  • 1. NetTN Network Security Management Plan
    CONFIDENTIAL under TCA 10-7-504
    Prepared By: AT&T Consulting
    Robert Knight
    SMP Version 2.2
    February 10, 2010
  • 2. Modification History
    AUTHOR | VERSION | DATE | COMMENTS
    Robert Knight | 1.0 | 8/31/2009 | Initial Version
    Robert Knight | 1.1 | 9/3/2009 | Incorporated Lisa Giebelhaus revisions
    Robert Knight | 1.2 | 9/10/2009 | Incorporated Danny White revisions
    Robert Knight | 1.3 | 9/18/2009 | Updated MSS contacts
    Robert Knight | 1.4 | 9/22/2009 | Changed font to Arial
    Vickie Stanfill | 1.5 | 10/15/2009 | Revised
    Robert Knight | 1.6 | 10/29/2009 | Incorporated Program Office Changes; added DR section language
    Robert Knight | 1.7 | 12/2/09 | Add Mark Freifeld’s new MRS & MSS Change Control procedures
    Robert Knight | 1.8 | 12/16/09 | Removed MRS MACD change control as requested by Program Office.
    Robert Knight | 2.0 | 1/14/2010 | Final Release, removed draft watermark, minor corrections; updated MSS MACD Process to v1/7/10.
    Robert Knight | 2.1 | 2/10/2010 | Added page numbers, revised MSS contacts.
    Robert Knight | 2.2 | 2/10/2010 | Realigned page numbers
  • 3. Table of Contents
    Overview
    Purpose
    Disclaimer
    About NetTN and AT&T
    AT&T
    AT&T Laboratories
    AT&T Chief Security Office
    The Worldwide AT&T Security Organization
    Security Organization Mandate
    Responsibilities
    Overview
    AT&T Security Responsibilities
    AT&T Senior Executive
    AT&T Management
    AT&T Staff
    AT&T Life Cycle Management (LCM) Team
    AT&T Global Customer Service Center (GCSC)
    AT&T Global Customer Support Center (GCSC) Manager
    AT&T GCSC Technicians
    AT&T CMS Tier 1 Help Desk
    AT&T Help Desk Technicians
    AT&T System Administrators
    End-Users
    AT&T Managed Security Services (MSS)
    Customer Responsibilities
    OIR Integrated Help desk (IHD)
    OIR Network Operations & Security Center (NOSC)
    NetTN Program Office
    AT&T NetTN Security Program
    Security Standards & Policy
    Confidentiality
    Network Segmentation Control Measures
  • 4. NetTN Strategic VRFs
    NetTN Dirty VRFs
    Physical Access Control Measures
    Logical Access Control Measures
    Network Element Access Controls
    Access Validation Process
    Network Perimeter (Firewall) Protection
    NetTN Core Security Design
    Virtual Firewalls
    Intrusion Detection
    IDS Features
    NetTN IDSM Layout
    NetTN IDSM Sensor Traffic Assignments
    Workstation Security Management
    Security Status Checking, EVM & Penetration Testing
    Security Status Checking
    Enterprise Vulnerability Management Program (EVM)
    Penetration Testing
    Security Status Reporting
    Risk Management
    Security Advisory Process
    Security Incident Reporting and Management
    Incident Response Plan
    State of Tennessee Security Incident Response Team
    AT&T Incident Response Analysts
    Incident Management Guidelines
    Incident Management Escalation/Notification Process
    Threat Management Guidelines (includes Intrusion Detection)
    Threat Management Escalation Procedure
    MSS Contacts and Escalation
    Incident Management Reporting
    Threat Management Email Alerts
    Security Reporting
    Security Compliance Reviews
    Change Management
  • 5. Scope
    Customer Initiated Security Policy Change Options
    Contacting AT&T for a Change Request
    MSS MACD* Process Flow Outlines
    MSS Change Request Guidelines
    MSS Change Control Guidelines
    MSS Change Request Escalation Procedure
    Business Continuity & Disaster Recovery Overview
    GCSC Disaster Recovery
    AT&T Corporate Management Engagement
    Strategy of Continuous Improvement
    Personnel Security
    Security Awareness and Education
    AT&T Cyber Security Conference
    Security Training and Certifications
    Appendix B. Statement Regarding ISO 27000 Standards
  • 6. Overview
    This document establishes the management plan for protecting data, services, and resources related to the Network Tennessee (NetTN) network, and those elements of the system that require protection. The NetTN Security Management Plan (SMP) is designed to support the NetTN Association Partners mission by providing direction and guidance to protect automated information system (AIS) resources and define responsibilities and authorities for carrying out the NetTN security program.
