THE VANITY CASE GROUP OF COMPANIES

HINDUSTAN FOODS LTD - CBE TITLE: FTAS Apex Manual


STANDARD OPERATING PROCEDURE

DOCUMENT NO. ISSUE NO. REVISION NO. REVISION DATE. PAGE.


HFL/FTAS-APEX/01 00 00 1 OF 24

FOOD THREAT ASSESSMENT SYSTEM

Apex Manual

Issue No: 00
Issue Date: 01 September 2018

Hindustan Foods Limited,


Sy No: 195/2A,
Appanaickenpatti Village,
Sultanpet road, Sulur Taluk,
Coimbatore,
TamilNadu - 641402

Confidential – For Internal Use Only

NAME DESIGNATION SIGNATURE DATE STAMP


PREPARED BY V.Someswararao FSTL Member
CHECKED BY R.ESWARARAJ Manager QA
VERIFIED BY C.SANKAR FSTL
APPROVED BY K.VELMURUGAN Factory Manager

INDEX

S. No | Clause No | Description
1 | A | Index
2 | B | Release Authorization
3 | C | Revision Record
4 | D | Distribution List
5 | 1 | Scope
6 | 2 | Terms and Definition
7 | 3 | Types of Threat
8 | 3.1 | General
9 | 3.2 | Economically motivated adulteration (EMA)
10 | 3.3 | Malicious contamination
11 | 3.4 | Extortion
12 | 3.5 | Espionage
13 | 3.6 | Counterfeiting
14 | 3.7 | Cyber crime
15 | 4.0 | Understanding the attacker
16 | 4.1 | General
17 | 4.2 | The extortionist
18 | 4.3 | The opportunist
19 | 4.4 | The extremist
20 | 4.5 | The irrational individual
21 | 4.6 | The disgruntled individual
22 | 4.7 | The hacktivist and other cyber criminals
23 | 4.8 | The professional criminal
24 | 5.0 | Threat Assessment Critical Control Point (TACCP)
25 | 5.1 | Broad themes
26 | 5.2 | TACCP process
27 | 6.0 | Assessment
28 | 6.1 | Assessing threats
29 | 6.2 | Assessing vulnerabilities
30 | 6.2.1 | General
31 | 6.2.2 | Economically motivated adulteration (EMA)
32 | 6.2.3 | Malicious contamination
32 | 6.3 | Assessment of risk
33 | 6.4 | TACCP reporting
34 | 7.0 | Critical controls
35 | 7.1 | Controlling access
36 | 7.2 | Tamper detection
37 | 7.3 | Assuring personnel security
38 | 8.0 | Response to an incident
39 | 8.1 | Management of a food protection crisis
40 | 8.2 | Contingency planning for recovery from attack
41 | 9.0 | Review of food protection arrangements

CLASSIFICATION: ‘BUSINESS CONFIDENTIAL’

RELEASE AUTHORISATION

This Apex Manual is released under the authority of

Mr K. Velmurugan

Factory Manager - Operation

and is the property of

Hindustan Foods Limited,

Coimbatore.

REVISION RECORD

S. No | Section/Clause/Para/Line (as applicable) | Page No. | Date of Amendment | Revision detail | Reasons of Amendment | Signature

MANUAL DISTRIBUTION LIST

Copy No. Copy Holder

Master copy FSTL

Control Copy -01 Factory Manager

Control Copy -02 Lab

Note: A PDF version of this manual is made available to interested members on the common folder.

1.0 Scope:

The Food Assessment System, suitable to the requirements of ISO 22000 – 4.1 version, has been developed
at Hindustan Foods Limited for packing safe product.

This manual provides guidance on the avoidance and mitigation of threats to food and food supply. It
describes a risk management methodology, Threat Assessment Critical Control Points (TACCP), against ISO
22000 – 4.1 version.

2.0 Terms and Definition:

Cyber Security: Procedures used to protect electronic systems from sources of threat.

