AT&T operates one of the world’s most advanced and powerful global backbone networks. Security is at the core of our network and is central to everything we do.
Safeguarding data is in our DNA as a 140+ year-old communications company. For more than a century, we’ve evolved security protocols and technologies alongside technological evolution from telegraph, to telephone, to internet and now to artificial intelligence–based, dynamic communication. Our ability to apply automated threat detection technologies to the analysis of AT&T’s network data is critical to safeguarding our network and infrastructure as the sheer volume of attempted cyberattacks continues to grow significantly.
As a result, AT&T is continually improving security through active research and development programs, participation in (via standards organizations) and tracking of industry developments, and the evaluation of new security technologies and products. AT&T is constantly employing new tools and systems to deliver highly effective security safeguards. To help provide security for data both in transit across the network and stored in the network, AT&T has implemented a comprehensive security program derived from ISO 17799, COBIT and other industry best practices.
AT&T Chief Security Office
The Chief Security Office (CSO), led by our chief security officer, establishes policy and requirements – as well as comprehensive programs – to help build security into the fabric of every organization across the business. The information security program is designed to help protect the integrity, confidentiality and availability of our network. The CSO maintains a global organization composed of highly trained and expert security professionals, with additional security specialists in other organizations across AT&T. These additional specialists work closely with the CSO to address department-specific issues and help provide security for their respective functional areas.
The CSO is dedicated to the protection of the AT&T global network, supporting a broad range of functions from security policy management to implementation of security solutions. Additionally, the group reviews and assesses our security control posture to keep pace with industry developments and to satisfy regulatory and business requirements.
The CSO’s technical personnel work in conjunction with other AT&T business units to evaluate threats, determine protective measures, create response capabilities and assess compliance with security best practices. Additionally, the Audit Committee of the AT&T Board of Directors oversees the company’s risk management strategy, which includes cybersecurity and defense of our network. The Board and the Audit Committee receive regular updates from our chief security officer on network and data security, and associated risks.
AT&T Security Standards
AT&T has developed and maintains the AT&T Security Policy and Requirements (ASPR), a set of security control standards based in part on leading industry standards such as ISO/IEC 27001:2013. ASPR also aligns to laws and standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST 800-53, as well as the European Union’s General Data Protection Regulation (GDPR), Criminal Justice Information Services (CJIS) Security Policy and the California Consumer Privacy Act (CCPA). AT&T also performs annual third-party certifications/audits – such as those for the Payment Card Industry, Sarbanes-Oxley Act (SOX) and SSAE 16/ISAE 3402 (SOC) – to demonstrate compliance to our customers and our stakeholders.
Given the dynamic environment that AT&T supports, ASPR content is continually re-evaluated and modified as industry standards evolve and as circumstances require. In addition, operating procedures, tools and other protective measures are regularly reviewed to help provide the highest standards of security throughout our company. ASPR applies enterprise-wide and establishes the minimum required safeguards to protect computing and networking assets, data and services. It applies to all employees, contractors, suppliers, supervisors, application/software developers, system and database administrators, network architects and operations teams. While the standards may be exceeded, compliance with ASPR is mandatory except where covered by a legally binding agreement or an applicable but contradictory law. AT&T’s Supplier Information Security Requirements (SISR) is a minimum set of security requirements that are included in contracts with suppliers when they are performing certain services for AT&T and AT&T Customers.
Additionally, AT&T’s Purchased Products and Applications Security Requirements (PPASR) are designed as a proactive approach to help prevent security and operational gaps in Commercial Off-the-Shelf (COTS) products and applications that are implemented in the AT&T internal network. The PPASR is used when purchasing COTS products, applications and hardware, or when obtaining trial/shareware for use within the AT&T internal network.
AT&T maintains global ISO 27001 certification, which includes the information security management systems (ISMS) for the AT&T global IP network and customer-facing services.
Training and Compliance
The AT&T CSO is charged with directing and coordinating security awareness and education. The group maintains an internal security awareness website, an internal awareness newsletter, employee- and business unit–specific bulletins and communications, job aids, technology conferences and employee security awareness events to deliver general and targeted security awareness initiatives within AT&T. The program uses subject matter experts from the various security groups and disciplines for content development and to deliver webcasts and video productions.
