal number affixed to the shipment at the time of departure?
Partner Response:
Access control log indicating the following: Name, Date, Reason for visit, Type of identification provided, Time of entry / Time of exit, and Signature of the driver.
SCSS Comment :
none

Access Controls : Packages


Are arriving packages and mail periodically screened for contraband before being admitted?
Partner Response:
"The company has a procedure that establishes the process for receiving and reviewing packages, as well as the identification, handling and reporting of suspicious packages.
Only packages are received from recognized companies, and the courier must identify himself with a company badge and official photo identification, it must be verified that the package does not present suspicious characteristics
(visual aid is available for this) and suspicious packages will be rejected and the authorities will be notified as appropriate.
Visual aid includes checking: Recipient (that the recipient belongs to the company), Condition of the package, Strange odors in the package, Check for moisture or liquid spillage in the package, General aspects of the package
and any other visible irregularities."
SCSS Comment :
none

Access Controls : Written Guard Policies


If security guards are used, are work instructions for security guards contained in written policies and procedures? This is a requirement.
Partner Response:
The company has a document called "HTP Instructions for Security Guard", which indicates the directives that the security guard must follow to carry out their duties. These directives include access control activities for both
employees and visitors, vehicle access control and surveillance in general.
SCSS Comment :
Please upload written work instructions and/or patrol orders for security guards.

Access Controls : Management Audits of Guards


Does management periodically verify compliance and appropriateness with these procedures through audits and policy reviews? This is a requirement.
Partner Response:
The Security Analyst of the company is in charge of the operation of the security guards, additionally a manager is the analyst's supervisor who performs random activities to verify the activities of both the analyst and the security
guards.
SCSS Comment :
none

Personnel Security : Applicant’s Information


What are the written procedures for screening prospective employees and for performing checks on current employees? Is application information, such as employment history and references, verified prior to employment, to the
extent possible and allowed under the law? This is a requirement.
Partner Response:
In the Human Resources procedure, it is indicated that for Administrative Positions and Sensitive Positions work references must be requested, the human resources assistant will make said verification, noting in the job
application or curriculum vitae the evidence of said references.
SCSS Comment :
Please upload your written employee hiring procedures.

Personnel Security : Background Checks


In accordance with applicable legal limitations, and the availability of criminal record databases, are employee background screenings conducted? Are results of background checks factored in, as permitted by local statutes, in
making hiring decisions? Does employee background screening include verification of the employee’s identity and criminal history that encompass city, state, provincial, and country databases? Background checks are not limited
to verification of identity and criminal records. In areas of greater risk, more in depth investigations may be warranted.
Partner Response:
Background checks are performed for the Positions that are related to the material and financial assets of the company, as well as for Sensitive Positions, a home visit must be made, requesting personal references, work letters,
and a non-criminal background letter. (HT-0012, 4.2.6, 5.4.2)
SCSS Comment :
none

Personnel Security : Contractors


Based on the sensitivity of the position, do employee vetting requirements extend to temporary workforce and contractors?
Partner Response:
The company only hires employees directly, it does not use outsourced personnel from other companies.
SCSS Comment :
none

Personnel Security : Reinvestigations


Once employed, are periodic reinvestigations performed based on cause, and/or the sensitivity of the employee’s position?
Partner Response:
Yes, for sensitive positions, a verification is made by requesting again to present a letter of no criminal record and a home visit.
SCSS Comment :
none

Personnel Security : Code of Conduct


Is there an Employee Code of Conduct that includes expectations and defines acceptable behaviors? Are employees and contractors required to acknowledge that they have read and understand the Code of Conduct? This is a
requirement.
Partner Response:
The company has internal work regulations that indicate the company's processes towards the employee, the expectations of employee behavior and benefits, among others. These regulations are made known to them during the
induction process to the company and the new employee must sign a document of receipt and understanding of said regulations.
SCSS Comment :
Please upload Employee Code of Conduct or other supporting documentation that stipulates company expectations and acceptable behavior for employees.