    This document is intended as a living document. Changes that affect network security may be added at any time. The NetTN Security Management Plan is specifically for those systems described in the security architecture. The boundary of the Security Management Plan includes all network devices from the Internet connection point to the Partner end site locations.
    Purpose
    This document will describe the plan for securing the NetTN network infrastructure. Elements of the plan include:
      • An overview of AT&T’s security policy and comprehensive programs that strive to ensure security is incorporated into every facet of AT&T's computing and networking environments. This overview focuses on the key elements and initiatives to safeguard NetTN customers and their data while managed by AT&T or in transit on the NetTN network.
      • High Level Roles & Responsibilities for AT&T & NetTN Association Partners
      • A summary of the customers’ security responsibilities to protect themselves
  • 7. Disclaimer
    This document provides a summary of the AT&T security policy and program as it relates to the NetTN network. This document is provided as summary information only. It is not a contract, and no statement, representation, or characterization within this document shall be construed as an implied or express commitment, obligation or warranty on the part of AT&T Inc. or any of its affiliates, or any other person. All contractual obligations between AT&T and the State of Tennessee are set out exclusively in the NetTN Contract, and nothing in this document shall amend, modify, supplement or otherwise change the provisions or terms of that agreement.
    About NetTN and AT&T
    The NetTN network serves the needs of all agencies in State Government, Higher Education, including the University of Tennessee and all the Schools of the Tennessee Board of Regents, as well as K-12, eHealth, E911, non-profits, and private schools. In addition, the network serves as the platform for use by Local Government in all 95 counties and promotes economic development across Tennessee. The State of Tennessee’s prime contractor, AT&T, will design and manage access connectivity with an overarching goal of ensuring expected performance.
    The NetTN Wide-Area-Network outsourced solution
      • NetTN is based on a private Multi-Protocol Label Switching (MPLS) core network with MPLS Virtual Private Networks (VPNs) to meet the State of Tennessee’s communication requirements. This infrastructure is the basis for all future services over Internet Protocol (IP) and collaborative computing initiatives for the next ten years.
      • The infrastructure is the enabler to building application-aware network-based MPLS/VPNs to link locations and efficiently transmit applications such as voice, data, and video over a single connection.
      • Access options to connect to the network include Dedicated Private Line, Ethernet, Wireless, and xDSL (where available).
    Paramount features of the NetTN effort are security, availability and reliability
  • 8.
      • The physical NetTN network consists of a partial mesh topology designed to eliminate a single point of failure from isolating a Network Access Point (e.g. Nashville, Knoxville, Memphis) or Point of Presence (POP) (e.g. Johnson City), and minimize increases in network latency in a failover scenario.
      • All main core backbone links between NAPs are 10 Gigabit Ethernet circuits. The partial mesh arrangement has been designed so that a failed core link will not result in excessive latency across a surviving core link.
      • The Johnson City POP will utilize, at minimum, redundant connections (e.g. 1 to Knoxville, 1 to Nashville) and will be sized appropriately to meet the NetTN Service Level Agreements (SLAs).
      • The NetTN Core backbone is scalable to 40 Gigabit services, and as end site bandwidth is ordered and aggregated, will be managed to the applicable SLAs.
    AT&T
    AT&T Inc. is a premier communications holding company. Operating globally under the AT&T brand, AT&T is recognized as the leading worldwide provider of IP-based communications services to businesses and a leading U.S. provider of wireless, high speed broadband Internet access, local and long distance voice, as well as directory publishing and advertising services. AT&T operates one of the world's most advanced and powerful global backbone networks, carrying more than 16.5 petabytes of data traffic on an average business day to nearly every continent and country, with up to 99.999 percent reliability.
    AT&T Laboratories
    AT&T Laboratories is the driving force behind groundbreaking communications innovations that transform the way people work, live and play. Innovations include new technologies, applications and services that support our security portfolio, which enhance and safeguard the customer experience. NetTN enhancements are fully tested in the AT&T lab environment prior to implementation on the NetTN production Network.
