AT&T Issue Briefs

Our issue briefs provide additional details on topics identified as most important by our stakeholders.

ESG Material Issues
Network & data security

Our Position

AT&T operates one of the world's most advanced and powerful global backbone networks and is recognized as a leading provider of IP-based communication services to businesses and consumers. Security is at the core of our network and is central to everything we do. AT&T views security as a process, driven by management direction and user awareness and supported by expert skills and advanced technology.

Our Action

Safeguarding data is in our DNA as a communications company with more than 140 years of history. For more than a century, we've evolved security protocols and technologies alongside the technological evolution from telegraph to telephone to internet - and now to artificial intelligence-based, dynamic communication. Our ability to apply automated threat detection technologies to the analysis of AT&T's network data is critical to safeguarding our network and infrastructure as the volume of attempted cyberattacks continues to grow.

As a result, AT&T is continually improving security through active research and development programs, involvement with standards organizations, tracking of industry developments, and the evaluation of new security technologies and products. AT&T is regularly evaluating and deploying new tools and systems to deliver highly effective security safeguards. To help provide security for data both in transit across the network and stored in the network, AT&T has implemented a comprehensive security program derived from ISO-27001, COBIT and other industry best practices.

AT&T Chief Security Office

The Chief Security Office (CSO), led by our Chief Security Officer, establishes policy and requirements - as well as comprehensive programs - to help build security into the fabric of every organization across the business. The information security program is designed to protect the integrity, confidentiality and availability of our network. The CSO maintains a global organization composed of highly trained and expert security professionals, with additional security specialists in other organizations across AT&T. These additional specialists work closely with the CSO to address department-specific issues and help provide security for their respective functional areas.

The CSO is dedicated to the protection of the AT&T global network, supporting a broad range of functions from security policy management to implementation of security solutions. Additionally, the group reviews and assesses our security control posture to keep pace with industry developments and to satisfy regulatory and business requirements.

The CSO's technical personnel work in conjunction with other AT&T departments to evaluate threats, determine protective measures, create response capabilities and assess compliance with security best practices. The Audit Committee of the AT&T Board of Directors (the Board) oversees the company's risk management strategy, which includes cybersecurity and defense of our network. The Board and the Audit Committee receive updates from officers, including our Chief Security Officer, on network and data security and associated risks.

AT&T Security Standards

The AT&T Security Policy and Requirements (ASPR) serves as a guide and a reference point for conducting business in a secure environment and protecting AT&T information resources. ASPR is a comprehensive set of security control standards based, in part, on leading industry standards such as ISO/IEC 27001:2013. ASPR also aligns with laws and standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST 800-53, as well as the European Union’s General Data Protection Regulation (GDPR), Criminal Justice Information Services (CJIS) Security Policy, and the California Consumer Privacy Act (CCPA). AT&T also performs annual third-party certifications/audits – such as those for the Payment Card Industry (PCI) Data Security Standard, the Information Security Standard (ISO/IEC 27001), the Sarbanes-Oxley Act (SOX), SSAE 18/ISAE 3402 (SOC) and the Quality Management Standard (ISO 9001)[1] – to demonstrate compliance to our customers and our stakeholders.

[1] ISO 9001 certification is applicable in the following areas within AT&T: Network Operations, Supply Chain, and Government Solutions.

Given the dynamic environment that AT&T supports, ASPR content is continually re-evaluated and modified as industry standards evolve and as circumstances require. In addition, operating procedures, tools and other protective measures are regularly reviewed to help provide the highest standards of security throughout our company. ASPR applies enterprisewide. ASPR applies to all employees and contractors and establishes the minimum required safeguards to protect computing and networking assets, data and services. Additionally, AT&T's Supplier Information Security Requirements is a minimum set of security requirements which are required to be included in contracts with suppliers when they are performing certain services for AT&T.

AT&T's publicly available Products and Applications Security Requirements are designed to be a proactive approach to help prevent security and operational gaps in Commercial Off-the-Shelf (COTS) products and applications that are implemented into the AT&T internal network. These requirements are used when purchasing COTS products, applications and hardware, or when obtaining trial/shareware for use within the AT&T internal network.

