General (100%)
1. Does the business license match the current location name and address as listed on the audit sheet?
Actual
Yes
No
Comments: No comments were provided
2. Must Is there a primary point of contact (POC) identified regarding security matters?
Actual
Yes
No
Comments: No comments were provided
3. Did the facility provide previous SCAN audit CAPAs to the auditor in preparation of this audit?
Actual
No
Yes
NA
Comments: This is the initial SCAN audit.
5. Must Has the audited location recently (within the last 60 days) participated in the free SCAN Security and Threat Awareness Training provided in advance of this audit?
Actual
Yes
No
SCAN training certificate of the audittee.jpg
Comments:
Page 1 of 93
Risk Assessment (100%)
6. Must Does the facility have a risk assessment that identifies vulnerabilities in the business plan?
Actual
Yes
No
Risk assessment.jpg
Comments: No comments were provided
7. Must Is the facility risk assessment shared with business partners and contractors?
CAPA Sent: 3/14/20..
Due Date: 3/28/20..
CAPA: Insufficient comments provided. Pls upload evidence for review to confirm the risk assessment has been shared with business partners and contractors, or describe in the comments area when and how the facility implemented this requirement.
Actual
Yes
No
7.Share risk assessment with business partners.pdf
Comments: 1. The company conducts an internal risk assessment at least once a year. 7 days after the risk assessment results are available, the departments are responsible for sharing the Company's risk assessment report with business partners and contractors by email or in writing, requiring the business partner's confirmation.
2. Conduct training.
4. Share “Risk Assessment” with business partners.
5. Date completion 15/03/20...
CAPA Sent: 2/21/20..
Due Date: 4/22/20..
CAPA: It is a good business practice to share your risk assessment with your business partners, suppliers, and vendors to allow for coordination of corrective actions and business continuity planning. Please provide a summary in the comments section of how this gap has been resolved by the due date provided. If additional time is required, please describe your plan and provide a timeline for completion and implementation.
Actual
Yes
No
Comments: 1. Modifying the business partner selection and management evaluation process, adding the content "The security department is responsible for sharing the Company's risk assessment report for business partners" by email or paper documents, requiring confirmation from business partners.
2. Conduct training.
3. The security department conducts:
- Identify threats, identify hazards, assess risks, and give control methods for all operations of the department.
- Activities include regular and irregular activities (including activities of contractors and visitors).
- Heads and deputy heads of departments are responsible for organizing the implementation of: identify threats, identify hazards, assess risks according to the frequency of this process.
- The director, the head of department or designee is responsible for identifying threats and identifying hazards of activities at the department.
- Where the department has high-threat, high-risk activities, the head of department is responsible for monitoring the control measures for that hazard.
- The security department is responsible for aggregating high-risk threats across the company for monitoring and control.
4. Relevant departments share “Risk Assessment” with business partners.
5. The security department reviewed and re-evaluated the above implementation.
Actual
Yes
No
Comments: There was no evidence to prove that the risk assessment performed on 25th November 2021 was shared with business partners and contractors.
8. Material Does the facility risk assessment include vulnerabilities specific to contracted service providers such as contractors, seasonal employees etc.?
Actual
Yes
No
Comments: No comments were provided
9. Must Is the facility risk assessment updated periodically?
Actual
No updates noted or last update greater than 24 months ago
Last update within the past 12 months
Last update between 12 months and 18 months
Last update between 18 months and 24 months
Comments: No comments were provided
10. Must Define the facility's cargo mapping process. (Select all that apply)
Actual
A written cargo process map is available
No written cargo process map is available
The cargo process map includes transit times from origin to final container yard
The cargo process map includes locations where freight may be at rest
NA
Comments: No comments were provided
11. Material Define the facility's crisis plan. (Select all that apply)
CAPA Sent: 3/14/20..
Due Date: 3/28/20..