Food Defence: Procedures adopted to assure the security of food and drink and their supply chains from malicious and ideologically motivated attack leading to contamination or supply disruption.

Food Fraud: Committed when food is deliberately placed on the market, for financial gain, with the intention of deceiving the consumer.

Food Protection: Procedures adopted to deter and detect fraudulent attacks on food.

Food Supply: Elements of what is commonly called a food supply chain.

Hazard: Something that can cause loss or harm which arises from a naturally occurring or accidental event or results from incompetence or ignorance of the people involved.

HACCP: System which identifies, evaluates, and controls hazards which are significant for food safety.

Insider: Individual within or associated with an organization and with access to its assets but who may misuse that access and present a threat to its operations.

Personnel security: Procedures used to confirm an individual’s identity, qualifications, experience and right to work, and to monitor conduct as an employee or contractor.

Threat: Something that can cause loss or harm which arises from the ill-intent of people.

TACCP: Threat Assessment Critical Control Point. Systematic management of risk through the evaluation of threats, identification of vulnerabilities, and implementation of controls to materials and products, purchasing, processes, premises, distribution networks and business systems by a knowledgeable and trusted team with the authority to implement changes to procedures.

3.0 Types of threat:

3.1 General:

Hindustan Foods Limited evaluates the threats to food authenticity and safety, namely economically motivated
adulteration (EMA) and malicious contamination, and outlines the nature of other threats.

3.2 Economically motivated adulteration (EMA):

The motivation of EMA is financial, to gain an increased income from selling a foodstuff in a way which
deceives customers and consumers. This may be by either passing off a cheaper material as a more
expensive one

The intention of EMA is not to cause illness or death, but that may happen due to adulteration
or contamination in food material.

3.3 Malicious contamination:

The motivation for malicious contamination may be to cause localized (see case 5) or widespread (see
case 6) illness or death.

3.4 Extortion:

The motivation for extortion by either an individual or group is financial, to obtain money from the
victim organization. Such activity is attractive to the criminal mind when the product is sensitive or
where a company is seen as rich.

3.5 Espionage:

The primary motivation of espionage is for competitors seeking commercial advantage to access
intellectual property. They may infiltrate using insiders to report, or may attack remotely through
information technology systems. Alternatively, organizations may try to entice executives to reveal
confidential information or use covert recording to capture such material, or they may simply steal the
material.

3.6 Counterfeiting:

The motivation for counterfeiting is financial gain, by fraudulently passing off inferior goods as
established and reputable brands. Both organized and petty crime can cause companies financial loss
and harm to their reputation.

3.7 Cyber-crime:

Modern information and communications technologies provide new opportunities for malpractice.

The fraudster aims to defraud both business and consumer. It is common for the attacker to try to exploit
individual ignorance of the technologies involved.

4.0 Understanding the attacker:

4.1 General:

The plant classifies attackers into the categories below.

4.2 The extortionist:

The extortionist wants to gain financially from an attack but does not want to be caught, and
concentrates on avoiding detection. Their target is more likely to be a high profile business with lots to
lose from negative publicity. They may work alone and be resourceful, secretive and self-interested.
Some individuals may claim to be able to take action against a business while lacking the capability to
carry it out; the business may judge the claim as not credible but still report and respond seriously.

4.3 The opportunist:

The opportunist may hold an influential position within an operation to be able to evade internal
controls. They may have some technical knowledge but their main asset is access. They are likely to
be discouraged by the chance of detection, so unannounced visits by customers or auditors, or sampling
for analysis may deter their actions.

4.4 The extremist:

The extremist takes their cause or campaign so seriously that they distort its context and overlook
wider issues. The dedication to their cause may have no limits and their determination to progress it
can be great.

Extremists may want to cause harm and are likely to enjoy publicity after the event. It may not matter,
and may be a benefit, if they themselves are harmed. The risk of failure is a deterrent, but the risk of
capture after the event is not. They are typically resourceful and innovative in devising ways to attack.

