Security at AT&T
AT&T takes security very seriously. After it has come across the airlink, your data enters the AT&T network, where we take great care to ensure that data confidentiality and integrity are protected.
To secure data both in transit across the network and stored in the network, AT&T has implemented a comprehensive security program that focuses on 13 major areas. The areas are derived from ISO 17799, COBIT, and other industry best practices.
Although this section describes AT&T's specific security program, you can apply the concepts to carrier security in general. Before deploying a mission-critical wireless application using another carrier, make sure that company's security measures meet your tight standards.
The 13 areas are as follows:
- Strategy, planning, and governance
- Policies, standards, and compliance
- Metrics and measures
- Education and awareness
- Application development and testing
- Intrusion detection and response
- Network operations and firewalls
- Patch, antivirus, and vulnerability management
- User and access management
- Continuity planning and crisis management
- Disaster recovery
- Physical and environmental security
- Security personnel
Strategy, Planning, and Governance
AT&T has an Enterprise Security and Privacy Governance council with executive representatives from each key area of our business. The council meets regularly to create strategies and make decisions about security and privacy issues that affect AT&T and our customers.
Policies, Standards, and Compliance
AT&T has developed policies and standards that cover seven security domains, and we actively monitor our security processes to make sure that the business as a whole is complying with those policies and standards:
- Confidentiality and privacy
- Systems, hosts, and devices
- Middleware and applications
- Security management and process definition
Additionally, AT&T has an active program for ensuring compliance with the Sarbanes-Oxley Act of 2002. And we have annual security assessments performed by third parties to test the effectiveness of our security program.
Metrics and Measures
It is not enough just to have security policies and to set standards. To make sure that their policies and procedures are actually followed, enterprises need to define metrics for each area of their security programs and to determine how to measure success and compliance in those areas.
At AT&T, we have established specific metrics for each of the other 12 areas in our security program. Having objective, quantifiable goals and performance measurements ensures that the program is working the way we want it to.
Education and Awareness
AT&T has a security awareness program that's designed with modules to address the needs of specific job functions and roles. For example, additional technical training is included in the modules for developers, database administrators, and system administrators; modules for executives emphasize more corporate-level policies.
Application Development and Testing
AT&T has rigorous procedures in place to make sure that all our applications are fully tested and meet our security requirements. AT&T also regularly tests production Internet applications for security vulnerabilities.
Intrusion Detection and Response
AT&T has deployed an advanced intrusion detection system that is actively monitored by our Security Network Operations Center (SNOC). SNOC has established procedures to analyze events and to evaluate the threat that a particular event may pose. SNOC also has a Security Incident Response process in place to rapidly investigate and respond to potential attacks.
Network Operations and Firewalls
AT&T has redundant stateful inspection firewalls at each border connection to the AT&T infrastructure. Appropriate security measures are in place for all traffic that remotely accesses the AT&T infrastructure.
AT&T also has redundant Network Operation Centers operating 24x7, to ensure the proper operation of all security systems.
Patch, Antivirus, and Vulnerability Management
AT&T actively scans the network environment for potential vulnerabilities, and we have vulnerability management processes in place to mitigate risks. AT&T also has security patch and antivirus management programs to make sure that software updates and virus signatures are deployed rapidly when they become available. Additionally, our comprehensive antivirus program includes rapid virus detection and removal.
User and Access Management
AT&T uses a workflow tool for processing requests to access our applications and systems. Procedures are in place to verify employment and to review the need for access before the access is granted. Additionally, when employees leave the company, their user accounts are removed promptly.
Continuity Planning and Crisis Management
AT&T's enterprise-wide Continuity Planning and Crisis Management program is designed to minimize risk to people, profit, process, and property through defined best practices. The program has four phases:
Procedures that support these phases include:
- Business impact analysis
- Site risk assessment, policies, standards, and guidelines
- Personal preparedness
- Crisis and incident management, planning, and support
- Government coordination
- Recovery plan development
- Disaster exercises
- Recovery support
Disaster Recovery
AT&T's IT Continuity Planning and Disaster Recovery Program includes disaster preparedness and recovery planning for critical IT applications, processes, and facilities. AT&T contracts with third parties to support critical IT components and also implements in-house recovery strategies to ensure that business processes can continue in the event of disaster. AT&T regularly performs disaster exercises to provide training and to validate recovery capabilities.
Physical and Environmental Security
All AT&T facilities that contain critical information systems and assets are protected by a combination of physical security measures. These measures may include magnetic badge readers, security personnel, video monitoring systems, and so on. Precisely defined policies in our Data Center Access Policy for AT&T Enterprise Data Centers determine which measures we implement at a given facility.
AT&T manages physical access to facilities through card-key security badges, and AT&T Data Center Operations controls who can access critical assets across the enterprise. Some facilities use a single-badge photo ID and access card (combined); others use a dual-badge system with a separate photo ID and electronic badge that records entry to all critical-asset areas.
Procedures are in place to verify employment and to review the need for access before the access is granted. A critical-asset owner maintains a list of employees who are authorized to access the asset.
Security Personnel
AT&T employs only well-trained and industry-certified security professionals to manage and support our security program.