CAPA: Insufficient comments provided. Pls update your selection to match the previous answer selected by the auditor and provide a timeline to update the crisis plan to include alternative locations if the facility is rendered unusable.
Actual
No documented crisis plan available
Crisis plan includes reporting crisis-related issues to business partners as necessary
Crisis plan includes alternative locations if facility is rendered unusable
Documented crisis plan available
11.Plan for an alternative site in the event of a plant crisis.pdf
Comments: 1. Our company has 3 factories in 3 different locations. So in case Factory 1 is unusable, we can choose 1 of the following 2 Factories:
CAPA Sent: 2/21/20..
Due Date: 4/22/20..
CAPA: Develop and share your facility crisis plan with all of your business partners. Include in your crisis plan alternative locations to establish operations in the event the facility is unusable for any significant period of time. Please provide a summary in the comments section of how this gap has been resolved by the due date provided. If additional time is required, please describe your plan and provide a timeline for completion and implementation.
Actual
No documented crisis plan available
Crisis plan includes reporting crisis-related issues to business partners as necessary
Crisis plan includes alternative locations if facility is rendered unusable
Documented crisis plan available
Comments: A business continuity plan (BCP) is a plan that describes how the Company will continue operating during an unexpected crisis or disturbance in the system.
- Business continuity planning (BCP) includes contingency plans for business processes, description of quick response to emergencies, and detailed strategies on how business can be maintained during short- and long-term downtime of operations. Ensure that risks to assets, human resources and business partners are minimized, as well as every aspect of the Company that may be affected.
The Company's Security Department needs to consider revising the Business Continuity Plan to add alternative locations if the facility is unusable during a crisis, specifically as follows:
1. The planning department considers factors to identify and assess risks in business compared to the conditions of order production at another factory within the Company's system or associated with another manufacturing company, and chooses that factory/company as a backup replacement location if the facility is unusable during a crisis.
2. After that, the security department conducts the first assessment of the standby factory/company to ensure proper and complete compliance with laws, compliance with social responsibility, Customs-Trade Partnership Against Terrorism (C-TPAT), the security standards of the Company and other standards of the customer.
3. After the assessment, the Board of Directors decides to choose the factory/company to become the backup replacement location; the Planning department makes a list to add to the Business continuity plan and continues to monitor and assess the compliance level of the partner based on current law and the customer's standard.
4. The Security department is responsible for conducting periodic assessments and sharing the Company's risk assessment report with the backup replacement factories/companies.
Actual
No documented crisis plan available
Crisis plan includes reporting crisis-related issues to business partners as necessary
Crisis plan includes alternative locations if facility is rendered unusable
Documented crisis plan available
Crisis plan.jpg
Comments: The facility established the documented crisis plan on 28th September 2020 and reviewed this plan annually on 25 Nov 2021, but an alternative location was not mentioned.
Business Partner Requirements (100%)
12. Does the facility contract services such as security, transportation or manufacturing labor?
Actual
Yes
No
Comments: The facility used transportation service and security service providers with the below information:
1. Transportation service provider
13. Must Does the facility review and provide copies of security criteria to business partners, particularly those that support international supply chain activities?
Actual
Yes - Security criteria reviewed and provided in local language
Yes - Security criteria is reviewed but not provided to business partners
No - Security criteria is not reviewed at all
Yes - Security criteria reviewed and provided in English only.
Requirement for business partner.jpg
Comments: No comments were provided
14. Must Does the facility have written procedures used in the selection of business partners including: material suppliers, manufacturers, and logistics service providers? (Select all that apply)
CAPA Sent: 3/14/20..
Due Date: 3/28/20..
CAPA: Based on your comments, pls provide a completion date for review. Then update your selection to all the applicable options to get the full score.