4.5 The irrational individual:

Some individuals have no rational motive for their actions. Their priorities and preoccupations have
become distorted so they are unable to take a balanced view of the world. Some may have clinically
diagnosed mental health issues.

This individual may be readily deterred by simple steps which prevent them from gaining access to
their target or make detection easy.

4.6 The disgruntled individual:

The disgruntled individual believes that an organization has been unfair to them and seeks revenge.
For example, they may be an aggrieved employee or former employee, supplier or customer. They may
have expert knowledge of the operation and access to it.

This attacker is likely to be an individual rather than part of a group. If an insider, they could be
dangerous, but are more likely to want to cause embarrassment and financial loss than harm to the
public. If not an insider, this individual is more likely to claim or boast of having done something than
actually being able to do it.

4.7 The hacktivist and other cyber criminals:

A hacktivist or other cyber-criminal aims to subvert controls on computerized information and
communications systems in order to stop them working effectively, to steal or to corrupt data which
they hold, and/or to disrupt internet business. Their motivation may be criminal, but may also be to
demonstrate their expertise and ability to beat any protective system devised to stop them.

This type of attacker has information and communications technology expertise that can cause
commercial harm and may pose an increasing threat to food safety as internet activity increases.
4.8 The professional criminal:

Organized crime may see food fraud as a relatively simple crime, with big gains in prospect, little chance
of apprehension, and modest penalties if convicted. The global trade in food in which food materials
move, often with little notice, across enforcement area borders appears to encourage the professional
criminal.

They may be deterred by close collaboration between food operations and national and international
police authorities.

Control Measures Against Attackers

Type of Attacker | Nature | Control Measures
The extortionist | Wants gain financially. May work alone and be resourceful, secretive | Legal identity verification. Personal verification before employment. Working under supervision. Access control to critical areas
The opportunist | An influential position within an operation. Have some technical knowledge but their main asset is access | Legal identity verification. Personal verification before employment. Working under supervision. Access control to critical areas
The extremist | Takes their cause or campaign so seriously. May want to cause harm and are likely to enjoy publicity | Legal identity verification. Personal verification before employment. Working under supervision. Access control to critical areas
The irrational individual | No rational motive for their actions. Some may have clinically diagnosed mental health issues | Abnormalities with respect to process & person shall be discussed during daily meeting. Personal verification before employment. Working under supervision. Access control to critical areas
The disgruntled individual | Believes that an organization has been unfair to them and seeks revenge. They may be an aggrieved employee or former employee, supplier or customer. May have expert knowledge of the operation and access to it | Abnormalities with respect to process & person shall be discussed during daily meeting. Personal verification before employment. Working under supervision. Authorization restrictions. Vendor evaluation
The hacktivist and other cyber criminals | Aims to subvert controls on computerized information. Steal or to corrupt data. Has information and communications technology expertise | Password protected systems and equipment panels. Access and authorization restrictions. Working under supervision. Services like calibration, equipment service shall be done with approved vendor.
The professional criminal | Organized crime may see food fraud as a relatively simple crime | Abnormalities with respect to process & person shall be discussed during daily meeting. Personal verification before employment. Working under supervision. Authorization restrictions. Vendor evaluation

5.0 THREAT ASSESSMENT CRITICAL CONTROL POINT (TACCP):

Ref: HFL/FTAS-APEX/01/TRA/5.0 - TACCP Risk assessment carried

5.1 Aim:

• Identify specific threats to the company’s business and reduce the likelihood (chance) of a
deliberate attack.
• Reduce the consequences (impact) of an attack by assessing the potential impact and considering
the consequences of a successful attack.
• Protect plant and customer brand reputation.
• Satisfy international expectations, support the work of own organization and customer
(Hindustan Unilever Limited), and demonstrate that reasonable precautions are taken and due
diligence is exercised in protecting food.

HINDUSTAN FOODS LIMITED unit will take actions to minimize the chances of loss of life, ill health,
financial loss and damage to business reputation that an attack could cause.

