The AT&T Issue Brief Library

Our issue briefs provide a summary of key topics. Download all issue briefs for a comprehensive overview, or use our issue brief builder to generate a customized PDF download with your selected topics. 

Network Security

Materiality Assessment Topic: Network and data security | Global Reporting Initiative G4 Indicator: PR8

Issue Summary

Information and communication technology networks are key parts of our everyday lives, enabling transactions and communication between individuals, businesses, governments and others. As we increasingly depend on networks to carry more information, they must remain reliable and highly secure. Attacks on networks and Internet of Things (IoT) devices can include viruses, worms, denial-of-service, ransomware and phishing.

Our Position

AT&T operates one of the world’s most advanced and powerful global backbone networks. Reaching nearly every continent and country, our network carries 150 petabytes of data traffic on an average business day. Security is at the core of our network and central to everything we do. AT&T has long been a pioneer in the development of cybersecurity capabilities, with AT&T Labs and our Chief Security Office (CSO) working closely together to provide industry-leading technology.


Our Action

The world of networked computing—especially for today’s mobile and always-connected IoT devices and applications, as well as cloud environments—is fast-moving and highly dynamic. As a result, AT&T is continually improving security through active research and development programs, influencing (via standards organizations) and tracking of industry developments, and the evaluation of new security technologies and products. AT&T is constantly employing new tools and systems to deliver highly effective security safeguards.

AT&T Chief Security Office

The CSO serves as the lead for the corporation, but a focus on security has been built into the fabric of every organization within the business. The CSO maintains a global security organization comprised of more than 600 security professionals, and more than 1,400 additional security specialists work in other organizations across AT&T. The CSO is dedicated to the protection of the AT&T global network. It supports a broad range of functions, from security policy management to security solutions. Additionally, the group reviews and assesses our security control posture to keep pace with industry developments and to satisfy regulatory and business requirements.

At the executive level, AT&T’s Chief Security Officer leads the AT&T Security Advisory Council, a program through which key business and functional leaders meet on a regular basis to discuss corporate security strategy, vision and concerns. The CSO’s technical personnel work in partnership with other AT&T business units to evaluate threats, determine protective measures, create response capabilities and assess compliance with best security practices. Additionally, the Audit Committee of the Board of Directors oversees AT&T’s risk management strategy, which includes cybersecurity and defense of our network.

AT&T Security Standards

AT&T has developed and maintains the AT&T Security Policy and Requirements (ASPR), a set of security control standards based in part on leading industry standards such as ISO/IEC 27001:2013. Given the dynamic environment that AT&T supports, ASPR content is continually re-evaluated and modified as industry standards evolve and as circumstances require. In addition, operating procedures, tools and other protective measures are regularly reviewed to ensure the highest standards of security are observed throughout our company.

AT&T maintains global ISO 27001 certification, which includes enterprise sites and functions performed globally, comprising AT&T internet data centers.

Sensitive personal information (SPI) related to the provision and administration of AT&T services is accorded significant protections. Certain customer information managed by AT&T is further protected by a Privacy Policy applicable to all employees and contractors and a Code of Business Conduct that assigns penalties for violation of the duty to protect the confidentiality of SPI and other sensitive data. As appropriate, the CSO coordinates and assists the company’s privacy team on data breach investigations and the company’s Asset Protection group (also known as Corporate Security) on issues pertaining to the protection of company personnel, property and other assets.

Training and Compliance 

The AT&T CSO is charged with directing and coordinating security awareness and education across AT&T. This group maintains an internal security awareness website, an internal awareness newsletter, employee- and business-unit-specific bulletins and communications, job aids, technology conferences, employee security awareness events and expos, workshops and security courses to deliver general and targeted security awareness initiatives within AT&T. The program uses subject matter experts from the various security groups and disciplines for content development and to deliver webcasts and video productions. In addition, all AT&T employees are required to annually acknowledge their responsibility to adhere to AT&T’s Code of Business Conduct and AT&T’s information security policy. AT&T employees receive periodic awareness and compliance training to reinforce our privacy standards.