Actual
Documented screening process is available
Screening process is done on an annual basis
Screening process includes looking for evidence of money laundering and terrorism funding
No screening process takes place
Screening process includes monitoring for financial stability
14. Business partner selection process.pdf
Comments: 1. Modify the process of evaluating, selecting and managing business partners:
- Valid business license;
- Information about the license holder;
- Operation time of the company;
- Combat money laundering and terrorist financing;
- Financial stability.
The search and verification is based on:
- Review the records
- Find information about businesses online
2. Supplement the basic information and other information that should be considered as above in the Supplier Selection Survey / Periodic Supplier Evaluation.
3. Conduct training.
4. Add a profile to evaluate the full list of business partners.
5. Date completion 11/03/20..
CAPA Sent: 2/21/20..
Due Date: 4/22/20..
CAPA: Develop a written procedure covering the steps utilized in the selection of business partners. Please provide a summary in the comments section of how this gap has been resolved by the due date provided. If additional time is required, please describe your plan and provide a timeline for completion and implementation.
Actual
Documented screening process is available
Screening process is done on an annual basis
Screening process includes looking for evidence of money laundering and terrorism funding
No screening process takes place
Screening process includes monitoring for financial stability
Comments: 1. Modify the process of evaluating, selecting and managing business partners:
- Valid business license;
- Information about the license holder;
- Operation time of the company;
- Combat money laundering and terrorist financing;
- Financial stability.
The search and verification is based on:
- Review the records
- Find information about businesses online
2. Supplement the basic information and other information that should be considered as above in the Supplier Selection Survey / Periodic Supplier Evaluation.
3. Conduct training.
4. Add a profile to evaluate the full list of business partners.
Actual
Documented screening process is available
Screening process is done on an annual basis
Screening process includes looking for evidence of money laundering and terrorism funding
No screening process takes place
Screening process includes monitoring for financial stability
Business partners selection procedure.jpg
Comments: The facility had written procedures for the selection of its business partners on 1st October 2020. The following terms were not included in the aforesaid procedures:
- Screening process includes looking for evidence of money laundering and terrorism funding.
- Screening process includes monitoring for financial stability.
15. Must Are the facility's contracted business partners required to conduct an annual security risk assessment of their operation?
Actual
No
Yes - Annually
Yes - every 2 years
Yes - At time of contract initiation only
Comments: No comments were provided
16. Must Does the facility require business partners to provide a statement of compliance or complete a questionnaire highlighting CTPAT Minimum Security Requirements that are in place? Is the statement or questionnaire renewed annually? (Select all that apply)
Actual
Compliance Statement and/or Security Questionnaire required
No
Renewed annually
Comments: No comments were provided
17. Must If there are areas of non-compliance found on the questionnaire, does the facility require corrective action plans from the business partner with evidence of implementation?
Actual
Yes
No
Comments: No comments were provided
Cyber and Information Technology Security (100%)
18. Must Does the facility have a comprehensive written cyber security policy to protect information technology systems? Is the policy reviewed and updated annually?
Actual
Policy is written and was updated within the past 12 months
Policy is written and was updated within the past 12-18 months
Policy is written but last update was greater than 18 months ago
No written policy is available
NA
Comments: No comments were provided
19. Must Does the facility have firewall and malware software installed to identify, protect, detect, respond and recover their network? (Select all that apply)
Actual
Firewall deployed
Anti-malware software installed
No firewall or anti-malware software deployed
NA
Comments: No comments were provided
20. Must How frequently are updates performed on firewall and malware software? (Select all that apply)
Actual
Software updates are automatically deployed from the software providers
Manual updates installed by on site IT services as needed
No updating is performed
NA
Comments: No comments were provided
21. Must Are test scenarios conducted to identify open ports and IP addresses that create vulnerable access to the internal network?
CAPA Sent: 3/14/20..
Due Date: 3/28/20..
CAPA: Based on your comments, pls provide a completion date for review to confirm this has been implemented.
Actual
Vulnerability tests are conducted by IT personnel
No vulnerability tests are conducted
NA
21. Scenario of information technology incident rehearsal.pdf
Comments: 1. Adding the plan of information security incident response and handling drills to the Process and measures when detecting information technology security threats, at least twice a year.