5.2 TACCP process:

TACCP shall be conducted through the Food Safety Team to meet its needs, and adapted to other threats as
necessary, to deal with four underlying questions:

A) Who might want to attack us?
B) How might they do it?
C) Where are we vulnerable?
D) How can we stop them?

The following flowchart (see Figure 2) and description of the TACCP process focuses on deliberate
adulteration and contamination.

HINDUSTAN FOODS LIMITED forms the TACCP/Food Safety team, which includes individuals from all
sections/departments. The team follows the steps below and evaluates the threats against the process and
its controls.

1. Evaluate all new information which has come to its attention.
2. Identify individuals and/or groups which may be a threat to the organization and assess their
motivation, capability and determination.
3. Identify individuals and/or groups which may be a threat to the specific operation in the factory
and premises.
4. Draw a process flow chart for the product from, but not limited by, ‘farm to fork’ including, for
example, domestic preparation.
5. Walk through the flow chart and examine each step of the process to identify the
vulnerable points where an attacker might hope for success and the people who would have
access.
6. Identify possible threats appropriate to the product at each step and assess the impact that the
process may have in mitigating the threats.
7. Select the points in the process where the threat would have the most effect, and where they
might best be detected, based on the risk matrix.
8. Assess the likelihood of routine control procedures detecting such a threat.
9. Score the likelihood of the threat happening, score the impact it would have, and chart the
results to show the priority it should be given; revise if this risk assessment seems wrong.
10. Where the priority is high, identify the action points or control measures to reduce or eliminate
the risk, or points to justify that it is not a major risk to the product, organization or brand.
11. Identify and record proportionate preventative action (critical controls). The TACCP/Food Safety
team should have a confidential reporting and recording procedure, and the same is to be kept in
controlled condition.
12. Determine the review mechanism along with the FSMS review, and revise based on the issues
faced or changes in operations.
13. Maintain a routine watch of local issues.

6.0 Assessment:

6.1 Assessing threats:

HINDUSTAN FOODS LIMITED assesses the premises and the organization to control attacks from a
range of groups and individuals (see Clause 4), and each element shall be assessed separately. The
TACCP/Food Safety team shall consider suppliers under financial stress, alienated employees and
former employees, single issue groups, commercial competitors, media organizations, terrorist
organizations, criminals and local pressure groups.

The TACCP/Food Safety team goes through the following to assess the risk and control measures.

6.1.1 For the product:

Areas of risk | Action to be taken
Effect of cost increase on the product | Hindustan Unilever Limited has an agreement with the material vendor and continuously monitors the materials. Supporting documents available with HUL Team.
Product has particular religious, ethical or moral significance for some people | Product commonly used across all category people. Product details printed on Laminate (Pouch) itself like Veg. logo. HUL Team shall ensure the local land rule.
Product is used as an ingredient in a wide range of popular foods | Product and its packaging material made up of approved materials. HUL Team shall ensure the local land rule.
Product contains ingredients or other material sourced from overseas | Product and its packaging material made up of approved materials. HUL Team shall ensure the local land rule.

6.1.2 For the premises:

Requirements | Activity | Action From Plant
Is the plant located in a politically or socially sensitive area? | To check for the past history of the locality. Avoid such locations. | Site selection verification shall be done.
Do the premises share access or key services with controversial neighbours? | Check for: the neighboring premises / plants; product they manufacture; any drainage system shared which can cause issues; contract labors etc. | Site selection verification shall be done.
Are new recruits, especially agency and seasonal staff, appropriately screened? | All employees’ certificate verification and authenticity verification through their Govt approved photo ID card. | Employee personal check sheets verification for all employees before employment.
Are services to the premises adequately protected? | Only approved or verified service providers to be used. | Approved vendor list shall be created based on selection process.
Are external utilities adequately protected? | All utilities like compressed air, water etc. coming in contact with product (compressed air) or workmen (like hand wash water, drinking water etc.) | Access control and authorization restriction given to limited people. External testing schedule for compressed air, swab test, drinking water and utility water.
Are hazardous materials, which could be valuable to hostile groups, stored on site? | Hazardous materials to be stored separately, not in reach of the public and under protection. Hazardous wastes to be removed periodically and recorded. | Hazardous materials shall be stored away from the packing area. Periodic removal shall be monitored by authorized person.
Are large numbers of people (including the general public) using the location? | Only workmen and official visitors are to be allowed. Visitors to be allowed with permission and with gate pass control, accompanied by any one plant staff. | Plant shall have gate control system. Visitors allowed based on the visitor policy.
Are internal audit arrangements independent? | Internal audits to be carried out by own team cross functionally. | Plant shall have internal audit schedule. Adherence and effectiveness of the closure shall be reviewed during Food Safety Meeting and MRM.
Have key roles been occupied by staff for many years with little supervision? | Roles of staff to be monitored by respective HOD on periodic basis. | Plant defines the Roles and Responsibilities of all staff. Respective department head monitors the staff's performance.

