ASPR applies to all employees and contractors and establishes the minimum required safeguards to protect computing and networking assets, data and services.
In addition, operating procedures, tools and other protective measures are regularly reviewed to help provide the highest standards of security throughout our company. Given the dynamic environment that AT&T supports, ASPR content is continually re-evaluated and modified as industry standards evolve and as circumstances require. AT&T also performs annual third-party certifications/audits – such as those for the Payment Card Industry (PCI) Data Security Standard, the Information Security Standard (ISO/IEC 27001), the Sarbanes-Oxley Act (SOX), SSAE 18/ISAE 3402 (SOC) and the Quality Management Standard (ISO 9001) – to demonstrate compliance to our customers and our stakeholders. ISO 9001 certification is applicable in the following areas within AT&T: Network Operations, Supply Chain, and Government Solutions. ASPR also aligns with laws and standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST 800-53, as well as the European Union’s General Data Protection Regulation (GDPR), Criminal Justice Information Services (CJIS) Security Policy, and the California Consumer Privacy Act (CCPA). ASPR is a comprehensive set of security control standards based, in part, on leading industry standards such as ISO/IEC 27001:2013. The AT&T Security Policy and Requirements (ASPR) serves as a guide and a reference point to conducting business in a secure environment and protecting AT&T information resources. The Board and the Audit Committee receive updates from officers, including our Chief Security Officer, on network and data security and associated risks. The Audit Committee of the AT&T Board of Directors (the Board) oversees the company’s risk management strategy, which includes cybersecurity and defense of our network. The CSO’s technical personnel work in conjunction with other AT&T departments to evaluate threats, determine protective measures, create response capabilities and assess compliance with security best practices.
Additionally, the group reviews and assesses our security control posture to keep pace with industry developments and to satisfy regulatory and business requirements. The CSO is dedicated to the protection of the AT&T global network, supporting a broad range of functions from security policy management to implementation of security solutions. These additional specialists work closely with the CSO to address department-specific issues and help provide security for their respective functional areas. The CSO maintains a global organization composed of highly trained and expert security professionals, with additional security specialists in other organizations across AT&T. The information security program is designed to protect the integrity, confidentiality and availability of our network. The Chief Security Office (CSO), led by our Chief Security Officer, establishes policy and requirements – as well as comprehensive programs – to help build security into the fabric of every organization across the business. To help provide security for data both in transit across the network and stored in the network, AT&T has implemented a comprehensive security program derived from ISO-27001, COBIT and other industry best practices. AT&T is regularly evaluating and deploying new tools and systems to deliver highly effective security safeguards. Our ability to apply automated threat detection technologies to the analysis of AT&T’s network data is critical to safeguarding our network and infrastructure as the volume of attempted cyberattacks continues to grow. As a result, AT&T is continually improving security through active research and development programs, involvement with standards organizations, tracking of industry developments, and the evaluation of new security technologies and products.
For more than a century, we’ve evolved security protocols and technologies alongside the technological evolution from telegraph to telephone to internet – and now to artificial intelligence-based, dynamic communication. Safeguarding data is in our DNA as a 140+-year-old communications company.