The AT&T internal security awareness program takes an innovative engage-while-learning approach. Our program enforces personal responsibility from every person who touches the network – from office workers and server administrators to folks in the field and more. Using a series of animated characters to share learnings about security, the storylines ask employees to imagine real-life scenarios that could involve them, such as opening a dangerous link or sending data unencrypted. Our lead animated character – which has become an iconic internal brand – learns awareness lessons on behalf of the employee.
Under the banner of the AT&T proprietary slogan You Are the Firewall™, animated short stories, original video games with embedded security training, live game shows and an International Security Awareness Week promote security with employees at all of our worldwide AT&T locations. This entertainment-based approach to the security awareness program was reviewed by industry analysts and has received the highest acclaim from the Institute for Applied Network Security.
Additionally, a security awareness course has been added to the AT&T Corporate Compliance training bundle, representing a required annual security training component. The content is developed, approved and managed by the CSO. The CSO has also developed and approved a new program – planned for 2020 – that introduces new hires to security awareness as part of their orientation.
AT&T also produces a recurring security program featuring AT&T CSO analysts called AT&T ThreatTraq. This program adds another dimension of security training and awareness through weekly webisodes open to employees and to the public via the internet.
All AT&T employees are required to annually acknowledge their responsibility to adhere to our Code of Business Conduct and our Information Security Policy. AT&T employees also receive periodic awareness and compliance training to reinforce our privacy standards.
We encourage employees to obtain additional security training and achieve accreditations and certifications when relevant to their roles. This training is conducted both within AT&T and through corporate training organizations, such as:
- The International Information Systems Security Certification Consortium (ISC)²
- The Information Systems Security Association
- The SANS Institute
- Vendor and product-specific training and certification
Our large population of security professionals maintains certifications and credentials, such as:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification (GIAC)
AT&T conducts regular reviews of our operations and applications for security compliance, which is essential for evaluating adherence to our security procedures. These reviews may be facilitated or conducted through our CSO; by a business-unit representative for a product, service, supplier or partner relationship; or by an internal operations team responsible for lifecycle service management.
Testing and Reporting
AT&T conducts regular tests and evaluations to help provide security controls and maintain their functionality in accordance with our security policy. Security status checking includes:
- Reviewing and verifying system security settings, computer resource security settings and status, and users having security administrative authority or system authority;
- Testing of network elements to help ensure the proper level of security patches is applied and to determine that only required system processes are active;
- Validating server compliance with the AT&T Security Policy; and
- Utilizing independent third parties to help assess risk to AT&T, its network and its customers, including its suppliers where appropriate.
Vulnerability testing is performed by authorized personnel, using AT&T-developed tools and leading-edge scan tools, to verify whether controls can be bypassed to obtain any unauthorized access. We use systemic anomaly reporting to indicate abnormal use of our online customer relationship management (CRM) systems – both customer facing and employee facing. Alarms are investigated and appropriate remediation steps are taken.
Information regarding the security of our infrastructure and services is managed and communicated on a need-to-know basis. Results of our testing and checking are combined with threat intelligence gathered through trend analysis and reported to security organization executives.
Additionally, AT&T uses a consistent, disciplined global process for the timely identification of security incidents and threats. The AT&T Global Technology Operations Center (GTOC) maintains 24/7, near-real-time security monitoring of the AT&T network for investigation, action and response to network security events. Our threat management platform and program provide near-real-time data correlation, situational awareness reporting, active incident investigation, case management, trending analysis and predictive security alerting.
We also encourage and reward contributions by developers and security researchers through the AT&T Bug Bounty Program. We provide monetary rewards and/or public recognition for certain security vulnerabilities responsibly disclosed to us.
Business Continuity and Disaster Recovery
The U.S. Department of Homeland Security includes the communications industry among 16 critical infrastructure sectors. At AT&T, we design our network and operations to be resilient – so we’re prepared to provide essential communications and data connectivity for our customers and communities. Our global team of certified and experienced business continuity experts, led by our President of Technology and Operations, works to maintain operations of key business processes by utilizing documented business continuity strategies, plans and procedures that are updated and exercised on an annual basis. Regular reports on our business continuity efforts are shared with the Audit Committee of the AT&T Board of Directors.
