7 SECURITY AND COUNTERMEASURES – Food and Drink – Good Manufacturing Practice, 7th Edition

Principle

Secure buildings and the wider perimeter are key aspects of good manufacturing practice (GMP), especially with regard to crime mitigation. Countermeasure is a term widely used in criminology literature, but only more recently with regard to food science and technology. A countermeasure is quite simply the action taken by an individual, organisation or other body to counteract or offset a given danger or threat. A threat in this context is an agent that can cause harm or loss that arises through the ill‐intent of others (see 5.6). A countermeasure is designed to prevent or reduce the impact of a threat through technological, tactical or planned means. Countermeasures can be actions by individuals, or processes or systems that are always operating or can be enacted when a threat is realised.

Background

7.1 Counteracting criminal behaviour in the food supply chain is an embedded requirement of GMP. The use of food crime risk assessment (FCRA) tools to identify potential threats and the means for their control (countermeasures) through the identification of critical points in the manufacturing setting where vulnerabilities need to be eliminated or, if this is not possible, effectively managed, has been explored in Chapter 6. The means to then implement appropriate countermeasures and the associated monitoring and verification activities are addressed in this chapter. Ultimately, as an emerging element of GMP, how FCRA is undertaken and countermeasures identified and then integrated into an effective food integrity management system (FIMS) is a crucial area for the food manufacturer to consider and address. At the time of writing this version of the Guide there are a number of International Standards Organisation (ISO) standards being developed under the control of the ISO/TC 292 Security and Resilience Committee. These standards are explained in more detail here and crisis management protocols are addressed in Chapter 27.

ISO 28001 Security management systems for the supply chain – Best practices for implementing supply chain security, assessments and plans – Requirements and guidance states there are four types of action a business can take when faced with a threat. These can be called the 4Ts:

  • Treat: through the use of an organisational procedure and/or physical protection countermeasure;
  • Transfer: transfer of the risk may be subcontracting of a manufacturing activity, physical transfer of an activity in the manufacturing process to other locations on the site, designated time for activity etc.;
  • Terminate: due to the level of risk associated with the threat the decision is made not to continue the activity; or
  • Tolerate: decide to accept the risk associated with the threat because the organisation cannot implement a countermeasure or it is too costly or impractical to implement a countermeasure.

Characteristics of Countermeasures

7.2 Countermeasures can be global and operate at the national or supply chain level and counteract single or multiple threats, or they can be specific to a particular threat at a particular point in the supply chain or within the manufacturing operation, i.e. they are situational. Countermeasures can also be distinguished in terms of whether they address detection (i.e. the identification of the activities associated with food crime and potential opportunity), mapping of the food chain to identify vulnerabilities or hotspots (e.g. through horizon scanning or other vulnerability risk assessment techniques considering potential threat scenarios associated with the materials, services and final products that the manufacturing organisation procures, produces and sells), deterrence (by inhibiting opportunity to commit crime through identifying different kinds of perpetrator and their actions and what countermeasures will discourage their activity; see Chapter 6), prevention (through using the resources available to minimise the likelihood and/or severity of a potential threat and promoting the robust systems in place) or disruption (should crime occur; see the work of Spink et al.¹).

Countermeasures can be passive or active in nature. Passive countermeasures tend to be physical protection or hard resistance in terms of facility design within the manufacturing environment, such as locking mechanisms, self‐sealing equipment, enclosed production lines, security systems that involve fencing, access control points for people and vehicles, cameras or other surveillance equipment. This is a term often used when designing food defence systems (see 5.4). Alternatively, with regard to cyber‐crime, a firewall is an example of a passive countermeasure. Active countermeasures are reactive, often designed for a particular threat and are enacted once the threat is identified as being ‘real’ and/or imminent. Examples of an active countermeasure or active protection system are those protective actions that are enabled in response to a cyber threat to a business, such as malware or a hacking attack, or the actions of security personnel in the event of an intruder or unauthorised person entering a controlled area of a factory. Active countermeasures in the manufacturing process itself include intruder alarm systems, access alarms in enclosed production systems and continuous awareness and training programmes and refresher training of individuals so they understand their role in the food manufacturing environment with regard to the range of food crime incidents that could occur.

