The AT&T Issue Brief Library
Our issue briefs provide a summary of key topics. Download all issue briefs for a comprehensive overview, or use our issue brief builder to generate a customized PDF download with your selected topics.
Information and communication technology networks are key parts of our everyday lives, enabling transactions and communication between individuals, businesses, governments and others. As we increasingly depend on networks to carry more information, they must remain reliable and secure. Attacks on networks can include viruses, worms, denial-of-service and unauthorized access.
AT&T operates one of the world’s most advanced and powerful global backbone networks, carrying more than 70 petabytes of data traffic on an average business day to nearly every continent and country. Security is at the core of our networks and central to everything we do. AT&T has long been a pioneer in the development of cybersecurity capabilities, with AT&T Labs and our global security organization working closely together to provide industry-leading technology.
The world of networked computing — especially for today’s mobile, always-connected devices and applications, as well as cloud environments — is fast-moving and highly dynamic. As a result, AT&T is continually improving security through active security research and development programs, influencing (via standards organizations) and tracking of industry developments, and evaluation of new security technologies and products. New tools and systems are constantly deployed to deliver the most effective security safeguards.
AT&T Chief Security Office
AT&T maintains a global security organization comprising more than 1,000 security professionals. More than 1,000 additional security professionals work in other organizations within AT&T, as well. The AT&T Chief Security Office is the lead for the corporation, but focus on network security has been built into the fabric of every organization within the business. The AT&T Chief Security Office is dedicated to the protection of the AT&T global network and its service offerings. It supports a broad range of functions, from security policy management to customer-facing security solutions. The AT&T global security organization reviews and assesses our security control posture to keep pace with industry developments, and to satisfy regulatory and business requirements.
The AT&T Chief Security Office establishes policies, requirements and programs to ensure security is incorporated into every facet of AT&T’s computing and networking environments. At the executive level, the Chief Security Officer leads the AT&T Security Advisory Council, a program where key business and functional leaders meet on a regular basis to discuss corporate security strategy, vision and concerns. The Chief Security Office’s technical personnel work in partnership with other AT&T business units to evaluate threats, determine protective measures, create response capabilities and assess compliance with best security practices. Additionally, the Audit Committee of the Board of Directors oversees AT&T’s risk management strategy, which includes cybersecurity and defense of our network.
AT&T Security Standards
AT&T has developed and maintains the AT&T Security Policy and Requirements (ASPR), a set of security control standards based in part on leading industry standards such as ISO/IEC 27001:2005. Given the dynamic environment that AT&T supports, ASPR content is continually re-evaluated and modified as industry standards evolve and as circumstances require. In addition, operating procedures, tools and other protective measures are regularly reviewed to ensure the highest standards of security are observed throughout our company.
AT&T maintains global ISO 27001 certification, which includes all enterprise sites and functions performed globally, comprising all AT&T internet data centers, and AT&T’s hosting and cloud services.
Training and Compliance
The AT&T Chief Security Office is charged with directing and coordinating security awareness and education across AT&T. This group maintains an internal security awareness website, an internal awareness newsletter, all-employee and business-unit-specific bulletins and communications, job aids, technology conferences, employee security awareness events and expos, workshops and security courses to deliver general and targeted security awareness initiatives within AT&T. The program uses subject matter experts from the various security groups and disciplines for content development, and to deliver webcasts and video productions. In addition, all AT&T employees are required to annually acknowledge their responsibility to adhere to AT&T’s Code of Business Conduct and AT&T’s information security policy. AT&T employees receive periodic awareness and compliance training to reinforce our privacy standards.
We also encourage employees to obtain security training and achieve accreditations and certifications when relevant. This training is conducted both within AT&T and through corporate training organizations such as:
- The International Information Systems Security Certification Consortium Inc. (ISC)
- Information Systems Security Association
- The SANS Institute
- Vendor and product-specific training and certification
Our large population of security professionals maintains certifications and credentials such as:
- Certified Information System Services Professional (CISSP)
- Certified Information Systems Auditors (CISA)
- Certified Information Security Management (CISM)
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification (GIAC)
We conduct regular reviews of operations and applications for compliance with our security policy —essential for evaluating adherence to our security procedures worldwide. These reviews may be facilitated or conducted by our Chief Security Office; by a business area sponsor of a product, service, or supplier or partner relationship; or by an operations team responsible for life cycle service management. We also encourage business and operations areas to perform self-reviews. An internal review looks at an organization’s adherence to regulatory guidelines and internal policies, controls and procedures.