2. IT department planning drills: A rehearsal is an exercise that simulates a real-life information incident scenario in the company. Participants are assigned roles that resemble their actual roles. Since drills are intended to test real-world knowledge and skills, participants act on their own prior experience, knowledge, and skills, and are not informed of the scenario or of predefined actions in the events. Rehearsal participants need to act on the information they receive during the rehearsal.
3. The company organizes the exercise "Responding to cyberinformation security incidents" according to the plan.
4. The members of the teams participating in the drill apply the knowledge and skills they have been equipped with to respond to cyberinformation security incidents in real combat drills in specific situations, while also exploiting vulnerabilities. The attack vulnerability has just participated in handling network information security incidents in accordance with the network information security incident handling process: detection, analysis, troubleshooting and system operation recovery.
5. Date completion 09/03/20..
CAPA Sent: 2/21/20..
Due Date: 4/22/20..
CAPA: You should have a plan to implement test scenarios to identify cyber security risks. Please provide a summary in the comments section of how this gap has been resolved by the due date provided. If additional time is required, please describe your plan and provide a timeline for completion and implementation.
Actual
Vulnerability tests are conducted by IT personnel
No vulnerability tests are conducted
NA
Comments: 1. Adding the plan of information security incident response and handling drills to the Process and measures when detecting information technology security threats, at least twice a year.
2. IT department planning drills: A rehearsal is an exercise that simulates a real-life information incident scenario in the company. Participants are assigned roles that resemble their actual roles. Since drills are intended to test real-world knowledge and skills, participants act on their own prior experience, knowledge, and skills, and are not informed of the scenario or of predefined actions in the events. Rehearsal participants need to act on the information they receive during the rehearsal.
3. The company organizes the exercise "Responding to cyberinformation security incidents" according to the plan.
4. The members of the teams participating in the drill apply the knowledge and skills they have been equipped with to respond to cyberinformation security incidents in real combat drills in specific situations, while also exploiting vulnerabilities. The attack vulnerability has just participated in handling network information security incidents in accordance with the network information security incident handling process: detection, analysis, troubleshooting and system operation recovery.
Actual
Vulnerability tests are conducted by IT personnel
No vulnerability tests are conducted
NA
Comments: No test scenarios were conducted to identify any vulnerable access to the internal network.
22. What actions are taken when problems are identified while testing firewall, malware, and other network vulnerabilities?
Comments: If problems are identified when checking for firewalls, malware, and network vulnerabilities, the following steps are taken:
Step 1: Isolate the area from the network attack
- When detecting a network attack incident, it is necessary to immediately disconnect the system and quickly assess the impact of the problem on the network system. Find out the device that has been compromised, the data that has been stolen, and the extent of the impact.
- Disconnect the internal network and the Internet to isolate the computer infected with the virus, then scan for viruses and other vulnerabilities.
Step 2:
- After cleaning the computer infected with the virus, the IT department will check the reason why the computer was infected. Make inspection records, handle incidents and notify the departments of the reasons for the risk of virus infection.
Step 3:
- Reconnect the system to the computer. Update vulnerability and security patches for Windows.
Step 4: Contact
- Inform the department, director.
- Partners - for timely handling and prevention.
- Government: Department of Cybersecurity and High-tech Crime Prevention, Ministry of Public Security - phone number: 0338.897.798,
1. Adding the plan of information security incident response and handling drills to the Process and measures when detecting information technology security threats, at least twice a year.
2. IT department planning drills: A rehearsal is an exercise that simulates a real-life information incident scenario in the company. Participants are assigned roles that resemble their actual roles. Since drills are intended to test real-world knowledge and skills, participants act on their own prior experience, knowledge, and skills, and are not informed of the scenario or of predefined actions in the events. Rehearsal participants need to act on the information they receive during the rehearsal.