7.3 Hurdles are countermeasures that reduce opportunity for food crime by either assisting detection or proving to be a deterrent.² They include online monitoring and verification activities such as audits and product sampling. Examples of hurdles can be differentiated by how they prevent or deter:

  • Access to premises: Examples include visible and appropriate perimeter fencing and vehicular access points; external landscaping, perimeter alarm system, closed circuit television (CCTV) monitoring/recording of the perimeter at designated vulnerable points or infrared heat monitoring (see 19.2); vehicles parking outside the perimeter, limited access for individuals to the manufacturing site, with zoned and restricted access for individuals within the manufacturing site; monitored vehicular access points; security guards; traffic calming on approach to site, schedule delivery times only; missed deliveries investigated; documentation associated with deliveries checked before vehicular admittance; and monitoring of services access points, e.g. air ventilation and exit points, waste storage and treatment facilities, water systems.
  • Access by people: Countermeasures include swipe card, password‐protected or coded access to site, or specific zones within the manufacturing site for people; protocols for lone working/buddying system; changing facilities where workwear and personal items are kept separate; screening of visitors – by appointment only, proof of identity required, accompanied visits only; secure handling of mail; restrictions on access for portable electronic and camera equipment, portable hard drives, USB sticks etc.; limited access to mains services; BS ISO/IEC 27032 compliant cybersecurity (see 5.5); employment checks – proof of identity and qualifications, verification protocol for contractors, supervision of temporary staff and contractors, employment checks on those working at designated vulnerable points; staff in critical roles motivated and monitored; whistleblowing arrangements (see 7.10); suitable end of contract arrangements for staff and preventive controls after termination of employment, e.g. changing access, closing computer accounts and access; enclosed conveyors, processing equipment, use of sight‐glasses, numbered seals on bulk storage silos and password protection of computer terminals and workstations.
  • Access to product: Examples include sealing of bulk storage containers, product tampering controls, global positioning systems (GPS) technology, and checks including stock control checks; secure user codes and passwords for access to materials and production lines/zones; electronic controls and reporting in the event of unauthorised access or activity on electronic systems; supplier assurance protocols and screening protocols for new suppliers, including taking up of references and credit checking. Traceability systems will identify individual lots of raw materials and final product (see Chapter 14).

7.4 Guardians are the individuals operating at national, supply chain or individual business levels that have the knowledge, skills and understanding to implement a FIMS. They may operate within the manufacturing environment or in the wider supply chain. It is important to recognise that vulnerability can still occur even in the presence of a capable guardian (see Spink et al., 2015²).

New Product and New Process Development

7.5 Products are more vulnerable when specific claims are made with regard to the product, e.g. designated provenance, identity or assurance status (e.g. Fairtrade, organic, country of origin, protected geographical indication (PGI); see Chapter 15). When designing new products consideration should be given during the product development phase as to their potential vulnerability to food fraud or food crime (see 5.1). If required, specific design objectives with regard to food integrity should be developed. When the packaging or product is designed, inherent ‘markers’ could be included/adopted so that the product can be readily identified as being authentic and not counterfeit or substituted. During the development stage, developing a unique spectral fingerprint for the product should also be considered so that its integrity can be verified. With this approach the exact nature of the substitute or adulterant does not need to be known, only that product integrity has been lost.

7.6 Process development activities should consider the potential for ‘engineering out’ parts of the process where tampering or substitution could occur, e.g. by incorporating hard resistance countermeasures such as the use of machine covers, guards or enclosed sections.

Security Management Systems

7.7 ISO 28000:2007 Security management systems for the supply chain specifies requirements for a security management system, including those aspects critical to security assurance of the supply chain, including transport and logistics. ISO 28000:2007 requires the manufacturing organisation to assess the security environment in which it operates and to determine if adequate security measures are in place. This standard, along with many other ISO standards, is based on an approach known as plan‐do‐check‐act (PDCA). The four steps are:

  • Plan: Establish the objectives and processes necessary to deliver results in accordance with the organisation’s security policy.
  • Do: Implement the objectives and processes.
  • Check: Monitor and measure processes against security policy, objectives, targets, legal and other requirements, and report results.
  • Act: Take corrective or preventive actions to continually improve performance of the security management system.

