When U.S. West Coast-based semiconductor manufacturer Xilinx found that its security, warehouse, and other staff around the world needed special training as part of the U.S. Customs and Border Protection’s (CBP) Customs-Trade Partnership Against Terrorism (C-TPAT) validation, it sought assistance from its contract security provider. The provider helped it create an intranet-based program that impressed CBP so highly that the agency asked to make it available to other companies. In addition, the agency has designated the program a best practice.
Xilinx is headquartered in San Jose, California, with additional offices and manufacturing sites around the United States, as well as Dublin; London; Singapore; Hong Kong; Tel Aviv; Milan, Italy; Munich, Germany; and Grenoble, France.
The C-TPAT validation, launched after 9-11 to reduce the risk of dangerous imports, requires companies importing goods to ensure the integrity of their security practices and communicate their security guidelines to business partners within the supply chain. From a company’s perspective, the benefit of participating in the C-TPAT program, which is voluntary, is that once the company achieves validation, its imported goods are considered more secure and their processing through Customs is streamlined.
According to Ron Pennington, global security manager for Xilinx at the time of this project, “It was vital that we received this certification to maximize security protocol and simplify and expedite the supply-chain process.”
To begin, Pennington assembled a team that included the company’s import compliance manager, who was the “point person” with CBP, and the supervisors of Xilinx’s contract security force—AlliedBarton. As they began to investigate the C-TPAT criteria, the team found that “one of the significant requirements is a training program for security employees,” states Pennington, including the security officers and staff of the company’s 24/7 security command center. C-TPAT validation also requires that these employees be tested on the material, that records of the training and testing be maintained, and that the training and testing be repeated annually.
The team decided that a training delivery system via Xilinx’s intranet would be the best solution. To do this, they identified a Microsoft program called Sharepoint, a collaborative tool that includes a module for creating training programs. “We felt it was the perfect application,” says Pennington.
One selling point was that there would be no cost and few administrative headaches. Xilinx had already purchased Sharepoint, placed it on its intranet, and used it throughout the company for other collaborative purposes. Most company employees were already approved as users.
The AlliedBarton supervisors took on the creation of the C-TPAT training course for security. They began by writing the content and questions based on the required criteria. For instance, a company must adequately control the creation and removal of employee, visitor, and vendor identification badges. Test questions probe whether officers are familiar with the processes the company has in place, such as notifying administrators to grant, suspend, or terminate access.
Once this material was compiled, the training module was programmed. The entire process took less than a month.
The result of the AlliedBarton supervisor’s efforts was a self-paced computer training module, “so that an officer can sit down at any time during his tour of duty and run through this training and then take the test. It is server-based, running off a server in San Jose; officers can access it from any location necessary. They’ve already used it in Dublin; Singapore; and Longmont, Colorado,” states Pennington.
Sharepoint allows Xilinx to retain the exam results of each employee. “When a person takes the test, we see what their score is, and if it isn’t adequate, the person is retrained and takes the test again—and this is all done on an automated basis using this tool,” Pennington explains.
After the import compliance manager showed the module to other Xilinx units with employees who required C-TPAT training—warehouse, import/export compliance, shipping and receiving, and mailroom staff—the team was asked to build individual modules tailored to those groups. For example, a series of questions on the mailroom employee-training module asks about looking for and correctly handling suspicious incoming letters and packages, including containment and emergency contact policies and procedures.
The company’s security guards—65 in the United States, about 30 in Singapore, and about a half dozen in Ireland—took the training within a period of a few weeks and all passed. “There was a lot of good natured competition between the security team [members]. During all types of training, they compete to see who finishes first. When this program was ready to go, they were already standing in line to do it,” explains Pennington.
Earlier this year, the San Jose headquarters was inspected by CBP for C-TPAT validation. “They sent representatives to the site to an all-day meeting where they went through all validation criteria and spoke directly to representatives of the company who are responsible for particular criterion,” says Pennington. This included learning the types of physical security systems the company has in place, reviewing its accounting systems, and studying policies and procedures.
Afterward, CBP representatives went on a tour to see the warehouses, shipping and receiving, and the security command center. While they were there, the representatives were shown the training module and testing records. Pennington states that this is when they were so impressed that they asked for a copy and for permission to share it with other businesses seeking validation. “Customs puts out a best practices catalog for C-TPAT, and I understand that if it hasn’t already happened, next time they print one, it will be included,” he says.
Xilinx is still undergoing the validation process. In October, CBP representatives traveled to the Singapore facility to conduct an inspection there. “They select two locations—usually headquarters or where import activity is centered, then they go to a non-U.S. location. They picked Singapore because that is the company’s most significant shipping location. Afterward, all the information goes back to Washington, D.C., and they issue a finding,” he explains.
Unofficially, Pennington says that the agency’s representatives stated that they “were very pleased and impressed and gave San Jose a very high informal recommendation.”