AT&T operates one of the world’s most advanced and powerful global backbone networks. Security is at the core of our network and is central to everything we do.
Safeguarding data is in our DNA as a 140+ year-old communications company. For more than a century, we’ve evolved security protocols and technologies alongside technological evolution from telegraph, to telephone, to internet and now to artificial intelligence–based, dynamic communication. Our ability to apply automated threat detection technologies to the analysis of AT&T’s network data is critical to safeguarding our network and infrastructure as the sheer volume of attempted cyberattacks continues to grow significantly.
As a result, AT&T is continually improving security through active research and development programs (via standards organizations), participation in and tracking of industry developments, and the evaluation of new security technologies and products. AT&T is constantly employing new tools and systems to deliver highly effective security safeguards. To help provide security for data both in transit across the network and stored in the network, AT&T has implemented a comprehensive security program derived from ISO 17799, COBIT and other industry best practices.
AT&T Chief Security Office
The Chief Security Office (CSO), led by our chief security officer, establishes policy and requirements – as well as comprehensive programs – to help build security into the fabric of every organization across the business. The information security program is designed to help protect the integrity, confidentiality and availability of our network. The CSO maintains a global organization composed of highly trained and expert security professionals, with additional security specialists in other organizations across AT&T. These additional specialists work closely with the CSO to address department-specific issues and help provide security for their respective functional areas.
The CSO is dedicated to the protection of the AT&T global network, supporting a broad range of functions from security policy management to implementation of security solutions. Additionally, the group reviews and assesses our security control posture to keep pace with industry developments and to satisfy regulatory and business requirements.
The CSO’s technical personnel work in conjunction with other AT&T departments to evaluate threats, determine protective measures, create response capabilities and assess compliance with security best practices. Additionally, the Audit Committee of the AT&T Board of Directors oversees the company’s risk management strategy, which includes cybersecurity and defense of our network. The Board and the Audit Committee receive regular updates from our chief security officer on network and data security, and associated risks.
AT&T Security Standards
AT&T has developed and maintains the AT&T Security Policy and Requirements (ASPR), a set of security control standards based in part on leading industry standards such as ISO/IEC 27001:2013. ASPR also aligns to laws and standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST 800-53, as well as the European Union’s General Data Protection Regulation (GDPR), Criminal Justice Information Services (CJIS) Security Policy and the California Consumer Privacy Act (CCPA). AT&T also performs annual third-party certifications/audits – such as those for the Payment Card Industry, Sarbanes-Oxley Act (SOX) and SSAE 16/ISAE 3402 (SOC) – to demonstrate compliance to our customers and our stakeholders.
Given the dynamic environment that AT&T supports, ASPR content is continually re-evaluated and modified as industry standards evolve and as circumstances require. In addition, operating procedures, tools and other protective measures are regularly reviewed to help provide the highest standards of security throughout our company. ASPR applies enterprise-wide and establishes the minimum required safeguards to protect computing and networking assets, data and services. It applies to all employees, contractors, suppliers, supervisors, application/software developers, system and database administrators, network architects and operations teams. While the standards may be exceeded, compliance with ASPR is mandatory except where covered by a legally binding agreement or an applicable but contradictory law. AT&T’s Supplier Information Security Requirements (SISR) is a minimum set of security requirements that are included in contracts with suppliers when they are performing certain services for AT&T and AT&T Customers.
AT&T maintains 2 global ISO 27001 certifications. The scope of these certifications covers the AT&T global IP infrastructure and certain customer-facing products and services.
Training and Compliance
The AT&T CSO is charged with directing and coordinating security awareness and education. The group maintains an internal security awareness website, an internal awareness newsletter, employee- and department–specific bulletins and communications, job aids, technology conferences, and employee security awareness events to deliver general and targeted security awareness initiatives within AT&T. The program uses subject matter experts from the various security groups and disciplines for content development and to deliver webcasts and video productions.