Education and Training : Overall Training Program


One of the key aspects of a security program is training. Is a security training and awareness program in place and maintained to recognize and foster awareness of the security vulnerabilities to facilities, conveyances, and cargo
at each point in the supply chain, which could be exploited by terrorists or contraband smugglers? This is a requirement.
Partner Response:
"The company has implemented a safety training program. The program includes the following elements: promotion, training and dissemination. Training is established at 3 levels: general training, specialized training, and
inspection training.
It consists of the diverse training of employees, it is carried out in three caps:
a) General, for all personnel regardless of their position. Its objective is to provide general information to all company personnel.
b) Special, specific training for personnel in sensitive areas related to security and which are:
- Receipts and shipments (1);
- Plant security (2);
- Import-Export (3);
- People with access to computer systems (4) must teach systems.
c) Inspection of means of transport, where personnel from the shipping area, drivers of the means of transport and security guards participate (5)."
SCSS Comment :
none

Education and Training : General Security Training


Employees who understand why security measures are in place are more likely to adhere to them. Is security training provided to employees, as required based on their functions and position, on a regular basis? Do newly hired
employees receive this training as part of their orientation/job skills training? Is the training program comprehensive and does it cover all of CTPAT’s security requirements? This is a requirement.
Partner Response:
All company personnel must take General training; additionally, employees in positions determined as sensitive (Receipts and shipments, security, import-export and systems) must take more specialized training.
SCSS Comment :
Please upload specific training as it relates to supply chain security or CTPAT security requirements provided to employees.

Education and Training : Sensitive Positions


Do personnel in sensitive positions receive additional specialized training geared toward the responsibilities that the position holds? This is a requirement.
Partner Response:
For employees in sensitive positions, specialized training is provided for Receipts and Shipping, Security, Import-Export and Systems.
SCSS Comment :
none

Education and Training : Refresher Training


Is refresher training conducted periodically, as needed after an incident or security breach, or when there are changes to company procedures? This is a requirement.
Partner Response:
Training is provided when the employee is hired and on a regular basis each year.
SCSS Comment :
none

Education and Training : Training Records


Is training evidence retained, such as training logs, sign in sheets (roster), or electronic training records? This is a requirement.
Partner Response:
At each training session, there is an attendance list where participants register.
SCSS Comment :
Please upload completed training sign-in, attendance sheets, and/or a screenshot of your automated learning management system that records training received by employees.

Education and Training : Record Details


Do training records include the date of the training, names of attendees, and the topics of the training?
Partner Response:
The attendance list contains information regarding: course name, instructor name, date, employee name and number, department and signature.
SCSS Comment :
none

Education and Training : Testing Training


Are measures in place to verify that the training provided met all training objectives?
Partner Response:
Each training session requires that at the end of it, a small questionnaire be applied, in order to verify that the main aspects have been co-provided by the participant.
SCSS Comment :
none

Education and Training : Inspections


Are drivers and other personnel that conduct security and agricultural inspections of empty conveyances and IIT trained to inspect their conveyances/IIT for both security and agricultural purposes? Does inspection training include
the following topics: signs of hidden compartments, concealed contraband in naturally occurring compartments, and signs of pest contamination? These are requirements.
Partner Response:
The personnel of the security and shipping and receipts areas are trained in the inspection of the means of transport, which includes inspecting them for the purpose of finding any contamination by pests, dirt, herbs or
residues; in no case are dirty trucks or containers received.
SCSS Comment :
Please upload a sample training material provided to employees as it relates to security and agricultural inspections conducted on tractors (if applicable), empty containers, trailers, or other conveyances, etc. Does inspection
training include the following topics: signs of hidden compartments, concealed contraband in naturally occurring compartments, and signs of pest contamination?

