AT&T operates one of the world’s most advanced and powerful global backbone networks. Security is at the core of our network and is central to everything we do.
Safeguarding data is in our DNA as a 140+ year-old communications company. For more than a century, we have evolved security protocols and technologies alongside the technology itself, from telegraph to telephone to internet and now to artificial intelligence (AI)-based, dynamic communication. Our ability to apply automated threat detection to the analysis of AT&T’s network data is critical to safeguarding our network and infrastructure as the volume of attempted cyberattacks continues to grow.
AT&T continually improves security through active research and development programs, by influencing (via standards organizations) and tracking industry developments, and by evaluating new security technologies and products. AT&T constantly employs new tools and systems to deliver highly effective security safeguards. To help secure data both in transit across the network and stored in the network, AT&T has implemented a comprehensive security program that focuses on 13 major areas. The areas are derived from ISO 17799 (since renumbered ISO/IEC 27002), COBIT and other industry best practices.
- AT&T Chief Security Office
The Chief Security Office (CSO), led by our chief security officer, establishes policy and requirements, as well as comprehensive programs, to help ensure security is built into the fabric of every organization within the business. The CSO maintains a global security organization made up of more than 700 security professionals, and more than 1,400 additional security specialists work in other organizations across AT&T. These additional specialists work closely with the CSO to address department-specific issues and help secure their areas.
The CSO is dedicated to the protection of the AT&T global network. It supports a broad range of functions from security policy management to security solutions. Additionally, the group reviews and assesses our security control posture to keep pace with industry developments and to satisfy regulatory and business requirements.
The CSO’s technical personnel work in partnership with other AT&T business units to evaluate threats, determine protective measures, create response capabilities and assess compliance with security best practices. Additionally, the Audit Committee of the AT&T Board of Directors oversees the company’s risk management strategy, which includes cybersecurity and defense of our network. The Board and the Audit Committee receive regular updates on network and data security and the associated risks.
- AT&T Security Standards
AT&T has developed and maintains the AT&T Security Policy and Requirements (ASPR), a set of security control standards based in part on leading industry standards such as ISO/IEC 27001:2013. ASPR aligns to laws and standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST 800-53. AT&T also performs annual third-party certifications/audits — such as those for the Payment Card Industry, Sarbanes-Oxley Act (SOX) and SSAE 16/ISAE 3402 (SOC) — to demonstrate compliance to our customers and our stakeholders.
Given the dynamic environment that AT&T supports, ASPR content is continually re-evaluated and modified as industry standards evolve and as circumstances require. In addition, operating procedures, tools and other protective measures are regularly reviewed to help ensure the highest standards of security are observed throughout our company. ASPR applies enterprise-wide and establishes the minimum required safeguards to protect computing and networking assets, data and services. It applies to all employees, contractors, suppliers, supervisors, application/software developers, system and database administrators, network architects and operations teams. AT&T’s Supplier Information Security Requirements (SISR) are a minimum set of security requirements included in contracts with suppliers when they perform certain services for AT&T.
Additionally, AT&T’s Purchased Products and Applications Security Requirements (PPASR) are a proactive approach to help prevent security and operational gaps in Commercial Off-the-Shelf (COTS) products and applications deployed on the AT&T internal network. The PPASR is used when purchasing COTS products, applications and hardware, or when obtaining trial/shareware for use within the AT&T internal network.
AT&T maintains global ISO 27001 certification, which includes the information security management systems (ISMS) for the AT&T global IP network and customer-facing services.
- Training and Compliance
The AT&T CSO is charged with directing and coordinating security awareness and education. The group maintains an internal security awareness website, an internal awareness newsletter, employee- and business unit–specific bulletins and communications, job aids, technology conferences and employee security awareness events to deliver general and targeted security awareness initiatives within AT&T. The program uses subject matter experts from the various security groups and disciplines for content development and to deliver webcasts and video productions.
The AT&T internal security awareness program takes an innovative engage-while-learning approach. Our program expects personal responsibility of every person who touches the network, from office workers and server administrators to field technicians and more. Using a series of animated characters to share security lessons, the storylines ask employees to imagine real-life scenarios that could involve them, such as opening a dangerous link or sending data unencrypted. Our lead animated character, which has become an iconic internal brand, learns awareness lessons on behalf of the employee.
Under the banner of the AT&T proprietary slogan You Are the Firewall™, animated short stories, original video games with embedded security training, live game shows and an International Security Awareness Week promote security with employees at all of our worldwide AT&T locations. This entertainment-based approach to the security awareness program was reviewed by industry analysts and has received the highest acclaim from the Institute for Applied Network Security.
AT&T also produces a recurring security program featuring AT&T CSO analysts called AT&T ThreatTraq. This program adds another dimension of security training and awareness through weekly webisodes open to employees and to the public via the internet.
All AT&T employees are required to annually acknowledge their responsibility to adhere to our Code of Business Conduct and our Information Security Policy. AT&T employees also receive periodic awareness and compliance training to reinforce our privacy standards.
We encourage employees to obtain additional security training and achieve accreditations and certifications when relevant to their roles. This training is conducted both within AT&T and through corporate training organizations, such as:
- The International Information Systems Security Certification Consortium ((ISC)²)
- The Information Systems Security Association
- The SANS Institute
- Vendor and product-specific training and certification
Our large population of security professionals maintains certifications and credentials, such as:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification (GIAC)
AT&T conducts regular reviews of our operations and applications for security compliance, which is essential for evaluating adherence to our security procedures. These reviews may be facilitated or conducted through our CSO; by a business area sponsor of a product, service, supplier or partner relationship; or by an internal operations team responsible for lifecycle service management.
- Testing and Reporting
AT&T conducts regular tests and evaluations to help ensure that security controls are maintained and functioning in accordance with our security policy. Security status checking includes:
- Reviewing and verifying system security settings, computer resource security settings and status, and users having security administrative authority or system authority;
- Testing of network elements to help ensure the proper level of security patches and that only required system processes are active; and
- Validating server compliance with the AT&T Security Policy.
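The status checks listed above (privileged accounts, patch level, active processes and security settings compared against policy) can be expressed as a simple compliance check over a host snapshot. The following is an added illustrative example, not AT&T's own tooling or policy: the baseline values, the `/etc/passwd`, `sudoers` and `sshd_config` fragments, the process list and the `YYYY.MM` patch tag format are all constructed assumptions for the demonstration.

```python
"""Configuration compliance check: a host snapshot (privileged accounts, running
processes, patch level, sshd settings) is compared against a baseline and every
deviation becomes a finding. Illustrative; all inputs below are constructed."""
from dataclasses import dataclass

# Hypothetical baseline for one server role (values are assumptions, not a real policy).
BASELINE = {
    "allowed_uid0": {"root"},                      # only root may carry UID 0
    "allowed_sudo": {"root", "opsadmin"},          # subjects allowed ALL commands in sudoers
    "required_processes": {"sshd", "nginx", "auditd"},
    "optional_processes": {"cron", "rsyslogd"},
    "min_patch_level": (2019, 10),                 # (year, month) of oldest acceptable patch set
    "sshd_settings": {"PermitRootLogin": "no",
                      "PasswordAuthentication": "no",
                      "X11Forwarding": "no"},
}


@dataclass(frozen=True)
class Finding:
    check: str    # which control failed
    detail: str   # what was observed


def parse_passwd(text):
    """Map user name -> UID from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users


def parse_sudoers(text):
    """Return subjects (users or %groups) whose sudoers rule ends in ALL (unrestricted commands)."""
    grants = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        subject, spec = line.split(None, 1)
        if spec.rstrip().endswith("ALL"):
            grants.add(subject)
    return grants


def parse_sshd_config(text):
    """Map directive -> value from sshd_config-style lines; first occurrence wins, as sshd does."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf.setdefault(key, value.strip())
    return conf


def parse_patch_level(tag):
    """'2019.06' -> (2019, 6); tuples compare chronologically."""
    year, month = tag.split(".")
    return int(year), int(month)


def check_host(passwd, sudoers, processes, patch_tag, sshd_config, baseline=BASELINE):
    """Run every status check; an empty list means the host matches the baseline."""
    findings = []
    for user, uid in parse_passwd(passwd).items():
        if uid == 0 and user not in baseline["allowed_uid0"]:
            findings.append(Finding("uid0", f"{user} has UID 0"))
    for subject in sorted(parse_sudoers(sudoers) - baseline["allowed_sudo"]):
        findings.append(Finding("sudo", f"{subject} granted ALL in sudoers"))
    running = set(processes)
    for proc in sorted(baseline["required_processes"] - running):
        findings.append(Finding("missing_process", f"{proc} not running"))
    for proc in sorted(running - baseline["required_processes"] - baseline["optional_processes"]):
        findings.append(Finding("unexpected_process", f"{proc} running but not in baseline"))
    if parse_patch_level(patch_tag) < baseline["min_patch_level"]:
        findings.append(Finding("patch", f"patch level {patch_tag} below baseline"))
    conf = parse_sshd_config(sshd_config)
    for key, want in baseline["sshd_settings"].items():
        got = conf.get(key)          # an absent directive is also a deviation
        if got != want:
            findings.append(Finding("setting", f"{key}={got!r}, expected {want!r}"))
    return findings


# Constructed snapshot of a non-compliant host (not real data).
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "opsadmin:x:1001:1001::/home/opsadmin:/bin/bash\n"
                 "toor:x:0:0::/:/bin/sh\n")
SAMPLE_SUDOERS = "Defaults env_reset\nroot ALL=(ALL) ALL\nopsadmin ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n"
SAMPLE_PROCESSES = ["sshd", "nginx", "cron", "telnetd"]
SAMPLE_PATCH = "2019.06"
SAMPLE_SSHD = "# sshd_config\nPermitRootLogin yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for f in check_host(SAMPLE_PASSWD, SAMPLE_SUDOERS, SAMPLE_PROCESSES, SAMPLE_PATCH, SAMPLE_SSHD):
        print(f"[{f.check}] {f.detail}")
```

Running the sample produces seven findings: a second UID 0 account, an unapproved `%wheel` sudo grant, `auditd` not running, an unexpected `telnetd`, an out-of-date patch level, `PermitRootLogin` set to `yes` and `X11Forwarding` not set at all. Treating an absent directive as a deviation matters because several sshd defaults (such as password authentication) are permissive when unspecified.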
Vulnerability testing is performed by authorized personnel, using AT&T-developed tools and leading-edge scan tools, to verify whether controls can be bypassed to obtain any unauthorized access. We use systemic anomaly reporting to indicate abnormal use of our online customer relationship management (CRM) systems — both customer facing and employee facing. Alarms are investigated and appropriate remediation steps are taken.
Information regarding the security of our infrastructure and services is managed and communicated on a need-to-know basis. Results of our testing and checking are combined with threat intelligence gathered through trend analysis and reported to security organization executives.
Additionally, AT&T uses a consistent, disciplined global process for the timely identification of security incidents and threats. The AT&T Global Technology Operations Center (GTOC) maintains 24/7, near-real-time security monitoring of the AT&T network for investigation, action and response to network security events. Our threat management platform and program provide near-real-time data correlation, situational awareness reporting, active incident investigation, case management, trending analysis and predictive security alerting.
We also encourage and reward contributions by developers and security researchers who make our online environment more secure. Through the AT&T Bug Bounty Program, we provide monetary rewards and/or public recognition for certain security vulnerabilities responsibly disclosed to us.
- Business Continuity and Disaster Recovery
The AT&T Business Continuity Management Program is certified to the international business continuity standard ISO 22301:2012. It is also aligned with the Disaster Recovery Institute International (DRII) Professional Practices, Business Continuity Institute Good Practice Guidelines, Department of Homeland Security National Incident Management System and ISO 31000. These standards demonstrate that AT&T remains equipped to resume business operations and continue delivering services to our customers in the vital hours and days after a disaster strikes. In the event of any disaster or other emergency, we will be able to quickly resume network traffic, field customer calls and queries, and service the communities in which we operate. The AT&T Business Continuity Management Program includes management disciplines, processes and techniques to support our employees and critical business operations in the event of a significant business disruption. This program requires that key business processes have documented business continuity strategies and procedures that are updated and exercised on an annual basis. For more information, visit AT&T Disaster Preparedness and read our Network Architecture & Reliability issue brief.
- AT&T Security Research Center
The AT&T Security Research Center was created within the AT&T CSO to invent the future of security in communications and computing, and create what may be impossible today and revolutionary for tomorrow. Researchers work on large-scale problems in areas such as mobility and cellular, cloud computing, networking and data mining. In particular, they look for ways to utilize the power of the network for new security architectures and mechanisms.
- AT&T Business Solutions
Security is top of mind for any business, large or small. And helping protect customers’ IT infrastructure against today’s emerging threats is more important than ever. The cyber threat landscape is complex, requiring a coordinated and collaborative defense system. AT&T Cybersecurity, the combination of our cybersecurity consulting practice, managed security services business and AlienVault, brings together the unique assets of AT&T and AlienVault (unrivaled network visibility, diverse threat data, machine learning and world-class threat researchers) to help businesses stay ahead of evolving cybersecurity threats. Our unified security management platform integrates data for detection, response and compliance. It provides near real-time intelligence and unified, customized solutions for organizations of all sizes, industries and locations. AT&T’s new standalone cybersecurity solutions business division will focus on making AT&T’s extensive cybersecurity capabilities and technologies accessible to businesses of all sizes around the globe. Visit AT&T Cybersecurity for more information about our offerings for customers.
- Engaging with Stakeholders
AT&T is proud to be a leader and a participant in many industry, academic and governmental organizations both to set standards and to keep pace with industry developments. Our employees interact with and participate in several U.S. and international security organizations, including:
- Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security
- Computer Emergency Response Team/Coordination Center (CERT/CC)
- Forum of Incident Response and Security Teams (FIRST)
- National Security Telecommunications Advisory Committee (NSTAC), a federal advisory council to the president of the United States on issues of national security and emergency preparedness
- National Coordinating Center for Communications (NCC), which serves as the Information Sharing and Analysis Center (ISAC) for communications and organizes operational response activities in the event of both cyber and physical incidents
- Communications Sector Coordinating Council (CSCC), which conducts planning activities on cybersecurity issues with the U.S. Department of Homeland Security
- U.K. Centre for the Protection of National Infrastructure (CPNI) National Security Information Exchange (NSIE)
- Various Information Sharing and Analysis Centers (ISACs), including the Information Technology, Auto and Retail ISACs
- U.S. InfraGard
- Security activities within the Internet Engineering Task Force (IETF)
AT&T also participates in:
- National Telecommunications and Information Administration (NTIA)
- Federal Communications Commission (FCC) Communications Security, Reliability and Interoperability Council (CSRIC)
- Network Reliability Steering Committee (NRSC)
- USTelecom and the Council to Secure the Digital Economy (CSDE)
- Cellular Telecommunications Industry Association (CTIA) cybersecurity working group
- Consumer Technology Association (CTA) technology council security working group
- National Institute of Standards and Technology (NIST) and the Information Security and Privacy Advisory Board (ISPAB)
- NIST National Cybersecurity Center of Excellence
- Internet of Things (IoT) Cybersecurity Alliance (IoTCA)
For more information on our stakeholder engagement, as well as our view and commentary on cybersecurity policy news, visit our public policy blog.
- Awareness and Education
Education is the best line of defense. As more devices connect to the internet, education becomes more important. Cyber Aware is a resource from AT&T to empower and educate consumers about fraud protection and cybersecurity. Our goal is to make customers more alert to help them protect their information. We recognized that many customers have questions but do not know where to find answers. The Cyber Aware website explains in simple terms how many scams work, ways to recognize them and things customers can do. It offers security and privacy alerts that provide advice on patches and updates. It’s available to everyone, not just AT&T customers, at att.com/cyberaware.
Since the acquisition of WarnerMedia in June 2018 and the launch of Xandr in September 2018, we are continuing to integrate operationally and through our CSR reporting. For this reason, information for these two affiliates is not included in this brief, except where specifically referenced.