The AT&T internal security awareness program takes an innovative engage-while-learning approach. Our program enforces personal responsibility from every person who touches the network – from office workers and server administrators to those in the field and more. Using a series of animated characters to share learnings about security, the storylines ask employees to imagine real-life scenarios that could involve them, such as opening a dangerous link or sending data unencrypted. Our lead animated character – which has become an iconic internal brand – learns awareness lessons on behalf of the employee.
Under the banner of the AT&T proprietary slogan You Are the Firewall™, animated short stories, original video games with embedded security training, live game shows and an International Security Awareness Week promote security with employees at all of our worldwide AT&T locations. This entertainment-based approach to the security awareness program was reviewed by industry analysts and has received the highest acclaim from the Institute for Applied Network Security.
A security awareness course is included in the AT&T Corporate Compliance training bundle, representing a required annual security training component. The content is developed, approved and managed by the CSO.
AT&T also produces a recurring security program featuring AT&T CSO analysts called AT&T ThreatTraq. This program adds another dimension of security training and awareness through weekly webisodes open to employees and to the public via the internet.
All AT&T employees are required to annually acknowledge their responsibility to adhere to our Code of Business Conduct and our Information Security Policy. AT&T employees also receive periodic awareness and compliance training to reinforce our privacy standards.
We encourage employees to obtain additional security training and achieve accreditations and certifications when relevant to their roles. This training is conducted both within AT&T and through corporate training organizations, such as:
- The International Information Systems Security Certification Consortium (ISC)²
- The Information Systems Security Association
- The SANS Institute
- Vendor- and product-specific training and certification
Our large population of security professionals maintains certifications and credentials, such as:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification (GIAC)
AT&T conducts regular reviews of our operations and applications for security compliance, which is essential for evaluating adherence to our security procedures. These reviews may be facilitated or conducted through our CSO; by a department representative for a product, service, supplier or partner relationship; or by an internal operations team responsible for life cycle service management.
Testing and Reporting
AT&T conducts regular tests and evaluations to help provide security controls and maintain their functionality in accordance with our security policy. Security status checking includes:
- Reviewing and verifying system security settings, computer resource security settings and status, and users having security administrative authority or system authority
- Testing network elements to help verify that the proper level of security patches is applied and that only required system processes are active
- Validating server compliance with the AT&T Security Policy
- Utilizing independent third parties to help assess risk to AT&T, its network and its customers, including its suppliers where appropriate
Vulnerability testing is performed by authorized personnel, using AT&T-developed tools and leading-edge scan tools, to verify whether controls can be bypassed to obtain any unauthorized access. We use systemic anomaly reporting to indicate abnormal use of our online customer relationship management (CRM) systems – both customer facing and employee facing. Alarms are investigated and appropriate remediation steps are taken.
Information regarding the security of our infrastructure and services is managed and communicated on a need-to-know basis. Results of our testing and checking are combined with threat intelligence gathered through trend analysis and reported to security organization executives.
Additionally, AT&T uses a consistent, disciplined global process for the timely identification of security incidents and threats. The AT&T Global Technology Operations Center (GTOC) maintains 24/7, near-real-time security monitoring of the AT&T network for investigation, action and response to network security events. Our threat management platform and program provide near-real-time data correlation, situational awareness reporting, active incident investigation, case management, trending analysis and predictive security alerting.
We also encourage and reward contributions by developers and security researchers through the AT&T Bug Bounty Program. We provide monetary rewards and/or public recognition for certain security vulnerabilities responsibly disclosed to us.
Business Continuity and Disaster Recovery
The U.S. Department of Homeland Security includes the communications industry among 16 critical infrastructure sectors. At AT&T, we design our network and operations to be resilient – so we’re prepared to provide essential communications and data connectivity for our customers and communities. Our global team of certified and experienced business continuity experts, led by our President of Technology and Operations, works to maintain operations of key business processes by utilizing documented business continuity strategies, plans and procedures that are updated and exercised on an annual basis. Regular reports on our business continuity efforts are shared with the Audit Committee of the AT&T Board of Directors.