3. The company organizes the exercise "Responding to cyberinformation security incidents" according to the plan.
4. The members of the teams participating in the drill apply the knowledge and skills they have been equipped with to respond to cyberinformation security incidents in real combat drills in specific situations, while also exploiting vulnerabilities. The attack vulnerability has just participated in handling network information security incidents in accordance with the network information security incident handling process: detection, analysis, troubleshooting and system operation recovery.
- Date completion 09/03/20..
22. Troubleshooting procedures identified while checking firewalls, malware, and network vulnerabilities.pdf
23. Material To whom does the facility report cybersecurity threats and attempts at unapproved access to network systems?
Actual
Senior management
Internal business partners
External business partners
Customers / suppliers
Government agencies
No reporting process and procedure in place
NA
Comments: No comments were provided
24. Must Are automated systems in place to monitor and prevent attempts of unauthorized access and tampering with systems and/or electronic data?
Actual
No
Yes
NA
Comments: No comments were provided
25. Must Does management regularly review the employees with network access in order to restrict access to only those applications required to perform current job requirements?
Actual
Management reviews annually
Management reviews quarterly
Management reviews monthly
No management review conducted
NA
Comments: No comments were provided
26. Must Is there a written procedure to remove network access for employees who are terminated or on leave longer than vacation? (Select all that apply)
Actual
Access immediately removed for terminated employees
Employees on long term disability or maternity leave have access suspended
No written procedure is available
NA
Comments: No comments were provided
27. Must How is computer access managed at the factory? (Select all that apply)
Actual
Passwords are required
No passwords are required
Passwords are changed periodically.
Passwords must be complex
NA
Comments: No comments were provided
28. Must If employees and/or contractors are permitted to access information technology (IT) systems remotely, is a virtual private network (VPN) or similar software used to control access?
Actual
Remote access is permitted and VPN or similar software is used
Remote access is permitted but no VPN or similar software is used to control access
Remote access is not permitted
Comments: No comments were provided
29. Must Do all security policies apply to personal devices that connect to the network?
Actual
Facility does not permit personal devices to connect to the network
All security policies apply to personal devices
Security policies do not apply to personal devices
Comments: No comments were provided
30. Material Does IT security limit and monitor the downloading of software and access to external websites?
CAPA Sent: 3/14/20..
Due Date: 3/28/20..
CAPA: Based on your comments, pls provide a completion date for review to confirm this has been implemented.
Actual
No
Yes
30. Limited IT security and monitoring of software downloads and access to websites.pdf
Comments: 1. In order to monitor software downloads and access to external websites, the Security Committee needs to make amendments to the Information Technology Usage and Management Procedures that include the following: Employees are not allowed to use the Internet to download unauthorized software or data. Separate accounts, with clear rights and responsibilities, for social network accounts, websites, and systems.
- List of software allowed to install
- Authorize website access
2. Conduct training.
3. Check reviews.
4. Date completion 09/03/20..
CAPA Sent: 2/21/20..
Due Date: 4/22/20..
CAPA: Develop a policy limiting who and how external websites can be accessed and who is permitted to download software. Please provide a summary in the comments section of how this gap has been resolved by the due date provided. If additional time is required, please describe your plan and provide a timeline for completion and implementation.
Actual
No
Yes
Comments: 1. In order to monitor software downloads and access to external websites, the Security Committee needs to make amendments to the Information Technology Usage and Management Procedures that include the following: Employees are not allowed to use the Internet to download unauthorized software or data. Separate accounts, with clear rights and responsibilities, for social network accounts, websites, and systems.
- List of software allowed to install
- Authorize website access
2. Conduct training.
3. Check reviews.
Actual
No
Yes
Comments: It was noted that limitation and monitoring measures for downloading external software were not in place on the facility's computers.