AT&T maintains two global ISO/IEC 27001:2013 certifications. The scope of these certifications covers the AT&T global IP infrastructure and certain customer-facing products and services. To maintain the certifications, AT&T undergoes annual recertification assessments. We are committed to achieving ongoing certification.

AT&T has also achieved ISO 9001:2015 certification, the global standard for quality management systems. ISO 9001 certification demonstrates AT&T's ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements as well as AT&T's aim to enhance customer satisfaction through the effective application of the quality management system, including processes for continual improvement.

In 2021, the AT&T CSO hosted a public AT&T Cyber Security Conference featuring AT&T and industry security experts covering the latest security trends, increasing threats and best practices.

Training and Compliance

The AT&T CSO is charged with directing and coordinating security awareness and education. The group maintains an internal security awareness website and newsletter, employee- and department-specific bulletins and communications, job aids, technology conferences, and employee security awareness events to deliver general and targeted security awareness initiatives within AT&T. The program uses subject matter experts from various security groups and disciplines across the business for content development and to deliver webcasts and video productions.

The AT&T internal security awareness program takes an innovative engage-while-learning approach. Our program enforces personal responsibility from every person who touches the network - from office workers and server administrators to those in the field and more. Using a series of animated characters to share learnings about security, the storylines ask employees to imagine real-life scenarios that could involve them, such as opening a dangerous link or sending data unencrypted. Our lead animated character - which has become an iconic internal brand - learns awareness lessons on behalf of the employee.

Under the banner of the AT&T proprietary slogan You Are the Firewall™, animated short stories, original video games with embedded security training, live game shows and an International Security Awareness Week promote security with employees at all of our worldwide AT&T locations. This entertainment-based approach to the security awareness program was reviewed by industry analysts and has received the highest acclaim from the Institute for Applied Network Security.

AT&T also produces a recurring security program featuring AT&T CSO analysts called AT&T ThreatTraq. This online program adds another dimension of security training and awareness through weekly webisodes available to employees and the public.

A security awareness course is included in the AT&T Corporate Compliance training bundle, representing a required annual security training component. The content is developed, approved and managed by the CSO.

AT&T's Code of Business Conduct (Code) is the foundation for how we do business and how we treat each other and our customers. The Code puts our values in action and guides us to the right decisions every day. All AT&T employees are required to annually acknowledge their responsibility to adhere to our Code and our Information Security Policy. AT&T employees also receive periodic awareness and compliance training to reinforce our privacy standards.

We have controls in place so AT&T employees, contractors and suppliers are properly screened. For example, we conduct background checks on the finalists for all U.S. and international employment positions,[2] and AT&T’s Global Connections and Supply Chain organization includes asset protection background check requirements in AT&T agreements with suppliers. These requirements help to ensure that personnel of suppliers granted physical access to AT&T and customer premises are properly screened and are aware of their responsibilities regarding AT&T and customer assets.

[2] It is AT&T’s practice to conduct background checks that include foreign countries to the best of our ability and within our influence. We respect the laws and customs of all foreign countries that prohibit us from conducting a complete background check.

We encourage employees to obtain additional security training and achieve accreditations and certifications when relevant to their roles. This training is conducted both within AT&T and through corporate training organizations, such as:

  • The International Information Systems Security Certification Consortium
  • The Information Systems Security Association
  • The SANS Institute
  • Vendor- and product-specific training and certification

Our large population of security professionals maintains certifications and credentials, such as:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Ethical Hacker (CEH)
  • Global Information Assurance Certification (GIAC)

AT&T conducts regular reviews of our operations and applications for security compliance, which is essential for evaluating adherence to our security procedures. These reviews may be facilitated or conducted through our CSO; by a department representative for a product, service, supplier or partner relationship; or by an internal operations team responsible for life cycle service management.

Testing and Reporting

AT&T's approach to identifying and mitigating network and application vulnerabilities is formalized in our security risk management program. AT&T conducts regular tests and evaluations to help verify that security controls are in place and functioning in accordance with our security policy. Security status checking includes:

  • Reviewing and verifying system security settings, computer resource security settings and status, and users having security administrative authority or system authority
  • Testing network elements to verify that the proper level of security patches is applied and that only required system processes are active
  • Validating server compliance with AT&T Security Policy and Requirements
  • Utilizing independent third parties to help assess risk to AT&T, its network and its customers, including its suppliers where appropriate

Vulnerability testing is performed by internal authorized personnel, using leading-edge industry scan tools augmented by AT&T-developed tools to verify whether controls can be bypassed to obtain any unauthorized access. We use systemic anomaly reporting to indicate abnormal use of our systems - both customer-facing and employee-facing. When vulnerabilities are identified, they are assessed as to severity, potential impact to AT&T and its customers, and likelihood of occurrence. Plans are developed, implemented and tracked to address vulnerabilities.