6.1.3 For the organization:

Are we under foreign ownership by nations involved in international conflict? | HUL & Hindustan Foods Limited both are in same nation and ensure the local land rule to avoid conflict.
Does product/brand have a celebrity or high profile chief executive or proprietor? | Product belongs to HUL. Hindustan Foods Limited having proper agreement with HUL.
Does organization have a reputation for having significant links, customers, suppliers, etc. with unstable regions of the world? | HUL & Hindustan Foods Limited both are in same nation and ensure the local land rule to avoid conflict.
Are brands regarded as controversial by some? | HUL & Hindustan Foods Limited both are in same nation and ensure the local land rule to avoid conflict.
Do we or our customers supply high profile customers or events? | Hindustan Foods Limited gets the material from HUL approved vendor and dispatch to HUL Depots as per the received plan from HUL.

6.2 Assessing vulnerabilities:

Ref: HFL/FTAS-APEX/01/VRA/6.2 - VACCP Risk assessment

Ref: HFL/FTAS-APEX/01/VRA/6.2/FM/001 - The site verification of VACCP is done once a month through the
VACCP self assessment check list.

6.2.1 General:

Organizations have different business needs and operate in different contexts. The TACCP/ Food Safety
team can judge which approach and questions are appropriate and proportionate to the threats they
identify.

6.2.2 Economically motivated adulteration (EMA)

A typical feature of EMA (see 3.2) is the substitution of a low cost item in place of a relatively high cost
component/ingredient. The TACCP/Food Safety team needs to be alert to the availability of such
alternatives. An example where this may happen is when added value is claimed (e.g. organic, non-GM,
locally grown, free range or with protected designations of origin).

The TACCP/Food Safety team goes through the following to assess the risk and control measures.

Are low cost substitute materials used? | Material purchased by HFL team with HUL approved vendors only.
Have there been significant material cost increases? | HFL Team monitors the material availability in market and its cost variations.
Do you trust your suppliers’ managers, and their suppliers’ managers? | Supplier audit shall be planned by HUL team and documents available with HUL representative. Mass balancing done for critical suppliers by HUL Team. Material inspection system in place during its receipt.
Do key suppliers use personnel security practices? | Supplier audit shall be planned by HUL team and documents available with HUL representative. Mass balancing done for critical suppliers by HUL Team. Material inspection system in place during its receipt.
Do suppliers think that we monitor their operation and analyze their products? | Material inspection system in place during its receipt. Vendor audit done by HUL Team and documents available with HUL team.
Which suppliers are not routinely audited? | HUL Team maintains the vendor performance details and vendor audit schedule.
Are we supplied through remote, obscure chains? | HFL gets the material from HUL approved vendor and dispatch to HUL Depots as per the received plan from HUL.
Are major materials becoming less (available) or alternatives plentiful (e.g. from overproduction)? | Materials are procured by Hindustan Foods Limited from HUL approved vendor.
Have there been unexpected increases or decreases in demand? | HUL Team monitors the material availability in market and its cost variations. Material purchased by HFL team with HUL approved vendors.
How do suppliers dispose of excessive amounts of waste materials? | HUL having agreement with approved suppliers to ensure the product disposal.
Are we aware of shortcuts to the process which could affect us? | Hindustan Foods Limited having eligible staffs to monitor the process against the standard procedure.
Are our staff and those of suppliers encouraged to report concerns (whistle blowing)? | Hindustan Foods Limited & suppliers are not having direct interactions. Communications passes through HUL team only. All staffs having access to top management directly to raise their concerns.
Are accreditation records, certificates of conformance and analyses reports independent? | Hindustan Foods Limited having their own inspection team and they are directly reporting to top managements.