ISO 28001 defines a security assessment as identifying and documenting supply chain vulnerabilities to a set of defined security threat scenarios as well as the likely persons who could progress a particular security threat into an actual incident. A security plan outlines the security measures (countermeasures) that are in place, or need to be introduced, to manage the security threat scenarios identified in the security assessment and reduce the threats identified in the security plan to an acceptable level. A training programme needs to be formally developed and implemented that identifies how security personnel will be trained according to their work role.

There are five distinct elements to a security management system (SMS): the security management policy (and associated security objectives), the security assessment (documented assessment that identifies the threats considered to be of importance), implementation and operation of the SMS, monitoring, verification and checking of the SMS, and management review and continuous improvement.

Annex B of ISO 28001 outlines the risk management methodology in eight steps:

  1. Identify all activities within the scope of the SMS.
  2. Identify the security controls and countermeasures currently in place.
  3. Identify security threat scenarios.
  4. Determine the consequences if the security threat scenario actually occurred.
  5. Determine the likelihood of such an event occurring, given the security controls and countermeasures currently in place.
  6. Assess whether the current security controls and countermeasures are adequate.
  7. If they are not adequate, develop and implement additional controls and countermeasures (develop a security plan).
  8. Repeat the process at a defined interval, e.g. 6‐monthly or annually.

7.8 A documented security assessment should be undertaken on the manufacturing site to determine the security procedures required in view of the site layout, nature of the products produced and the processing employed, and the specific area of the site. It may be prudent to identify high‐risk (HR) and low‐risk (LR) areas with regard to product security and have additional security controls in place in HR areas. This can include, but is not limited to, colour of protective clothing for HR areas, restricted entry procedures for authorised personnel only, including fingerprint entry to HR areas, and site security arrangements as a whole in terms of fencing, security staff and closed‐circuit television (CCTV). Keys that are required for entry to HR areas should be subject to a sign out and sign back in control protocol.

The possibility of sabotage, vandalism, terrorism and even site invasion may indicate a need for particular security precautions in vulnerable areas, e.g. building entrance security, code pads to open external doors to manufacturing areas, locked rooms, use of seals, etc. Access to material and product storage areas should be restricted to personnel working in those areas and other authorised persons. Consideration should be given to site security and entry controls into designated storage areas. Designated separate lockers may need to be provided for both internal and external workwear as well as personal belongings that must not be taken into the production and storage areas.

A visitor and contractor reporting system should be in place and the person responsible for such individuals is also responsible for monitoring their activities when they are on site. The use of photographic and recording equipment, including mobile equipment that contains these functions, must be strictly controlled. All such equipment brought onto the production site must be authorised by the site management, e.g. memory sticks, laptops, tablets, mobile phones etc. Staff should be encouraged to report unknown individuals when they see them on site, but be made aware, through induction and refresher training, of the personal dangers of challenging unknown individuals. The security assessment should be reviewed a minimum of annually and more often in the event of a breach of security arrangements or identification of emerging threats or a change in threat status. This security assessment can then be used when considering wider organisational vulnerability as part of overall FCRA (see Chapter 6).

7.9 Appropriate training must be given to all staff on the actions to take in the event of them uncovering criminal activity taking place or highlighting the evidence of past criminal activity (see 7.10). The personal safety of staff is paramount. There is a duty of care on senior management to ensure appropriate procedures are in place to safeguard staff who bring forward concerns or evidence of food crime having taken place. This will include working with the relevant regulatory authorities to support such individuals. Appropriate procedures also need to be in place for those staff members who are vulnerable, e.g. those who are working alone or undertaking remote working activities at the processing site, and/or those working with high‐value food materials and products. There is also the potential for perpetrators to be embedded in an otherwise legitimate business. The category of individual that perpetrates a crime will influence the countermeasures that need to be in place to mitigate against their activity (see 5.7).

Clear instructions must be given during training on what activities are legal within the food manufacturing environment and what would constitute illegal activity where individuals as well as the food business could be prosecuted. The training programmes must be tailored for the job role and the particular vulnerabilities of interest, e.g. supplier approval and performance monitoring, procurement, operational management etc. Refresher training must be undertaken if intelligence suggests that there are new potential risks that staff need to be aware of, e.g. adulterated ingredients, counterfeit packaging etc. Training should be reinforced by adequate supervision, mentoring and support, and regular performance reviews. Training is addressed more fully in Chapter 17. If deemed necessary in security assessment, fingerprint technology should be used so that individuals are traceable to specific production areas and, by association, specific batches of product.