31. Material How frequently is data backed up for this facility?
Actual
No data back ups are performed
Data is backed up daily
Data is backed up weekly
Data is backed up monthly
Comments: No comments were provided
32. Material Is the data backup stored offsite and encrypted?
CAPA Sent: 3/14/20..
Due Date: 3/28/20..
CAPA: Insufficient comments provided. The data backup needs to be offsite instead of stored in the IT server room inside the facility. Pls describe how you implemented this requirement. Then, select all the applicable options to get the full score.
Actual
Data backup is stored offsite
Data backup is encrypted
Data is not stored offsite nor encrypted
32. Backups of data are stored externally and are encrypted.pdf
Comments: Every day, after storing data, the IT staff responsible for preservation move the hard drive to storage room 306 and put it back in the locker.
- Date completion 09/03/20..
CAPA Sent: 2/21/20..
Due Date: 4/22/20..
CAPA: It is a best practice to have data backed up off-site and encrypted. Please consider establishing such a program as this may become a requirement in the future. Please comment that you acknowledge your consideration.
Actual
Data backup is stored offsite
Data backup is encrypted
Data is not stored offsite nor encrypted
Comments: The purpose of backing up data is to create another copy of the data that can be restored when the original data has a problem for any reason. Main data failure can be caused by hardware or software failure, breakage or man-made causes such as a virus attack (virus or malware), or accidental deletion of data. The data backup allows data to be restored from an earlier time to help the company recover from force majeure.
1. Modify the process of management and use of information technology as follows, data backup content:
- With personal computers: Important data that needs to be stored on personal computers is automatically backed up online on Google Drive. Folders to be backed up will be backed up continuously in real time. The Google Drive account is managed by the IT department.
- With the server: Server data is backed up to an external storage device every 5 days and by online data backup on BAIDU's server once a day. The external data storage device is secured by password and 256-bit encryption.
2. Conduct training.
3. Records of archival database backup.
Actual
Data backup is stored offsite
Data backup is encrypted
Data is not stored offsite nor encrypted
Backup data inside the facility.jpg
Comments: It was noted that the facility backed up data to a hard disk drive at least once per week, but it was stored in their IT server room inside the facility instead of offsite.
33. Material Is equipment slated for disposal returned to the IT department for disposal?
Actual
Yes
No
Comments: No comments were provided
Conveyances and Instruments of International Traffic (100%)
34. Does the facility load trailers/containers or Instruments of International Traffic (IIT)?
Actual
Yes
No
Comments: No comments were provided
35. Critical While in the facility's control, are containers stored in a secured manner whether on-site or off-site?
Actual
Container/trailer storage area is free from personal vehicle parking and any other storage
Area is secured as described in CTPAT MSC requirements
Stored, loaded containers/trailers are secured with a seal
Container/trailer storage does not meet minimum security requirements
Comments: Containers/trailers were stored in a secured area with a seal, CCTV, physical fence and security guard's monitoring.
36. Were you able to observe a container inspection in process or a previously completed container inspection via CCTV recordings?
Actual
Yes
No
Comments: No comments were provided
37. Critical Is there a written procedure in place to inspect the security integrity of a container or trailer prior to loading?
Actual
Yes
No
Container and trailer inspection procedure.jpg
Comments: The written procedure to inspect container and trailer prior to loading was established on 30 March 2020 and reviewed annually on 25 November 2021.
38. Critical Is there a documented, comprehensive inspection of a trailer/container conducted prior to loading of the container? (Select all that apply)
Actual
Size of container notated
Name of person performing the inspections included on checklist
Undercarriage checked for damage
No inspections completed or documented
Checklist is utilized
Date and time of inspection notated
Floor and roof of container intact, no holes or leaks notated
Outside walls free of damage notated
Inspection for invasive species (eggs, nests, dirt, seeds) included
Container inspection checklist.jpg
Comments: No comments were provided
39. Material Are photos and/or CCTV videos taken during the container/trailer loading process? (Select all that apply)