All materials are procured by Hindustan Foods Limited, and during receipt at the plant the materials
will be inspected based on the specification and UMA method from HUL. Test reports
will be shared, and if any material fails, the rejection call will be taken by HUL.

6.2.3 Malicious contamination:

Questions which the TACCP/ Food Safety team could ask of both its own operations and that of its
suppliers include:

Requirement | Activity | Action From Plant
Are food safety audits rigorous and up-to-date? | Ensure food safety audits are happening as per the calendar. | Hindustan Foods Limited defines the internal audit plan for own process. Adherence and effectiveness shall be reviewed during Food Safety Team meeting & MRM. Supplier audit planned by HUL team.
Are personnel security procedures in use? | Ensure the workmen and staff inspecting the products is as per the specification and records are cross verified. | Inspection activity randomly circulated within the team. Periodic R&R conducted for all inspection people. Records randomly cross checked by Sr. Executive-QA.
Is access to product restricted to those with a business need? | Ensure any external person entering the plant or premises is with gate pass and approvals. | Visitors allowed only based on the visitor policy. Photo capturing restricted in process area. Mobile not allowed inside the plant premises. CCTV monitoring & accompanied by staff.
Do storage containers have tamper-evident seals? | Ensure RM and FG bags are tied with cable tie (tamper proof). | Weekly and monthly mass balancing checks done through SAP.
Is the organization involved with controversial trade? | Under HUL Scope | Hindustan Foods Limited dispatches the FG materials to HUL Depots based on the plan received from HUL team.
Is the organization owned by nationals from conflict areas? | No |
Is there opportunity for access by sympathizers of single issue groups? | No |
Do any employees bear a grudge against the organization? | HR HOD & Factory Manager recorded the grievances from workers. | Any grievances from Hindustan Foods Limited workers will be recorded by HR HOD / Unit head.

6.3 Assessment of risk:

Organizations understand the threats that they face, but shall focus attention on the priority ones.
For each identified threat the TACCP/ Food Safety team considers and gives a score for the likelihood
of each threat happening and for its impact (see Table 1).

THREAT ASSESSMENT CRITICAL CONTROL POINT:

Scoring pattern:

Score | Probability | Severity | Brand image | Economical
1 | Low | No medical treatment required | No brand image loss | No loss
2 | Medium low | First Aid | Within plant | Minor loss
3 | Medium | Medical treatment | City | Medium loss
4 | Medium high | Hospitalization | State | Huge loss
5 | High | Fatal or catastrophic | India impact | No control

Risk Score = Severity * Probability

If Risk Score = 1-8: No risk
If Risk No. = 9-25: TACCP point

SEVERITY \ PROBABILITY | 1 | 2 | 3 | 4 | 5
1 | 1 | 2 | 3 | 4 | 5
2 | 2 | 4 | 6 | 8 | 10
3 | 3 | 6 | 9 | 12 | 15
4 | 4 | 8 | 12 | 16 | 20
5 | 5 | 10 | 15 | 20 | 25

VULNERABLE ASSESSMENT CRITICAL CONTROL POINT:

Scoring pattern:

Score | PROBABILITY
1 | Low
2 | Medium low
3 | Medium
4 | Medium high
5 | High

Vulnerability score:

Risk Score = Severity * Probability

Risk No. 1-8: No risk
Risk No. 9-25: Vulnerability point

SEVERITY \ PROBABILITY | 1 | 2 | 3 | 4 | 5
1 | 1 | 2 | 3 | 4 | 5
2 | 2 | 4 | 6 | 8 | 10
3 | 3 | 6 | 9 | 12 | 15
4 | 4 | 8 | 12 | 16 | 20
5 | 5 | 10 | 15 | 20 | 25

6.4 TACCP reporting

Hindustan Foods Limited conducted a risk assessment on the TACCP and recorded the same. It is used
to demonstrate that the business had taken all reasonable precautions.