  • 9. AT&T Chief Security Office
    The AT&T Chief Security Office (CSO) organization establishes policy and requirements, as well as comprehensive programs, to ensure security is incorporated into every facet of AT&T's computing and networking environments (including NetTN). AT&T CSO technical personnel work in partnership with other AT&T Business Units and Divisions to evaluate threats, determine protective measures, create response capabilities, and ensure compliance with best security practices.
    The Worldwide AT&T Security Organization
    AT&T maintains a comprehensive global security organization comprised of over 700 security professionals. This organization is dedicated to the physical and logical security of the AT&T global network and its service offerings. It supports a broad range of functions, from security policy management to customer-facing security solutions.
    The AT&T global security organization reviews and assesses the NetTN Network security control posture to keep pace with industry security developments and to satisfy regulatory and business requirements. Recommendations are made to the Corporation on the technology solutions and critical skills that are to be developed or acquired in order to maintain the required security posture.
    AT&T actively participates in a number of global security organizations such as:
      • Computer Emergency Response Team/Coordination Center (CERT/CC)
      • Security activities within Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C)
      • Forum of Incident Response and Security Teams (FIRST)
    In addition, AT&T participates in the following government and government-sponsored organizations in the United States:
      • National Coordinating Center for Telecommunications (NCC)
      • U.S. Government Department of Homeland Security (DHS)
      • Network Reliability and Interoperability Council (NRIC)
      • Communications - Information Sharing and Analysis Center (Communications-ISAC)
      • Network Reliability Steering Committee (NRSC)
      • The National Telecommunications and Information Administration (NTIA)
      • National Communications System (NCS)
      • National Security Telecommunications Advisory Committee (NSTAC)
  • 10.
      • FBI InfraGard
      • U.S. Secret Service (USSS) Cyber Crimes Task Force
      • National Security Information Exchange (NSIE)
      • Shared High Frequency Radio Resources (SHARES) Program
      • Communications Sector Coordinating Council (SCC)
      • Telecommunications Service Priority (TSP) Oversight Committee
    Security Organization Mandate
    AT&T considers network and information security to be a cornerstone of the services that it delivers worldwide. By the security policy mandate of AT&T's Chief Security Office, AT&T is committed to protecting its NetTN customers and its own information and resources from unauthorized access, disclosure, corruption or disruption of service. This security policy is designed to protect AT&T and NetTN managed assets, and is applicable to network elements, systems, applications and workstations owned or managed by AT&T.
    Execution of the policy is led by the AT&T Chief Security Office organization whose role is to:
      • Protect NetTN Managed assets and resources from security breaches by monitoring potential security threats, correlating network events, and facilitating compliance with legal and regulatory security requirements.
      • Own and manage the AT&T security policies and standards for the Corporation and maintain ultimate responsibility for all aspects of network and information security within the Corporation.
  • 11. Responsibilities
    Overview
    Specific roles and responsibilities are necessary for the effective management and efficient administration and implementation of the NetTN Security Policies. The following roles and their respective responsibilities are established and outlined to meet administration requirements.
    AT&T Security Responsibilities
    All employees, suppliers, contractors, and agents of the AT&T companies are responsible for protecting AT&T Information Resources to assure the confidentiality, integrity, and availability of computing, networking, and information assets. The following section outlines some of the security responsibilities of each AT&T employee:
    AT&T Senior Executive
      • Senior executives own the responsibility for network and information security within their organizations and are accountable to the AT&T Chief Security Officer.
    AT&T Management
      • Accountable for protecting assets under their ownership and control.
      • Responsible for revoking logical and physical accesses owned by an employee on his/her job reassignment or termination from employment.
      • Responsible for the compliance of their staff with the requirements of the AT&T security policies.
      • Responsible for conducting logical and physical access revalidation at regular intervals.
  • 12.
      • Responsible for developing skills of staff necessary to support the security function.
      • Responsible for annual review and acceptance of AT&T Code of Business Conduct with staff.
    AT&T Staff
      • Comply with AT&T security policies.
      • Maintain and execute security status checking processes, security profile/signature upgrades, etc., on systems under their control.
      • Validate their personal logical and physical accesses on systems and facilities on a regular basis.
      • Comply with confidentiality requirements, customer privacy agreements, government policies where applicable and necessary, and office "clean desk" programs for securing confidential information.