Education and Training : Security Incidents


Are employees trained on how to report security incidents and suspicious activities? This is a requirement.
Partner Response:
Within the general training (for all employees) they are told what suspicious activities and / or persons are, as well as how to report them.
SCSS Comment :
Please upload specific training as it relates to security incident reporting provided to employees.

Education and Training : Cybersecurity


As applicable based on their functions and/or positions, are employees trained on the company’s cybersecurity policies and procedures? Does this include the need for employees to protect passwords/passphrases and computer
access? This is a requirement.
Partner Response:
Information systems personnel carry out general training to users regarding the use and protection of information technology systems and equipment, these can be face-to-face, virtual or one by one.
SCSS Comment :
Please upload specific training as it relates to cybersecurity policies and procedures.

Education and Training : Security Technology


Have employees operating and managing security technology systems received training in their operation and maintenance? Prior experience with similar systems is acceptable. Self-training via operational manuals and other
methods is acceptable. This is a requirement.
Partner Response:
The system staff is trained by external agents according to the needs of the company. Training is received as soon as a new system or hardware is acquired, as well as annual retraining.
SCSS Comment :
Please upload specific training provided to designated employees as it relates to the operation and maintenance of security systems including surveillance cameras, alarm systems, GPS systems, etc. (as applicable).

Cybersecurity : Written Cybersecurity Policies


Are comprehensive written cybersecurity policies and/or procedures in place to protect information technology (IT) systems? Does the written IT security policy, at a minimum, cover all of the individual cybersecurity criteria?
These are requirements.
Partner Response:
The company has two basic documents related to cybersecurity, 1) Policies and Procedures Manual, and 2) Regulations for the Information Technology Area. They include the policies that govern the use of the company's
information technology resources, procedures such as assigning accounts and passwords, responsibilities, data backups, protection of systems, management of equipment and infrastructure, among others.
SCSS Comment :
Please upload your written IT security policy and procedures.

Cybersecurity : Annual Review IT Policies


Are cybersecurity policies and procedures reviewed annually, or more frequently, as risk or circumstances dictate? Following the review, are policies and procedures updated if necessary? These are requirements.
Partner Response:
According to the company's "Manual of Policies, Procedures and Regulations of the Information Technology Area", in its Article 3 it is indicated that the policies of the manual will be evaluated on an annual basis by a "HTPM" IT Assistant
Manager; there is also an additional evaluation by the IT Department every six months.
SCSS Comment :
none

Cybersecurity : IT Disaster Plan


If a data breach occurs or an event results in the loss of data and/or equipment, do procedures include the recovery (or replacement) of IT systems and/or data? This is a requirement.
Partner Response:
Each user computer automatically receives a scheduled backup on the server each time they create a file or modify it. All of this is done in Windows GPO. The moment the user takes a new machine or other equipment and logs
in, he pulls all his documents up to the current date.
SCSS Comment :
none

Cybersecurity : Information Sharing Policies


Do cybersecurity policies address how information is shared on cybersecurity threats with the government and other business partners?
Partner Response:
The company, within its incident reporting procedure, has established the communication of information related to incidents that in any way relate to or affect business partners, this procedure is applicable to any type of incident,
including those related to technologies of information.
SCSS Comment :
none

Cybersecurity : Social Engineering


Are policies and procedures in place to prevent attacks via social engineering? This is a requirement.
Partner Response:
The company, in its information technology training, includes the subject of "social engineering", where the concept is explained to the staff, how to identify it and how to report to the information systems staff when they have such
a case. Additionally, when emails of the type of social engineering are identified, the systems area blocks the senders and their topics.
SCSS Comment :
Please upload your written IT security policy and procedures as it relates to preventing attacks via social engineering.