TACCP Hazard assessment document - (Ref No: HFL/FTAS-APEX/01/TRA/5.0)

S. No | Threat | Contributing factor | Severity Score: Health | Severity Score: Brand image | Severity Score: Economical loss | Avg Severity | Prob | Risk No. | TACCP | Control measure | Justification | Risk Owner

6.5 VACCP reporting

Hindustan Foods Limited conducted a risk assessment on the VACCP and recorded the same. It is
used to demonstrate that Procurement and Transportation had taken all reasonable precautions.

VACCP Hazard assessment document – (Ref No: HFL/FTAS-APEX/01/VRA/6.2)

[Table header, VACCP hazard assessment template. Column labels: S.No; Material; Vulnerability Assessment; Contributing factor; Probability (Supply chain, Supplier relationship, Geopolitical issues, Test frequency, Audit Strategy, Economical Anomalies, History of Fraud, Quality Issues history); Avg Prob; Severity; Avg Sev; Vul Score; Risk No.; VACCP; Control measure; Justification; Risk Owner]

7.0 Critical controls:

7.1 Controlling access:


The organization maintains access control for workmen, visitors, vehicles and other aspects through
gate control, surveillance cameras and a dedicated parking place.

Approaches to risk reduction

Risk Controls | Approach
Access to people on business only | People access by appointment and restricted to process area
Vehicle parking outside perimeter | Dedicated parking place provided away from the process area
Premises zoned to restrict access to those with a business need | Process area separated and isolated. Authorization restricted for entering process area for visitors.
Visible and comprehensive perimeter fencing | Boundary Wall / Clear Boundary Wall / fencing provided around the plant
CCTV monitoring/recording of perimeter vulnerabilities | CCTV monitoring and Recording facility available for all vulnerable points

Access to vehicles:

Risk Controls | Approach
Monitored access points | Access points having CCTV monitoring and Recording. Unloading and loading done under the supervision of Security and stores team.
Approach roads traffic-calmed | Vehicle movement path & Parking zone defined
Scheduled deliveries | Material receipt and dispatch done based on the HUL Requirements. Same to be verified by stores team before allowing the vehicles.
Documentation checked before admittance | Supporting documents verified by security at gate and stores team before accepting the vehicle. Vehicle inspection system in place.
Missed deliveries investigated | Bulk bags having tamper-evident seal and batch & number tracking system. Dispatched vehicle having tamper-evident seal with number tracking system.

Screening of visitors:


Risk Controls | Approach
By appointment only | Visitors allowed only on appointment
Proof of identity required | Visitor details collected and verified at security gate
Accompanied throughout | Staff / security accompany throughout the visit
Positive identification of staff and visitors | Visitor pass system in place. Visitor entry register in place. Self declaration form in place.
CCTV monitoring and recording of sensitive areas | CCTV Monitoring and Recording system in place for all sensitive areas

Other aspects:

Risk Controls | Approach
Secure handling of mail | All the systems having password protection and limited authorization given to access.
Restrictions on portable electronic and camera equipment | Area restricted to take photos and copy electronic data. Accompany throughout the visit.
Limitations on access to mains services | Visitors allowed only on appointment and access to their scope only.

7.2 Tamper detection:


Much raw material storage, some product storage, most distribution vehicles and all packaged foods
can be tamper evident. Should an attacker gain access, tamper evidence gives some chance that the
attack may be detected in time to avoid the impact.