We also encourage employees to obtain security training and achieve accreditations and certifications when relevant. This training is conducted both within AT&T and through corporate training organizations such as:

  • The International Information Systems Security Certification Consortium Inc. (ISC)
  • Information Systems Security Association
  • The SANS Institute
  • Vendor- and product-specific training and certification

Our large population of security professionals maintains certifications and credentials such as:

  • Certified Information System Services Professional (CISSP)
  • Certified Information Systems Auditors (CISA)
  • Certified Information Security Management (CISM)
  • Certified Ethical Hacker (CEH)
  • Global Information Assurance Certification (GIAC)

AT&T conducts regular reviews of its operations and applications for security compliance, which is essential for evaluating adherence to our security procedures. These reviews may be facilitated or conducted through our CSO by a business area sponsor of a product, service, or supplier or partner relationship, or by an operations team responsible for lifecycle service management.

Testing and Reporting

AT&T conducts regular tests and evaluations to help ensure that security controls are maintained and functioning in accordance with our security policy. Security status checking includes:

  • Reviewing and verifying system security settings, computer resource security settings and status, and users having security administrative authority or system authority.
  • Testing of network elements to ensure the proper level of security patches and that only required system processes are active.
  • Validating server compliance with AT&T security policy.

Vulnerability testing is performed by authorized personnel to verify whether controls can be bypassed to obtain any unauthorized access, using AT&T-developed tools and leading-edge scan tools.

Information regarding the security of our infrastructure and services is managed and communicated on a need-to-know basis. Results of our testing and checking are combined with threat intelligence gathered through trend analysis and reported to security organization executives.

Additionally, AT&T uses a consistent, disciplined global process for the timely identification of security incidents and threats. The AT&T Global Technology Operations Center (GTOC) maintains 24/7, near real-time security monitoring of the AT&T network for investigation, action and response to network security events. Our threat management platform and program provide near real-time data correlation, situational awareness reporting, active incident investigation, and case management, trending analysis and predictive security alerting.

AT&T Security Research Center

The AT&T Security Research Center was created within the AT&T CSO to invent the future of security in communications and computing, and to create what may be impossible today and revolutionary for tomorrow. Researchers work on large-scale problems in areas such as mobility and cellular, cloud computing, networking and data mining. In particular, they look for ways to leverage the power of the network for new security architectures and mechanisms.

Business Continuity and Disaster Recovery

AT&T’s Business Continuity Management Program is certified to the international business continuity standard ISO 22301:2012. It is also aligned with the Disaster Recovery Institute International (DRII) Professional Practices, Business Continuity Institute Good Practice Guidelines, Department of Homeland Security National Incident Management System and ISO 31000. These standards demonstrate that AT&T continues to be equipped to resume business operations and continue delivering services to its customers in the vital hours and days after a disaster strikes. In the event of any disaster or other emergency, we will be able to quickly resume network traffic, field customer calls and queries, and service the communities in which we operate. The AT&T Business Continuity Management Program includes management disciplines, processes and techniques to support AT&T’s essential business processes in the event of a significant business disruption. To review our Program Handbook, visit AT&T Vital Connections.

In addition, our Network Disaster Recovery (NDR) team works to recover AT&T voice and data service network elements to an area affected by a disaster. We have invested more than $600 million in our NDR program since 1992. For more information, read about our disaster response efforts or visit www.att.com/ndr.

Engaging with Stakeholders

AT&T is proud to be a leader and a participant in many industry, academic and governmental organizations both to set standards and to keep pace with industry developments. Our employees interact with and participate in several U.S. and international security organizations, including:

  • Computer Emergency Response Team/Coordination Center (CERT/CC)
  • Forum of Incident Response and Security Teams  (FIRST)
  • U.S. Department of Homeland Security’s National Security Telecommunications Advisory Committee (NSTAC) and its National Coordinating Center (NCC) for Telecommunications
  • U.K. Centre for the Protection of National Infrastructure (CPNI) National Security Information Exchange (NSIE)
  • Various Information Sharing and Analysis Centers (ISACs), including Information Technology-ISAC and Communications-ISAC
  • U.S. InfraGard
  • Security activities within the Internet Engineering Task Force (IETF)

AT&T also participates in:

  • National Infrastructure Protection Center (NIPC)
  • National Telecommunications and Information Administration (NTIA)
  • Communication Security, Reliability and Interoperability Council (CSRIC)
  • Network Reliability Steering Committee (NRSC)

AT&T security experts gather weekly to provide information and perspective on the latest security news and trends through our AT&T Threat Traq channel. Visit our network security services page for more information about our offerings for customers and our public policy blog, which offers our view and commentary on cybersecurity policy news.

For more information, read our information and network security reference guide.

Updated on: Aug 17, 2017

×