CTPAT – Minimum Security Criteria for Cybersecurity

by GTC
July 21, 2021May 10, 2022

CTPAT Members must have comprehensive written cybersecurity policies and procedures to protect information technology (IT) systems. The written IT policy, at minimum, must cover all of the individual Cybersecurity criteria. To defend Information Technology (IT) systems against common cybersecurity threats, a company must install sufficient software/hardware protection from malware (viruses, spyware, worms, Trojans, etc.) and internal/external intrusion (firewalls) in Members' computer systems. Members must ensure that their security software is current and receives regular security updates. Members must have policies and procedures to prevent attacks via social engineering. If a data breach occurs or another unseen event results in the loss of data and/or equipment, procedures must include the recovery (or replacement) of IT systems and/or data. CTPAT Members using network systems must regularly test the security of their IT infrastructure. If vulnerabilities are found, corrective actions must be implemented as soon as feasible. Cybersecurity policies should address how a Member shares information on cybersecurity threats with the government and other business partners.

A system must be in place to identify unauthorized access of IT systems/data or abuse of policies and procedures including improper access of internal systems or external websites and tampering or altering of business data by employees or contractors. All violators must be subject to appropriate disciplinary actions. Cybersecurity policies and procedures must be reviewed annually, or more frequently, as risk or circumstances dictate. Following the review, policies and procedures must be updated if necessary. User access must be restricted based on job description or assigned duties. Authorized access must be reviewed on a regular basis to ensure access to sensitive systems is based on job requirements. Computer and network access must be removed upon employee separation. Individuals with access to Information Technology (IT) systems must use individually assigned accounts. Access to IT systems must be protected from infiltration via the use of strong passwords, passphrases, or other forms of authentication and user access to IT systems must be safeguarded. Passwords and/or passphrases must be changed as soon as possible if there is evidence of compromise or reasonable suspicion of a compromise exists. Members that allow their users to remotely connect to a network must employ secure technologies, such as virtual private networks (VPNs), to allow employees to access the company’s intranet securely when located outside of the office. Members must also have procedures designed to prevent remote access from unauthorized users.

If Members allow employees to use personal devices to conduct company work, all such devices must adhere to the company’s cybersecurity policies and procedures to include regular security updates and a method to securely access the company’s network. Data should be backed up once a week or as appropriate. All sensitive and confidential data should be stored in an encrypted format. Media used to store backups should preferably be stored at a facility offsite. All media, hardware, or other IT equipment that contains sensitive information regarding the import/export process must be accounted for through regular inventories. When disposed of, they must be properly sanitized and/or destroyed in accordance with the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization or other appropriate industry guidelines.