Consideration should be given to organisational incentive bonus schemes which could inadvertently promote occupational food crime. If implemented, such schemes should be designed to discourage operators from taking unauthorised shortcuts and the activities monitored through effective supervision. The potential for inappropriate action by current or previous employees needs to be addressed by the manufacturer including pre‐employment screening and employment termination interviews.

Whistleblowing

7.10 Personnel should be instructed and encouraged to report immediately any incident or potential incident associated with people, materials, packaging, equipment or the product. They should be aware of the potential for illegal behaviour at all stages of the manufacturing operation and be in a supportive culture and environment where they feel confident to report any issues that may arise.

In simple terms, a whistleblower is any person who reports or discloses information about a given threat or of harm to the public interest that is identified in the context of their work (Council of Europe, 2014).³ Publicly Available Specification (PAS) 1998 (2008:9) Whistleblowing arrangements: Code of practice⁴ defines a whistleblowing concern as a ‘reasonable and honest suspicion an employee has about a possible fraud, danger [illegality] or other serious risk that threatens customers, colleagues, shareholders, the public or the organisation’s own reputation’. This is different to an employee grievance or complaint, which PAS 1998:2008 states is an employment dispute that has no public interest element.

The act of whistleblowing can be internal, i.e. disclosure within the organisation to a supervisor or manager, or external to regulatory officers, the police, an independent body, media, auditor or consumer group and so forth. The cost to the organisation of a missed opportunity to treat, transfer or terminate a threat can be significant in terms of loss of business, profits and jobs, fines and an increase in insurance premiums.⁵

If the food manufacturer wants to effectively counteract illegal practice within the organisation and wider supply chain, then organisational whistleblowing procedures should be adopted. Internal reporting channels should be available for staff so that action can be taken to prevent or reduce the likelihood of criminal activity and minimise the impact on customers and consumers. Adopting procedures that identify the communication channels for whistleblowing to take place and also to protect individuals should they whistleblow will strengthen this approach as a countermeasure.

The European Committee on Legal Co‐operation (CDCJ) of the Council of Europe developed the Recommendation CM/Rec (2014)7 on the protection of whistleblowers (Council of Europe, 2014). Member states are encouraged to develop a robust national framework that facilitates and protects whistleblowers in all industries. The Recommendation sets out a number of key principles to ensure that at a regulatory level there are:

  • laws to protect whistleblowers that cover a broad range of information that is in the public interest;
  • access points to more than one communication channel for individuals to report and disclose sensitive information;
  • mechanisms in place to ensure reports and disclosures are acted upon promptly; and
  • protocols to ensure whistleblowers’ identities remain confidential and all forms of retaliation are prohibited as long as the individual whistleblower has reasonable grounds to believe in the accuracy and credibility of the information.

In the UK, the Public Interest Disclosure Act 1998, and equivalent legislation, protects workers, if they report wrongdoing in the workplace, from unfair treatment or victimisation from their employer. If they raise concerns in accordance with the Act’s provisions, employees are protected under the Act.⁶ The Food Standards Agency’s National Food Crime Unit (NFCU) was created as a result of a recommendation in the 2014 Elliott Review.⁷ All intelligence received by the NFCU is logged on the Food Fraud Database and an investigation launched.

The UK Department of Business, Innovation and Skills report Whistleblowing: Guidance for Employers and Code of Practice,⁸ issued in 2015, states it is good business practice to implement a whistleblowing policy. PAS 1998:2008 outlines that overall responsibility for whistleblowing should rest with the Board, Chief Executive, Group Secretary, legal department or finance department, with day‐to‐day responsibility falling to the human resources department, who can implement a formal protocol. In smaller manufacturing businesses a simple statement will be sufficient. The statement should explain what whistleblowing is and that it should not be a means for undermining managers, how to make an internal or external disclosure, e.g. on an independent disclosure helpline, and the process for maintaining confidentiality. The statement or larger policy should be communicated to staff so that they are aware of the requirements. For some manufacturers their customers may have prescribed processes for whistleblowing. This may include awareness training, the siting of posters and information data, and internal reviews of staff engagement with the protocols.

Notes