CTPAT Cybersecurity Requirements For Consolidators - January 2020

The document discusses Maersk's cyber security policies and procedures across several sections. It outlines requirements for securing supply chain partners, maintaining security event logging and forensics capabilities to investigate breaches, policies for securing networks and managing systems/applications access, and standards for asset management, testing resilience and backups. Sections discuss policies for access management, prohibiting direct external connections, securing mobile devices, and reviewing cyber policies annually. The full document provides in-depth details on Maersk's cyber security framework.

Guidance; Cyber Security

Sections 4.1 - 4.13

Section 4.1;

The Cyber Security Supply Chain process focuses on onboarding suppliers (including new suppliers,
renewals, proofs of concept and trials) from a data and information security perspective, to ensure
robust agreements are in place with our suppliers. To meet its business objectives, Maersk interacts
with a range of external suppliers, who in turn have access to and process confidential information
and business-critical applications and services. Loss, theft, or unauthorised disclosure of or access to
confidential information by external suppliers could be detrimental to Maersk and/or its staff.
Additionally, failure of an external service due to a cyber incident could lead to a significant outage
of critical business processes.
https://teamsite.maerskgroup.com/sites/MLI-CyberSecurity/SitePages/IS0102_SChainSecurity.aspx

Section 4.2; 4.5 Threats and Breaches

Maersk IT has a Network Security Policy that defines rules to protect against internal or external
attacks and breaches of security. Maersk maintains a capability to perform enterprise and endpoint
forensics in order to support incident response processes, identify perpetrators of malicious acts and
preserve sufficient evidence to prosecute them if required. Security-related events must be logged,
stored in approved locations and protected against unauthorised change or deletion.
These events must be retained for a minimum time period to enable forensic investigation and in
accordance with local legislation and regulations.
Event logging must be enabled to identify user activity, exceptions, faults and cyber security events,
and administrator and operator logs must record 'non-human' or system account activity. IT system
clocks must be synchronised to a universal time source to ensure events can be correlated within an
accurate and consistent timeline.

Section 4.4; 4.6; 4.11 Cyber Policies

Networks are fundamental to the operation of Maersk business. Networks are comprised of network
devices, transmission lines, and network services. Network security relies upon the proper management
of each of these components, and the selection of appropriate network architectures. Maersk has a
Systems & Applications policy that defines rules to secure and manage IS risks throughout the system
lifecycle. The policy ensures secure standard configurations are used and maintained for systems and
applications deployed within Maersk environments. This Cyber policy applies to all Maersk employees,
contractors and third parties, and to all information, IT systems and Operational Technology ("OT") /
Industrial Control Systems ("ICS"). Cyber Security Policies and Standards are reviewed once a year. The
last review was carried out in June 2019. The Maersk Cyber Policies can be viewed on the Maersk team
site at https://teamsite.maerskgroup.com/sites/MLI-CyberSecurity/SitePages/IS010108_SecInc.aspx

Section 4.7; 4.8; 4.9 Access Policies

# Classification: Internal
Maersk utilises a number of applications and systems, with individual users having varying degrees of
permissions to those and the associated data, to meet business objectives and operational needs.
Exposed account details and the misuse of access can have a detrimental impact on Maersk and/or its
staff. As such, the aim of this policy is to define the rules for securing user access to business
applications, information systems, networks and end user computing within Maersk. Direct connections
from external networks to the Maersk internal corporate network are not permitted. Connections from
external networks must be terminated on a device owned, controlled and managed by Maersk, and that
device must be located in the Maersk external Demilitarized Zone (eDMZ). Included in this policy is the
requirement to terminate systems access when an employee (or contractor) is separated from the
organization. The Human Resources (HR) separation checklist includes both IT equipment and systems
termination. This can be viewed at:
https://teamsite.maerskgroup.com/sites/MLI-CyberSecurity/SitePages/IS010103_AccMng.aspx