      • Comply with the AT&T Code of Business Conduct.
    AT&T Life Cycle Management (LCM) Team
    The NetTN Life Cycle Management Team supports the NetTN contract & environment. Responsibilities include:
      • Provides tier 4 level support related to infrastructure management, delivery, break/fix, and daily operations of the NetTN Network.
      • Ensures the NetTN Network is operated in accordance with the requirements of this document.
      • Ensures requests for new NetTN Network infrastructure and services, or changes to existing NetTN Network infrastructure and services, include appropriate security requirements and that these requirements are incorporated into the system design.
      • Ensures coordination of significant security-related matters.
      • Reviews Managed Security Service (MSS) break/fix tickets related to firewalls and Intrusion Detection Systems with the NetTN Program Office on a weekly basis.
      • Provides assistance to NetTN Partner Member Information System Security Officer Points of Contact.
      • Responsible for developing and maintaining the NetTN Security Management Plan
  • 13.
      • Responsible for developing and maintaining the NetTN Incident Response Plan
    AT&T Global Customer Service Center (GCSC)
    The operations and management function for the NetTN Network is supported by AT&T. AT&T has many service support centers based upon service and function performed. Communication and information services entering and exiting end-sites via the NetTN infrastructure fall under the operational control of the Global Customer Service Center (GCSC). Currently, only OIR contacts GCSC directly as their primary help desk. Responsibilities include:
      • Oversees the NetTN Network through two primary support organizations, MRS (network) and MSS (security).
      • Provides network resources needed to achieve operational objectives.
      • Using network management systems, the GCSC performs network management and problem resolution for the backbone.
      • Provides network support services, including managing issue tracking tickets and providing coordination and communication with NetTN Members and NetTN team for problem resolution.
    AT&T Global Customer Support Center (GCSC) Manager
    The AT&T GCSC Manager is responsible for the day-to-day operations of the GCSC. The GCSC Manager is responsible for the infrastructure. The GCSC Manager works with NetTN Member network managers to ensure that the AT&T Security Policy is enforced at all appropriate levels. Responsibilities include:
      • Provides proactive and reactive network administration.
      • Monitors and controls the network, available bandwidth, hardware, and distributed software resources.
      • Responds to detected security incidents, network faults (errors), and user-reported outages when such problems are referred from the help desk or SOC.
  • 14. AT&T GCSC Technicians
    AT&T GCSC technicians use a central repository to archive technical advice and solutions on network systems, software applications assistance, automatic data processing support, hardware exchange, and repair service support. Because they work closely with vendors and outside providers, users and workgroup managers, GCSC technicians must be familiar with the contents of the SMP to facilitate early detection of new vulnerabilities and incidents. Responsibilities include:
      • Determine the type of reported systems problems (within defined response times).
      • Report the status of problem resolution to the affected client, and maintain a historical database on problem resolution.
      • Implement all troubleshooting and maintenance changes.
      • Monitor the status and health of the NetTN Network.
    AT&T CMS Tier 1 Help Desk
    The Help Desk function for the NetTN Network is located in AT&T Help Desk Support Centers. The AT&T Help Desk uses a central repository to archive technical advice and solutions on network systems, software applications assistance, automatic data processing support, hardware exchange, and repair service support. All NetTN partners (except OIR) contact the CMS Help Desk for security and fault management issues. Responsibilities include:
      • Tier one single-point-of-contact help desk to reactively take calls from approved/authorized State of Tennessee end-users: Tennessee Board of Regents (TBR), University of Tennessee System, Private Colleges and Universities, State of Tennessee Department of Education, and City and County governments.
      • Triage incidents from approved/authorized State of Tennessee end-users and route incidents to the appropriate Tier 2 center.
      • Attend the AT&T Life Cycle Management (LCM) service delivery reviews and customer meetings. The requirement is to be prepared to discuss and report on Help Desk activities as they relate to the approved end-users. Recurring customer issues should be referred to the Operations Manager on the LCM team for resolution.
  • 15.
      • Support the reporting of incident management tickets. May use AT&T’s Business Direct to report incident tickets for approved/authorized State of Tennessee End-Users.
      • Help Desk shall be available Monday through Friday 6 a.m. to 6 p.m. CST for SDE K-12, and 6 a.m. to 6 p.m. CST Monday through Saturday for all other NetTN end users.