AT&T has a formal, documented Risk Management policy and program that includes risk identification, risk assessment, risk analysis and risk mitigation. An extensive program of vulnerability testing, compliance reviews and security audits provides a comprehensive view of AT&T's security risk posture.

Additionally, AT&T uses a consistent, disciplined global process for the identification of security incidents and threats in a timely manner to minimize the loss or compromise of information assets and facilitate incident resolution. The AT&T Global Technology Operations Center maintains 24/7, near-real-time security monitoring of the AT&T network for investigation, action and response to network security events. Our threat management platform and program provide near-real-time data correlation, situational awareness reporting, active incident investigation, case management, trending analysis and predictive security alerting. AT&T utilizes the same set of security tools to manage its global network that it uses for the Managed Security Services available to enterprise customers.

We also encourage and reward contributions by developers and security researchers through the AT&T Bug Bounty Program. We provide monetary rewards and/or public recognition for certain security vulnerabilities responsibly disclosed to us.

AT&T Security Innovation Strategy

The world of networked computing - especially for today's mobile, always-connected devices, applications and cloud environments - is fast moving and highly dynamic. New security architectures taking advantage of the latest advances in virtualization, artificial intelligence and networking are designed and implemented to protect network, data, mobility and cloud-based information resources in an era of large-scale, sophisticated attacks.

The AT&T Security Center for Innovation was created within the AT&T CSO to share new perspectives with the security industry and drive best-in-class security innovation in communications and computing. Researchers work on large-scale problems in areas such as mobility and cellular/5G, cloud computing, networking, virtualization, Internet of Things (IoT), blockchain and artificial intelligence/deep learning/machine learning (AI/DL/ML). In particular, researchers look for ways to utilize the power of AT&T’s network for new security solutions, architectures and mechanisms. Their results and innovations become part of new systems and services that AT&T deploys for next-generation security to protect our customers.

AT&T Business Solutions

Security is top-of-mind for any business, large or small. And helping protect customers' IT infrastructure against today's emerging threats is more important than ever. The cyberthreat landscape is complex, requiring a coordinated and collaborative defense system.

AT&T Cybersecurity, through its cybersecurity consulting practice, endpoint security, network security, and threat detection and response powered by AT&T Alien Labs threat intelligence, helps businesses stay ahead of evolving cybersecurity threats. A trusted adviser, AT&T Cybersecurity works with customers to design, deploy and manage security solutions and services that proactively identify areas of cyber-risk and preventive measures to help protect critical assets. AT&T Cybersecurity’s Managed Security Services utilize the power of the AT&T Unified Security Management platform and enable integration, automation and orchestration across AT&T’s portfolio of network-centric managed security services – helping make it safer for businesses to innovate through network resiliency. Visit AT&T Cybersecurity at cybersecurity.att.com for more information about our solutions for business customers.

Engaging with Stakeholders

AT&T is proud to be a leader and a participant in many industry and academic organizations - both to help set standards and to keep pace with industry developments. Our employees participate in several U.S. and international security organizations including:

  • Computer Emergency Response Team/Coordination Center (CERT/CC)
  • Forum of Incident Response and Security Teams (FIRST)
  • Various Information Sharing and Analysis Centers (ISACs), including the Communications, Information Technology, Auto and Retail ISACs
  • U.S. InfraGard
  • Internet Engineering Task Force (IETF)
  • U.S. Telecom and Cellular Telecommunications Industry Association (CTIA) Cybersecurity Working Groups
  • National Cyber-Forensics and Training Alliance (NCFTA)
  • Industry Traceback Group (ITG), which actively traces and identifies the source of illegal robocalls
  • Various standards bodies, including 3rd Generation Partnership Project (3GPP) and the Alliance for Telecommunications Industry Solutions (ATIS)