Cybersecurity : Counterfeit Software


Do cybersecurity policies and procedures include measures to prevent the use of counterfeit or improperly licensed technological products?
Partner Response:
The "Regulation for IT Centers", which is Annex 1 of the "Manual of Policies, Procedures and Regulations of the Information Technology Area", indicates in its Article 8 that "Inspecting, copying and storing software that violates
copyright law is strictly prohibited", and its violation is subject to disciplinary actions.
SCSS Comment :
none

Cybersecurity : Identifying IT Abuse


Is a system in place to identify unauthorized access of IT systems/data or abuse of policies and procedures including improper access of internal systems or external websites and tampering or altering of business data by
employees or contractors? This is a requirement.
Partner Response:
IT personnel will isolate any network server, notifying the company management, under the following conditions: a) If the services provided by the server involve additional traffic that prevents a good performance of the Network,
b) If the use of vulnerabilities that could compromise security on the Internet is detected. c) If the use of programs that alter the legality and/or consistency of the servers is detected. d) If unauthorized accesses are detected that
compromise the integrity of the information, e) If the server policies are violated, and f) If additional traffic is reported that compromises the company network.
SCSS Comment :
none

Cybersecurity : IT violations, Disciplinary Actions


Are all violators subject to appropriate disciplinary actions? This is a requirement.
Partner Response:
The "Regulation for IT Centers", in Article 17, establishes the sanctions to which users are subject for breach of their obligations and incurring the aforementioned restrictions, which are the following:
a) Call for attention verbally or in writing.
b) Temporary suspension of Network services.
c) Definitive suspension of the services of the Network.
d) Replacement or payment of lost, destroyed or damaged goods.
SCSS Comment :
none

Cybersecurity : Security Software


To defend Information Technology (IT) systems against common cybersecurity threats, has sufficient software/hardware been installed for the protection from malware (viruses, spyware, worms, Trojans, etc.) and has an
internal/external intrusion detection system been installed (firewalls)? These are requirements.
Partner Response:
The company, in its "Policies and Procedures Manual", has a section called "Computer Security Area", in which it is established that the IT management is in charge of providing adequate security measures against intrusion or
damage to the information stored in the systems as well as the installation of any tool, device or software that reinforces computer security. Likewise, it is the only one authorized to constantly monitor the packet traffic on the
network, in order to detect and solve anomalies, record improper use or any failure that causes problems in the network services.
There is a physical firewall where all requests for attacks or external requests are blocked since there are no open ports. The Software of each of the computers has antivirus and all computers are under the Windows Server GPO
policy of not installing or removing software, only the administrator user can install and remove files.
SCSS Comment :
none

Cybersecurity : Updating Security Software


Is security software current and does it receive regular security updates? This is a requirement.
Partner Response:
All equipment, from the server to the staff computers, has antivirus and security software. The software is updated automatically since it is inside the Windows OS (Windows Security, previously called Windows Defender). Every
time there is an update in its database, the software receives the update immediately.
SCSS Comment :
none

Cybersecurity : Test IT Systems


When utilizing network systems, is the security of the IT infrastructure regularly tested? If vulnerabilities are found, are corrective actions implemented as soon as feasible? These are requirements.
Partner Response:
An external test of open ports is made to verify that the server or any of the equipment does not have unsolicited open ports; that test is logged in a document called "Network Security Analysis".
SCSS Comment :
none

Cybersecurity : Data Backups


Is data backed up once a week or as appropriate? Is all sensitive and confidential data stored in an encrypted format?
Partner Response:
The "Manual of Policies, Procedures and Regulations of the Information Technology Area" has a Data Backup direction, and establishes that "HTP" Databases will be periodically backed up automatically and manually, according to
the procedures generated for this purpose. Information in servers must be backed up according to the following criteria, as a minimum:
a) Daily critical information.
b) Weekly, emails and web documents.
c) Monthly, server configuration and logs.
Backups should be stored in a safe place and remote location from the company site.
SCSS Comment :
none