Our Business Continuity Management Program is certified to the international business continuity standard ISO 22301:2012. It’s also aligned with the Disaster Recovery Institute International Professional Practices, Business Continuity Institute Good Practice Guidelines, U.S. Department of Homeland Security National Incident Management System and ISO 31000. Alignment with such standards demonstrates that AT&T is equipped to maintain business operations and serve our customers in the vital hours, days or weeks after disaster strikes.
AT&T Security Research Center
The AT&T Security Research Center was created within the AT&T CSO to invent the future of security in communications and computing and create what may seem to be impossible today and revolutionary for tomorrow. Researchers work on large-scale problems in areas such as mobility and cellular, cloud computing, networking and data mining. In particular, they look for ways to utilize the power of the network for new security architectures and mechanisms.
AT&T Business Solutions
Security is top of mind for any business, large or small. And helping protect customers’ IT infrastructure against today’s emerging threats is more important than ever. The cyber threat landscape is complex, requiring a coordinated and collaborative defense system. AT&T Cybersecurity, the combination of our cybersecurity consulting practice, managed security services business and AlienVault, brings together the unique assets of AT&T and AlienVault – unrivaled network visibility, diverse threat data, machine learning and world-class threat researchers – to help businesses stay ahead of evolving cybersecurity threats. Our unified security management platform integrates data for detection, response and compliance. It provides near real-time intelligence and unified, customized solutions for organizations of all sizes, industries and locations. AT&T’s new standalone cybersecurity solutions business division will focus on making AT&T’s extensive cybersecurity capabilities and technologies accessible to businesses of all sizes around the globe. Visit AT&T Cybersecurity for more information about our offerings for customers.
Engaging with Stakeholders
AT&T is proud to be a leader and a participant in many industry, academic and governmental organizations, both to set standards and to keep pace with industry developments. Our employees interact with and participate in several U.S. and international security organizations, including:
- Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security
- Computer Emergency Response Team/Coordination Center (CERT/CC)
- Forum of Incident Response and Security Teams (FIRST)
- National Security Telecommunications Advisory Committee (NSTAC), a federal advisory council to the president of the United States on issues of national security and emergency preparedness
- National Coordinating Center for Communications (NCC), which serves as the Information Sharing and Analysis Center (ISAC) for communications and organizes operational response activities in the event of both cyber and physical incidents
- Communications Sector Coordinating Council (CSCC), which conducts planning activities on cybersecurity issues with the U.S. Department of Homeland Security
- U.K. Centre for the Protection of National Infrastructure (CPNI) National Security Information Exchange (NSIE)
- Various Information Sharing and Analysis Centers (ISACs), including the Information Technology, Auto and Retail ISACs
- U.S. InfraGard
- Security activities within the Internet Engineering Task Force (IETF)
AT&T also participates in:
- National Telecommunications and Information Administration (NTIA)
- Federal Communications Commission (FCC) Communications Security, Reliability and Interoperability Council (CSRIC)
- Network Reliability Steering Committee (NRSC)
- U.S. Telecom and the Council to Secure the Digital Economy (CSDE)
- Cellular Telecommunications Industry Association (CTIA) cybersecurity working group
- Consumer Technology Association (CTA) technology council security working group
- National Institute of Standards and Technology (NIST) and the Internet Security and Privacy Advisory Board (ISPAB)
- NIST National Cybersecurity Center of Excellence
For more information on our stakeholder engagement, as well as our view and commentary on cybersecurity policy news, visit our public policy blog.
Consumer Awareness and Education
Education is the best line of defense. As more devices connect to the internet, education becomes more important. Cyber Aware is a resource from AT&T to empower and educate consumers about fraud protection and cybersecurity. Our goal is to make customers more alert to help them protect their information. We recognized that many customers had questions but did not know where to find answers. The Cyber Aware website explains in simple terms how many scams work, ways to recognize them and things customers can do. It offers security and privacy alerts that provide advice on patches and updates. It’s available to everyone – not just AT&T customers – at att.com/cyberaware. Visit our Responsible Use of Products & Services issue brief for more information.