In addition to security compliance reviews, we conduct regular internal and external reviews to address compliance with regulatory, industry, corporate governance and privacy requirements. External audits and certifications are performed for specific services where business requirements merit third party compliance evaluation. We have also undertaken an audit of our enterprise security program, policies and practices, resulting in formal certification to the ISO 27001:2005 Information Security Management Standard (covering AT&T Services Inc. and affiliates, as well as hosting and cloud services).
Testing and Reporting
We conduct regular tests and evaluations to ensure that security controls are maintained and are functioning in accordance with our policy. Security status checking includes:
- Reviewing and verifying system security settings, computer resource security settings and status, and users having security administrative authority or system authority.
- Testing of network elements to ensure the proper level of security patches, and that only required system processes are active.
- Validating server compliance to AT&T security policy.
Vulnerability testing is performed by authorized personnel to verify whether controls can be bypassed to obtain any unauthorized access, using AT&T-developed tools and leading-edge scan tools from commercial software providers.
Information regarding the security of our infrastructure and services is managed and communicated on a need-to-know basis. Results of our testing and checking are combined with threat intelligence gathered through trend analysis and reported to security organization executives.
Additionally, AT&T uses a consistent, disciplined global process for the identification of security incidents and threats in a timely manner. The AT&T global network operations center maintains 24x7, near real-time security monitoring of the AT&T network for investigation, action and response to network security events. Our threat management platform and program provide real-time data correlation, situational awareness reporting, active incident investigation and case management, trending analysis, and predictive security alerting.
AT&T Security Research Center
The AT&T Security Research Center was created within the AT&T Chief Security Office to invent the future of communications and computing, and to create what may be impossible today and revolutionary for tomorrow. Researchers work on large-scale problems in areas such as mobility and cellular, cloud computing, networking and data mining. In particular, they look for ways to leverage the power of the network for new security architectures and mechanisms.
AT&T Security Operations Center
The AT&T Security Operations Center (SOC) is a 24x7, centralized, command-and-control facility that includes seasoned expert staff, time-tested methodologies and AT&T proprietary technology. The SOC can monitor and analyze traffic via AT&T’s backbone to provide near-real-time and advance notification of different types of security events. Using a global sensor network, our SOC supports detection and mitigation of security events across multiple devices and device types. It provides correlation and alerting, situational awareness, incident response and proactive threat vulnerability analysis to manage threats and clean harmful traffic. Additionally, the Network Operations Center and IT Operations have responsibility for monitoring and managing various areas of AT&T security ranging from access and firewalls to monitoring DDoS attacks and incident rates.
Business Continuity and Disaster Recovery
AT&T is the first private-sector company to receive certification under the Department of Homeland Security’s Private Sector Preparedness (PS-Prep) program. This validates that we are able to maintain or recover our business operations in the face of an emergency or disaster, whether natural, man-made or cyber in nature. The Network Operations Planning and Support team coordinates these efforts across every organization within AT&T.
In addition, our Network Disaster Recovery team works to recover AT&T voice and data service network elements to an area affected by a disaster. We have invested more than $600 million in our NDR program since 1992. For more information, read about our disaster response efforts or visit www.att.com/ndr.
Engaging with Stakeholders
The AT&T Chief Security Office hosts an annual AT&T Cyber Security Conference to enable open communications with our enterprise customers and the general security community on latest emerging threats and countermeasures. The conference showcases AT&T’s security leadership, strategy and advanced technology to further protect business customers using AT&T network and systems.
AT&T is proud to be a leader and a participant in many industry, academic and governmental organizations both to set standards and to keep pace with industry developments. Our employees interact with and participate in several U.S. and international security organizations, including:
- Computer Emergency Response Team/Coordination Center (CERT/CC)
- Forum of International Response and Security Teams (FIRST)
- U.S. Department of Homeland Security’s National Security Telecommunications Advisory Committee (NSTAC) and its National Coordinating Center (NCC) for Telecommunications
- U.K. Centre for the Protection of National Infrastructure (CPNI) National Security Information Exchange (NSIE)
- Various Information Sharing and Analysis Centers (ISACs), including Information Technology-ISAC and Communications-ISAC
- U.S. InfraGard
- Security activities within the Internet Engineering Task Force (IETF)
AT&T also participates in:
- National Infrastructure Protection Center (NIPC)
- National Telecommunications and Information Administration (NTIA)
- Communication Security, Reliability and Interoperability Council (CSRIC)
- Network Reliability Steering Committee (NRSC)
AT&T malware and network security experts gather weekly to provide information and perspective on the latest security news and trends at our AT&T Threat Traq channel. Visit our network security services page for more information on our offerings for customers, and our public policy blog which offers our view and commentary on cybersecurity policy news.
For more information, read our information and network security reference guide.
Updated on: Aug 2, 2016