
We all make mistakes and have misunderstandings throughout our lives.
The following situations and audit findings are real. No company names are mentioned. Even the geographical area is not mentioned.
The intent is to describe some serious and not so serious security weaknesses found during TAPA FSR, TSR and PSR Gap Analyses and certification audits.
As they say, the most important thing about a mistake is that you learn from it. In this case, we can learn from the mistakes of others.
Nonconformities in no particular order:
Wooden Doors: I visited an airfreight warehouse located at an airport in a humid environment. We went out the back door of the warehouse and closed the door which automatically locked. I grabbed the door handle and pulled hard. The entire wooden door came off the hinges and landed in the alley.
Rusty Door Hinges: I went to a warehouse near the seacoast. The back doors of the warehouse were made of metal and nearly completely rusted through. I was going to mention that the hinges were not spot welded or secured with security pins… but the top hinge of the rusty door broke while we were standing there. Needless to say, the door was replaced with a new door.
Doors Don’t Close: I certified a company. Three years later, I went back to do the recertification audit. The warehouse pedestrian doors were open, and could not be closed. They were stuck open with no alarm sounding. When asked about the open doors and no alarm sound, the employees said that the alarm system had been turned off two and a half years ago.
Pedestrian Doors not Locked: All the emergency pedestrian doors were unlocked. They were never locked… even when the facility was closed. When asked why the doors were left open, the security manager said that the warehouse was surrounded by high ground on three sides with a fence. The back side of the building was the open air field where no people were allowed to walk.
Back Doors of Warehouses: The warehouse was located at the airport. There were full security measures on the front of the building – complete with guards, fence, security access controls, etc. The back doors of the warehouse opened to the airport tarmac. None of the back doors were locked, there were no alarms installed on the back doors, and there were no CCTV cameras monitoring the back of the building.
Motion Detection: We had to start the warehouse audit early because the last flight was early afternoon. We arrived at the warehouse and there was a guard sitting in the hallway outside the warehouse door. We did not turn off the motion detection and entered the warehouse. We were able to walk along the entire front of the warehouse dock doors and then to the centre of the warehouse before a light came on and there was an alarm signal.
Missing Internal HVC CCTV: The high value cage was big and made of light weight grill material. There was a high resolution CCTV camera looking at the front of the HVC. But there was no internal CCTV camera. The company said they did not need to install an internal camera because the external camera could monitor everything through the grill.
Magnetic HVC Door Locks: A magnetic door lock remains closed and secured when the electricity is supplied to the magnetic lock. What happens if the electricity to the magnetic lock is cut? It opens.
HVC Door Locks: If the HVC door does not have a deadbolt lock or Fail Secure lock, it can probably be opened with a piece of plastic banding material, butter knife, or teaspoon. Just slip the knife between the door and the door frame… wiggle a bit… and open the door.
HVC Cage Construction: In one case, the auditor shook the cage that was assembled with light weight grill panels. Part of the cage fell apart because the screws holding the panels together were loose. In another case… I promise… I only touched the panel with my shoes… and the panel fell out of the HVC wall leaving a hole in the HVC wall.
CCTV Camera Setup: A new CCTV system was installed. We wanted to be sure that the CCTV system had 30 days of stored images. When we set the system back 30 days, there were no images. In fact, there were no stored images at all. The security company forgot to set the CCTV cameras to record. Only the live feed was available.
Glass Pedestrian Doors: I checked the HVC in the corner of the warehouse. There was a little dark short hallway and then an emergency door. There was no light in the short hallway… and I didn’t want to open that particular door. So I pushed the bottom of the door with my foot… and my foot went through the cardboard window in the lower portion of the door. Apparently, the glass had been broken and replaced with cardboard. Since it was dark on the inside of the warehouse, it was not obvious when looking at the door.
TSR Key Control: All the vehicle keys were in a filing cabinet drawer. Some were marked and others were not. I have no idea how they knew which key was for which vehicle.
TSR Trailer Locks: The company had a lot of trailers… a lot! Key control for all the locks was no problem. One key fit all locks! If a driver lost his normal key for the trailer lock, there was another in the outside storage cubicle of the truck.
Padlock Keys: The company bought very expensive padlocks for the trailers and containers. Two sets of locks and keys were inspected during the audit. The keys of one lock would open the other lock.
Plastic Dock Door Windows: A few warehouse dock doors had wide plastic panel windows. The plastic windows are very weak and could be pushed out of the dock door frame with a bare hand. Unfortunately, the button to raise and lower the dock door was located next to the plastic window allowing everyone easy access to open the dock door when the warehouse was closed.
CCTV Function Checks: There are a few common mistakes regarding CCTV Function Checks. One is that companies will view the live stream of the CCTV cameras and assume the images are being properly stored on the server without actually looking at the stored images. Another common problem is that they inspect a few CCTV cameras every day… and not all cameras every day.
Security Policy Statement: Many companies are ISO 9001 certified and understand the concept of a Quality Policy that explains the organization’s purpose and strategic direction, framework for quality objectives, a commitment to meet customer requirements, adherence to regulatory requirements, and continuous improvement with regard to quality. However, many companies struggle to create a security oriented policy statement issued by management.
Missing Work Procedures: If the TAPA requirements mention that a written procedure or policy is required, the process for meeting the requirement must be written. Too often, the process is not documented.
Incomplete Work Procedures: Remote audits allow the auditor to identify and inspect work procedures without the stress of time constraints during an on-site audit. Sometimes, the company will identify a general security procedure in response to a written procedure requirement. However, the content of the work procedure does not address the specific requirements of the standard. To simply say that the company will do something is not sufficient as a work procedure. The procedure should explain how the requirement is fulfilled.
HVC Key Control: Some companies have the practice of allowing each warehouse shift leader to pass the HVC key on to the next shift leader without written traceability. Other companies will allow managers to take the HVC key home at the end of the day when the warehouse is closed and locked. This process is not allowed.
Operational Waste: Though illegal, some individuals will go through the trash of a logistics company trying to collect operational information such as what products are stored in the building, names of employees, contractors, suppliers, transport partners, schedules, materials ordered, etc. Any such information may give potential information harvesters details they are not authorized to have.
Incomplete Risk Analysis: TAPA specifically states which risks must be included in the risk analysis. Sometimes, not all required risks are included in the risk analysis. Most notably, the need or non-need for anti-ram barriers for ground floor windows and ramp dock doors is not on the risk analysis.
Risk Analysis Format: TAPA does not specify how a company must document the risk assessment. However, since most companies are ISO 9001 certified, the same format should be used to document the TAPA Security Risk Analysis. Remember, you should document the risk, measure the risk without mitigation, document the mitigation you have in place to reduce the raw risk, and remeasure the risk to show that the mitigation measures are effective. ISO 9001 requires a company to measure the effectiveness of risk mitigation.
Burned Out Lights: When looking at the CCTV images at night when the facility is closed, it is easy to identify if there are burned out lights in sensitive areas such as dock areas and ramps.
Untrained Auditors: TAPA requires all company auditors to attend a formal TAPA training course. However, some auditors used, especially in multi-sited certifications, have not been trained by TAPA. The result is very poor or no comments being written in annual self-assessments. Untrained auditors are not allowed for self-assessment audits.
No Comments in Self-Assessments: Companies must complete a self-assessment internal audit before a certification audit and an annual self-assessment audit in year two and three. A self-assessment audit report that simply says – “OK” or nothing as a comment – results in a useless and unacceptable self-assessment report. The self-assessment report should record what was inspected during the audit and what was found as a result of the inspection.
Denied Access Reports: Many companies do not know how to create a denied access report. On a quarterly basis, the security manager should print a list of all the incidents that were recorded where the electronic access badge did not open the door. Sometimes this is because of a broken reader, badge problems, access not updated, a badge reported as lost in the past, expired badges, etc. These incidents are administratively corrected. However, if a badge was used several times trying to access a secured area, then further investigation may be necessary. After all denied incidents have been reviewed, the printout is signed and dated by the person that conducted the review.
Unsecure CCTV Images: Some companies have CCTV monitors in the reception area. Those monitors are viewable by unauthorized persons such as visitors and drivers. Something must be done to restrict the viewing of the images by unauthorized persons. This can be accomplished by turning the monitors, using screens on the monitors so images are not viewable from the side, and tinting windows.
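The quarterly denied access review described above can be prepared from an export of the access control system. The following Python sketch is an added example, not part of the original article or of any TAPA document; the CSV columns, the secured-area list, the threshold of three attempts and the ten-minute window are all assumptions chosen for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; columns and values are assumptions, not a real product format.
SAMPLE_LOG = """timestamp,badge_id,door,result,reason
2024-01-08T07:58:10,B1001,DOCK-1,DENIED,EXPIRED
2024-01-15T22:41:02,B2040,HVC,DENIED,NO_ACCESS
2024-01-15T22:41:30,B2040,HVC,DENIED,NO_ACCESS
2024-01-15T22:43:05,B2040,HVC,DENIED,NO_ACCESS
2024-02-02T09:12:44,B3310,HVC,DENIED,NO_ACCESS
2024-02-02T09:13:00,B3310,HVC,GRANTED,
"""

SECURED_AREAS = {"HVC"}          # assumption: doors treated as secured areas
THRESHOLD = 3                    # assumption: "several" means three or more
WINDOW = timedelta(minutes=10)   # assumption: attempts counted within 10 minutes


def denied_access_report(log_text):
    """Split denied events into items to investigate and items to correct."""
    denied = [r for r in csv.DictReader(io.StringIO(log_text))
              if r["result"] == "DENIED"]
    by_badge_door = defaultdict(list)
    for row in denied:
        by_badge_door[(row["badge_id"], row["door"])].append(
            datetime.fromisoformat(row["timestamp"]))

    investigate = []
    for (badge, door), times in sorted(by_badge_door.items()):
        times.sort()
        # Sliding window: THRESHOLD denials at one secured door within WINDOW.
        burst = any(times[i + THRESHOLD - 1] - times[i] <= WINDOW
                    for i in range(len(times) - THRESHOLD + 1))
        if door in SECURED_AREAS and burst:
            investigate.append((badge, door, len(times)))

    flagged = {(b, d) for b, d, _ in investigate}
    administrative = [(r["timestamp"], r["badge_id"], r["door"], r["reason"])
                      for r in denied
                      if (r["badge_id"], r["door"]) not in flagged]
    return {"investigate": investigate, "administrative": administrative}


if __name__ == "__main__":
    for kind, items in denied_access_report(SAMPLE_LOG).items():
        print(kind, items)
```

The printed output still has to be reviewed, signed and dated by the person who conducted the review, as described above.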
Formally Appointed Persons: The TAPA requirements say that a person with the responsibility for the security program must be identified and appointed by management. Sometimes, there is no written evidence of this appointment. The appointment should be written, signed and dated by management.
Panic Button Tests: It is always best to explain what will happen when the panic button is pressed rather than pressing the panic button once the auditor starts talking about the process. On more than one occasion, police arrived with weapons drawn when a receptionist pushed the button during the audit.
Location of Panic Button: Companies will locate the panic buttons in a variety of locations. They are hung on a wall, located in someone’s pocket, in another room, or missing altogether. It should be in a covert, easy-to-reach location for the receptionist, guard, or dispatch person.
Panic Button Response: As mentioned above, sometimes the police arrive ready for action! A direct link to the police should be justified, though it is always a decision for management. Another technique is an alarm at the 3rd party security office with a follow-up telephone call with code word… or a review of the CCTV system by the 3rd party security company to look at the reception area. Another technique might be a light alarm in the warehouse where employees can react as required by company policy.
Conclusion: There is always a possibility of mistakes and misunderstandings. The official TAPA requirements are in English, and there can be misinterpretations as a result of translations and use of certain words in different languages. What is most important is that we all learn from these types of mistakes and have a successful audit… and a secure security system.