Section 4.10; 4.13 Personal Devices-Equipment

MDM software is in place that requires registration for employees. This access is only for Maersk email,
calendar and cloud storage. No system changes can be made or viewed on mobile devices. The Asset
Identification & Inventory Management Standard provides direction and guidance for identifying Maersk
assets and maintaining an inventory, to ensure there is a clear understanding of the assets we are
responsible for maintaining and what they do. This Standard also addresses the need to understand
criticality, classification and retention requirements. We have a Data Destruction Standard that follows
NIST recommended standards. The Asset Management policy can be found at
https://teamsite.maerskgroup.com/sites/MLI-CyberSecurity/SitePages/Identification-&-Inventory-Management-Standard.aspx

Section 4.3; 4.12 Testing and Backup Data

Maersk has developed and implemented an information and IT resilience strategy which is in line with
the organisation's business continuity objectives. This strategy ensures that critical information and IT
assets run on robust, reliable hardware and software to maintain resilience and security. The recovery
plans and arrangements must be tested on a regular basis, with a documented testing schedule and
outcomes retained as evidence of testing. All business information must have appropriate retention,
backup and retrieval processes and mechanisms in place. Backups of information and software must be
performed on a regular basis and according to a defined cycle corresponding to the information
classification, and the policy additionally requires that backups be stored offline and physically
separate from the production environment. The policy guidance can be viewed at:
https://teamsite.maerskgroup.com/sites/MLI-CyberSecurity/SitePages/IS010109_ResRec.aspx

U.S. Customs and Border Protection
Customs Trade Partnership Against Terrorism (CTPAT)
Security Profile Questions - Consolidators - January 2020

Columns: MSC ID | Criteria Section | Must/Should | Security Profile Question | Help Text

4.1 | Cybersecurity | Must
Question: Are comprehensive written cybersecurity policies and/or procedures in place to protect
information technology (IT) systems? Does the written IT security policy, at a minimum, cover all of
the individual cybersecurity criteria? These are requirements.
Help Text: Briefly give an overview of your cybersecurity policies and procedures. This is a must to be
part of the CTPAT program.

4.6 | Cybersecurity | Must
Question: Are cybersecurity policies and procedures reviewed annually, or more frequently, as risk or
circumstances dictate? Following the review, are policies and procedures updated if necessary? These
are requirements.
Help Text: Describe your process for conducting an annual review of cybersecurity policies. This is a
must to be part of the CTPAT program.

4.2 | Cybersecurity | Must
Question: If a data breach occurs or an event results in the loss of data and/or equipment, do
procedures include the recovery (or replacement) of IT systems and/or data? This is a requirement.
Help Text: Describe your procedure in case of a data breach resulting in loss of data and/or equipment
to include your process to recover data and/or replace equipment, if needed. This is a must to be part
of the CTPAT program.

4.4 | Cybersecurity | Should
Question: Do cybersecurity policies address how information is shared on cybersecurity threats with
the government and other business partners?
Help Text: Do you have a policy regarding information sharing? If yes, does that policy include sharing
information with business partners and/or the Government?

4.2 | Cybersecurity | Must
Question: Are policies and procedures in place to prevent attacks via social engineering? This is a
requirement.
Help Text: Describe the company's policy/procedure for preventing cyber attacks via social engineering.
This is a must to be part of the CTPAT program.

4.11 | Cybersecurity | Should
Question: Do cybersecurity policies and procedures include measures to prevent the use of counterfeit
or improperly licensed technological products?
Help Text: Do you have policy/procedures to prevent the use of counterfeit or improperly licensed
products? If yes, describe your anti-counterfeit measures and methods to ensure products are authentic.

4.5 | Cybersecurity | Must
Question: Is a system in place to identify unauthorized access of IT systems/data or abuse of policies
and procedures including improper access of internal systems or external websites and tampering or
altering of business data by employees or contractors? This is a requirement.
Help Text: Briefly describe the procedures in place to identify unauthorized access of IT systems/data,
abuse of IT policies/procedures and tampering, or the altering of business data. This is a must to be
part of the CTPAT program.

4.5 | Cybersecurity | Must
Question: Are all violators subject to appropriate disciplinary actions? This is a requirement.
Help Text: Briefly describe the disciplinary actions in place for any IT policy/procedure violations.
This is a must to be part of the CTPAT program.