AT&T also participates in the U.S. government’s critical infrastructure protection partnership process, collaborating with several agencies to protect U.S. communications networks and critical infrastructure including:

  • Cybersecurity and Infrastructure Security Agency (CISA) and Joint Cyber Defense Collaborative (JCDC) at the U.S. Department of Homeland Security
  • National Security Telecommunications Advisory Committee (NSTAC), a federal advisory council to the president of the United States on issues of national security and emergency preparedness
  • Enduring Security Framework (ESF), a public-private partnership between industry and various federal agencies intended to improve cybersecurity
  • National Coordinating Center for Communications (NCC), which serves as the ISAC for communications and organizes operational response activities in the event of both cyber and physical incidents
  • Communications Sector Coordinating Council (CSCC), which conducts planning activities on cybersecurity issues with the U.S. Department of Homeland Security
  • National Security Information Exchange (NSIE)
  • Federal Communications Commission (FCC) Communications Security, Reliability and Interoperability Council (CSRIC)

For more information on our stakeholder engagement and our view and commentary on cybersecurity policy news, visit our public policy blog.

Consumer Awareness and Education

Educating consumers on proper security measures is the best line of defense. And as more devices connect to the internet, education becomes even more important. AT&T Cyber Aware is a resource designed to empower and educate consumers about fraud protection and cybersecurity. The Cyber Aware website explains in simple terms how many scams work, ways to recognize them and steps consumers can take to protect themselves. The website offers information and alerts on security and privacy topics and is available to everyone – not just AT&T customers. For more information, see our Responsible Use of Products & Services issue brief. 

Robocall Scam Identification and Mitigation

AT&T has established mechanisms to identify illegal robocall campaigns and help to mitigate them. Fraud calls are blocked from reaching customers' phones and suspected spam is labeled so customers can choose to answer or not. About 1 billion robocalls are blocked or labeled per month through two complementary programs:

  1. AT&T Call Protect automatically blocks fraud calls and labels other nuisance calls so a wireless customer can choose to answer or not. It identifies the calls through data analytics, network intelligence and customer reports. It comes standard and is automatically enabled on mobility lines at no charge. No app is needed, but customers can download a free AT&T Call Protect app to customize settings and block more calls.[3] A similar service, Digital Phone Call Protect, is available free for customers of AT&T Phone, our digital home phone Voice over Internet Protocol (VoIP) service.
  2. AT&T's Global Fraud Management organization, with assistance from the AT&T Chief Data Office, uses sophisticated algorithms to examine billions of calls each day for patterns that indicate a robocalling scheme. They investigate suspicious activity that may be illegal or forbidden, relying on human fraud expertise before blocking. The program helps prevent illegal calls from reaching any type of AT&T phone - wireless, VoIP or traditional landline.

[3] Available for wireless customers with AT&T HD voice-enabled iOS or Android smartphones. Labeling requires an AT&T HD Voice coverage area.

The Global Fraud Management team also works closely with the U.S. Telecom Industry Traceback Group and law enforcement to identify the source of illegal calls. This process provides necessary information to stop illegal robocall campaigns and places responsibility on service providers for traffic that originates on their networks.

Implementation of the caller ID authentication standard known as STIR/SHAKEN remains a top priority for AT&T, and we have deployed it across our IP networks. We have filed comments with the FCC detailing our progress on this front and offering our support as the FCC addresses the complex details of implementation. We also supported the TRACED Act, which codified implementation requirements.

Customers are offered complimentary security features through AT&T ActiveArmor℠, which includes 24/7 network protection, built-in security technology and additional security apps for both wireless and internet customers. We also work to protect our customers from abusive, illegal and unwanted text messages – including patented, automated scanning and filtering. Consumers can help by forwarding suspicious text messages to 7726 (SPAM) so we can investigate them.

For more information on how to report and guard against fraud or security issues, please visit our Fraud & Security Resources site.

Disclaimer: This document provides an overview of the AT&T security policies and programs. This document is provided as summary information only. It is not a contract, and no statement, representation or characterization within this document shall be construed as an implied or express commitment, obligation or warranty on the part of AT&T Inc. or any of its affiliates, or any other person. The information, policies and procedures described herein are subject to change.