Our Business Continuity Management Program is certified to the international business continuity standard ISO 22301:2012. It’s also aligned with the Disaster Recovery Institute International Professional Practices, Business Continuity Institute Good Practice Guidelines, U.S. Department of Homeland Security National Incident Management System and ISO 31000. Alignment with such standards demonstrates that AT&T is equipped to maintain business operations and serve our customers in the vital hours, days or weeks after disaster strikes.
AT&T Security Research Center
The AT&T Security Research Center was created within the AT&T CSO to invent the future of security in communications and computing and create what may seem to be impossible today and revolutionary for tomorrow. Researchers work on large-scale problems in areas such as mobility and cellular, cloud computing, networking and data mining. In particular, they look for ways to utilize the power of the network for new security architectures and mechanisms.
AT&T Business Solutions
Security is top of mind for any business, large or small. And helping protect customers’ IT infrastructure against today’s emerging threats is more important than ever. The cyber threat landscape is complex, requiring a coordinated and collaborative defense system.
AT&T Cybersecurity, through its cybersecurity consulting practice, managed security services and Alien Labs threat intelligence, helps businesses stay ahead of evolving cybersecurity threats. A trusted adviser, AT&T Cybersecurity works with customers to design, deploy and manage security solutions and services that proactively identify areas of cyber risk and preventive measures to help protect critical assets. AT&T Cybersecurity’s Managed Security Services utilize the power of the AT&T Unified Security Management platform and enable integration, automation and orchestration across AT&T’s portfolio of network-centric managed security services, helping make it safer for businesses to innovate through network resiliency. Visit AT&T Cybersecurity at cybersecurity.att.com for more information about our solutions for business customers.
Engaging with Stakeholders
AT&T is proud to be a leader and a participant in many industry, academic and governmental organizations, both to set standards and to keep pace with industry developments. Our employees interact with and participate in several U.S. and international security organizations, including:
- Cybersecurity and Infrastructure Security Agency at the U.S. Department of Homeland Security
- Computer Emergency Response Team/Coordination Center (CERT/CC)
- Forum of Incident Response and Security Teams (FIRST)
- National Security Telecommunications Advisory Committee (NSTAC), a federal advisory council to the president of the United States on issues of national security and emergency preparedness
- Enduring Security Framework (ESF), a public-private partnership between industry and various federal agencies intended to improve cybersecurity
- National Coordinating Center for Communications (NCC), which serves as the Information Sharing and Analysis Center (ISAC) for communications, and organizes operational response activities in the event of both cyber and physical incidents
- Communications Sector Coordinating Council (CSCC), which conducts planning activities on cybersecurity issues with the U.S. Department of Homeland Security
- U.K. Centre for the Protection of National Infrastructure (CPNI) National Security Information Exchange (NSIE)
- Various Information Sharing and Analysis Centers (ISACs), including the Information Technology, Auto and Retail ISACs
- U.S. InfraGard
- Security activities within the Internet Engineering Task Force (IETF)
AT&T also participates in:
- National Telecommunications and Information Administration (NTIA)
- Federal Communications Commission (FCC) Communications Security, Reliability and Interoperability Council (CSRIC)
- Network Reliability Steering Committee (NRSC)
- U.S. Telecom and the Council to Secure the Digital Economy (CSDE)
- Cellular Telecommunications Industry Association (CTIA) cybersecurity working group
- Consumer Technology Association (CTA) technology council security working group
- National Institute of Standards and Technology (NIST) and the Internet Security and Privacy Advisory Board (ISPAB)
- National Cyber-Forensics and Training Alliance (NCFTA)
- Industry Traceback Group (ITG), which actively traces and identifies the source of illegal robocalls
For more information on our stakeholder engagement, as well as our view and commentary on cybersecurity policy news, visit our public policy blog.
Consumer Awareness and Education
Educating consumers on proper security measures is the best line of defense. And as more devices connect to the internet, education becomes even more important. AT&T Cyber Aware is a resource designed to empower and educate consumers about fraud protection and cybersecurity. The Cyber Aware website explains in simple terms how many scams work, ways to recognize them and steps consumers can take to protect themselves. The website offers information and alerts on security and privacy topics and is available to everyone – not just AT&T customers. See our Responsible Use of Products & Services issue brief for more information.