4.2 | Cybersecurity | Must
Question: To defend Information Technology (IT) systems against common cybersecurity threats, has
sufficient software/hardware been installed for the protection from malware (viruses, spyware, worms,
Trojans, etc.) and has an internal/external intrusion detection system been installed (firewalls)?
These are requirements.
Help Text: Describe your plan/policy to protect your IT system from malware and other cyber threats.
What types of protective software are installed? Describe how hardware and network systems are
protected. This is a must to be part of the CTPAT program.

4.2 | Cybersecurity | Must
Question: Is security software current and does it receive regular security updates? This is a
requirement.
Help Text: Describe your procedures for ensuring security software is up to date. This is a must to be
part of the CTPAT program.

4.3 | Cybersecurity | Must
Question: When utilizing network systems, is the security of the IT infrastructure regularly tested? If
vulnerabilities are found, are corrective actions implemented as soon as feasible? These are
requirements.
Help Text: Briefly describe how the security of your IT infrastructure is tested. This is a must to be
part of the CTPAT program.

4.12 | Cybersecurity | Should
Question: Is data backed up once a week or as appropriate? Is all sensitive and confidential data stored
in an encrypted format?
Help Text: Do you perform data backups of the IT system? If yes, how often is the system backed up?

4.13 | Cybersecurity | Must
Question: Are all media, hardware, or other IT equipment that contains sensitive information regarding
the import/export process accounted for through regular inventories? This is a requirement.
Help Text: Describe your inventory policy and procedures for all media, hardware, and IT equipment.
This is a must to be part of the CTPAT program.

4.13 | Cybersecurity | Must
Question: When disposed, are they properly sanitized and/or destroyed in accordance with the National
Institute of Standards and Technology (NIST) Guidelines for Media Sanitization or other appropriate
industry guidelines? This is a requirement.
Help Text: Describe your procedures for the disposal of all media, hardware, and IT equipment. This is
a must to be part of the CTPAT program.

4.10 | Cybersecurity | Must
Question: If employees are allowed to use personal devices to conduct company work, do all such
devices adhere to the company's cybersecurity policies and procedures to include regular security
updates and a method to securely access the company's network? This is a requirement.
Help Text: Do you allow employees to use personal devices to conduct company business? If yes, are
the employees required to adhere to the company's cybersecurity policies/procedures? This is a must to
be part of the CTPAT program.

4.8 | Cybersecurity | Must
Question: Do individuals with access to IT systems use individually assigned accounts? This is a
requirement.
Help Text: Describe your IT policies for individual account assignment. This is a must to be part of
the CTPAT program.

4.8 | Cybersecurity | Must
Question: Is access to IT systems protected from infiltration via the use of strong passwords,
passphrases, or other forms of authentication and is user access to IT systems safeguarded? These are
requirements.
Help Text: Describe your IT system security policies pertaining to passwords/passphrases or other forms
of authentication requirements. This is a must to be part of the CTPAT program.

4.7 | Cybersecurity | Must
Question: Is user access restricted based on job description or assigned duties? This is a requirement.
Help Text: Describe your procedures to restrict user access to information technology systems. This is
a must to be part of the CTPAT program.

4.7 | Cybersecurity | Must
Question: Is authorized access reviewed on a regular basis to ensure access to sensitive systems is
based on job requirements? This is a requirement.
Help Text: Describe the procedure for review of current employee system accesses against job
requirements. This is a must to be part of the CTPAT program.

4.7 | Cybersecurity | Must
Question: Is computer and network access removed upon employee separation? This is a requirement.
Help Text: Describe your procedures for removal of system access upon an employee's exit/separation
from the company. This is a must to be part of the CTPAT program.

4.9 | Cybersecurity | Must
Question: When users are allowed to remotely connect to a network, are secure technologies employed,
such as virtual private networks (VPNs), to allow employees to access the company's intranet securely
when located outside of the office? Are procedures in place that are designed to prevent remote access
from unauthorized users? These are requirements.
Help Text: Do you allow employees to remotely connect to the company's network? If yes, describe your
policy/procedures for remote connectivity via virtual private networks (VPNs) or multi-factor
authentication etc. This is a must to be part of the CTPAT program.

Response:
Compliance with the requirements on cybersecurity is met via the procedures that are set and
controlled by our IT department. Evidence is to be found at the link in the guidance chapter.