Cybersecurity : Regular IT Inventories


Are all media, hardware, or other IT equipment that contains sensitive information regarding the import/export process accounted for through regular inventories? This is a requirement.
Partner Response:
The "Policies and Procedures Manual" indicates that the Maintenance Department is in charge of the physical inventory of IT equipment, safekeeping firms for loans, and dedicated uses of information technology equipment. Each
piece of equipment is registered in the inventory of control of computer equipment and network of the company.
SCSS Comment :
none

Cybersecurity : Disposal of IT Equipment


When disposed, are they properly sanitized and/or destroyed in accordance with the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization or other appropriate industry guidelines? This is a
requirement.
Partner Response:
Currently, our company has only 4 personal computers that have been dismissed; 2 hard disk drives have been erased and reused on other PCs. The 2 other HDDs are stored in a secure place until the company decides how to properly
dispose of them.
SCSS Comment :
none

Cybersecurity : Personal Devices


If employees are allowed to use personal devices to conduct company work, do all such devices adhere to the company’s cybersecurity policies and procedures to include regular security updates and a method to securely
access the company’s network? This is a requirement.
Partner Response:
A user who needs to connect personal equipment to the network or peripherals to the computers must have the corresponding authorization from their manager and ask the IT department to set it up, and the equipment must come with antivirus
software. In the event that a user, without authorization, connects a personal computer or peripheral to the entity's network system and this causes damage or virus contamination, it will be the user's total responsibility and the
corresponding disciplinary sanctions will be applied.
SCSS Comment :
none

Cybersecurity : Individual Accounts


Do individuals with access to IT systems use individually assigned accounts? This is a requirement.
Partner Response:
IT Department receives an email from the manager of the department to which the user belongs, requesting an account for him, the full name is provided, the system he will use, and according to the needs of his position the
account is granted by the IT department.
SCSS Comment :
none

Cybersecurity : Passwords


Is access to IT systems protected from infiltration via the use of strong passwords, passphrases, or other forms of authentication and is user access to IT systems safeguarded? These are requirements.
Partner Response:
The Network Operations Center will be in charge of assigning accounts to users for the use of e-mail on the servers it manages.
The user must fill out an application in free format and deliver it to the IT department, with her signature and that of the Area Manager.
The password complexity must include at least 8 characters, a capital letter, a number and a special symbol (! @ # $ % &). Passwords will expire every 3 months. The system will automatically ask you to change the
password of the device, and the user will not be able to repeat the same password.
SCSS Comment :
none

Cybersecurity : Restrict IT Access


Is user access restricted based on job description or assigned duties? This is a requirement.
Partner Response:
The Database Administrator is in charge of assigning accounts to users. For this purpose, the procedure is followed, in a Windows server “Active Directory” client environment, in the “AD” section the account is created in the
system based on the necessity of the role; in case a restricted level is required, a special permission is required which must be indicated in the request, as well as whether you have read-only or write privileges.
SCSS Comment :
none

Cybersecurity : Review IT Access


Is authorized access reviewed on a regular basis to ensure access to sensitive systems is based on job requirements? This is a requirement.
Partner Response:
The Database Administrator assigns accounts to users based on the system they need for the performance of their job description; if an employee is transferred to a different position, system access is reviewed for their new requirements,
cancelling the previous one.
SCSS Comment :
none

Cybersecurity : Removing IT Access


Is computer and network access removed upon employee separation? This is a requirement.
Partner Response:
Managers must notify the Information Technology area when a user stops providing their services to the company. The user is unsubscribed from all the accounts he may have, and is registered in the "Windows" event viewer.
SCSS Comment :
none

Cybersecurity : Remote Access


When users are allowed to remotely connect to a network, are secure technologies employed, such as virtual private networks (VPNs), to allow employees to access the company’s intranet securely when located outside of the
office? Are procedures in place that are designed to prevent remote access from unauthorized users? These are requirements.
Partner Response:
The company does not allow remote connections to the company network.
SCSS Comment :
none