Detecting Tamper:

Activity | Controls
Raw Material | Seal verification system during unloading. Document verification system before start of unloading. Quantity verification system before start of unloading. Material quality inspection system after unloading. Vehicle inspection system before start of unloading.
Packaging Material | Document verification system before start of unloading. Quantity verification system before start of unloading. Material quality inspection system after unloading. Vehicle inspection system before start of unloading.
Storage (RM, PM, FG, HK & scrap yard) | All raw material stored on racks through ASRS system. Limited authorization given to handle the ASRS system. All packaging material stored on racks with proper identification label with bin card. All finished goods are in a 2 layer packing system with sealed inner layer and double stitched outer layer. Housekeeping chemicals stored with proper identification, lock & key system in place and limited authorization given to handle. All the material issued authorized persons only. All materials mass balancing on weekly / monthly basis. CCTV monitoring and recording system in place for all areas.
Electronic storage | All the computers are password protected. Limited authorization given to access the mail and computer.
Effective seals on retail packs | All the retail packs having effective seal. CCTV monitoring & recording system in place for all important areas.
Dispatches | Dispatch against HUL Planning. Vehicle selection through approved transporters. Vehicle inspection and approval system in place and QA persons only approved. Seal recording and bag counting system in place. CCTV monitoring & recording system.

7.3 Assuring personnel security:

Personnel security guidance is used to mitigate the insider threat to the organization. Its principles can
also be used by food businesses to judge whether key staff within the organizations that supply goods
and services can be trusted to comply with specifications and procedures, and to work in the best
interest of both the supplier and customer.


Pre-employment Checks:

1 Proof of identity
2 Proof of qualifications
3 Verification of contractors
4 More sensitive roles identified with appropriate recruitment

On-going personnel security:

Activity | Approach
Staff in critical roles motivated and monitored | Incentive system in place to motivate the people. Top management is involved and monitors their routine issues.
Loaders from external | All loaders are working under contractor. Legal identity verification. Verification against visitor pass. Personal hygiene verification. Basic food safety induction shall be given. Working under supervision. Access restricted to limited areas.
Whistle packing arrangements | Daily abnormality monitoring system in place
Temporary staff supervised | No temporary staff, and all external persons work under supervision.
Individuals able to work alone | Induction and approval system in place. Review system in place.
Favorable security culture | Security control in place. CCTV monitoring and recording system in place.

End of contract arrangements:

Activity | Approach
Access and ID cards and keys recovered | Hand over system in place
Computer accounts closed or suspended | Electronic data retained with different password
Termination interview assesses security implications | Hand over and Relieving system in place

8.0 Response to an incident:

8.1 Management of a food protection crisis:


The food protection and defense system aims to reduce the risk of an attack but cannot eliminate it, so
emergency response and business continuity protocols are essential.

Food protection may sit within a business’ crisis management system (see BS 11200), and is likely to
share its general objectives:

• To minimize physical and financial harm to consumers, customers, employees and others
• To collaborate with investigatory and enforcement authorities
• To gain public support for the organization
• To minimize the cost, financial, reputational and personal, of the incident
• To prevent re-occurrence and to identify offenders.

Where contamination is implicit, quarantine and withdrawal / recall of product shall be initiated.
A mock recall is to be conducted once a year to ensure the system's effectiveness.

Ref: HFL/SOP/QA/025 - MANAGEMENT OF INCIDENTS, PRODUCT WITHDRAWAL AND PRODUCT RECALL

8.2 Contingency planning for recovery from attack:

Business continuity management principles give good resilience to react to and recover from an
attack. Advice on how best to develop and implement your organization’s recovery in response to a
disruptive incident is provided in BS ISO 22313.

9.0 Review of food protection arrangements:

Any changes which could affect the TACCP assessment, such as breaches and suspected breaches of
security or authenticity, are to be immediately reported to the TACCP/Food Safety team leader, who decides
if a full review is needed.
The review takes place along with the Food Safety MRM once every half year with top management, or
whenever it is necessary.

The TACCP/Food Safety team shall review food protection arrangements once a year.

*********