      • Help Desk shall provide as an option 24x7 support if required by any of the NetTN end users as a separate cost element.
    AT&T Help Desk Technicians
    Help Desk technicians determine the type of reported systems problems (within defined response times), report the status of problem resolution to the affected client, and maintain a historical database on problem resolution. AT&T Help Desk technicians must be familiar with the contents of the NetTN SMP to facilitate early detection of new vulnerabilities and incidents. Responsibilities include:
      • The Help Desk will initiate a trouble ticket, determine the level of support and route the incident to provide action necessary to accommodate the End-User's needs. In the event the service or condition needs to be escalated, the ticket and call will be transferred to Tier 2 support.
      • Ticket prioritization for Critical, Major and Minor troubles based on the following time frames:
        a. Critical Problem Identification shall be immediate:
           1) Level 3 ticket opened, work log entry within 10 minutes
           2) Subsequent entries into work log within 30 minutes
           3) First critical notification within 30 minutes and subsequent critical notifications every hour until the problem is fixed
           4) Critical Problem Fixed: three hours or less
        b. Major Problem Identification shall be immediate:
           1) Level 2 ticket work log generated within 30 minutes
           2) Subsequent entries into log within two hours
           3) Major Problem Fixed: six hours or less
  • 16.
        c. Minor Problem Identification shall be immediate:
           1) Level 2 ticket work log generated within 30 minutes
           2) Subsequent entries into log within four hours
           3) Minor Problem Fixed: eight hours or less
      • Ensure the issue is completely resolved to the reporting End-User’s satisfaction.
      • Provide dedicated 1-800 numbers for contracting State of Tennessee End-Users:
        Customer | Phone Number
        TBR | (888) 820-0341
        K-12 | (888) 820-0345
        UT | (888) 684-3366
        EHE, CHN | (888) 820-0347
        LLG, PBS, PCU, TEM | (888) 269-3248
        OIR | (866) 373-0524 pin # 78283 (GCSC for both MRS & MSS)
      • Supplier will accept tickets via e-mail from authorized State of Tennessee end-users.
      • Problem Reporting responsibilities:
        a. AT&T will provide network management reports to track problem volumes, patterns and trends to the State of Tennessee.
        b. The AT&T LCM team will be responsible for reporting performance metrics to the State of Tennessee.
        c. Standard Ticket Management reporting includes:
           1) Service Level Reporting on Help Desk
           2) Number of tickets per month
           3) ACD Call Detail
           4) Ticket by problem type
           5) Additional reports may be required
        d. All support is provided in English
  • 17. AT&T System Administrators
    System administrators ensure that servers, workstations, peripherals, communication devices, and software are online and are available to support customers. System administrators must thoroughly understand the NetTN mission and must be completely knowledgeable about the capabilities and limitations of the network and about the NetTN Network Security Policy and NetTN Security Management Plan. Responsibilities include:
      • Installs and configures software and hardware
      • Adds, deletes, or modifies user accounts
      • Enforces password control
      • Sets permissions
      • Performs security management functions
      • Coordinates maintenance and changes with the GCSC help desk.
    End-Users
    End-users or Users are defined as any person who has access to the NetTN Network and/or access to internal information or internal information systems. End-users accept some restrictions on their ability to use information systems in the interest of good security controls. End-users are required to abide by all security requirements defined in this document and to familiarize themselves with the NetTN Network Security Plan. End Users may include LCM team members, penetration testers, etc. Responsibilities include:
      • Follows good security practices by protecting against viruses, protecting their passwords, abiding by the specific NetTN Network Security Plan concerning e-mail and the Internet, and otherwise practicing safe computing.
      • Backs up and protects their files.
      • Uses computer resources for authorized purposes only. Users must sign a User Agreement before being granted access to information technology resources.
      • Notifies management if their requirements for access have changed.
      • Reports suspected compromise of good security practices to management.
  • 18.
      • Receives periodic security training.
      • Refrains from penetration testing the NetTN network infrastructure.
    AT&T Managed Security Services (MSS)
    Security for the NetTN Network is provided by AT&T Managed Security Services. The Security management function for the NetTN Network Security Architecture is located in Durham, North Carolina in the Security Operations Center (SOC). MSS personnel are responsible for overseeing security for the NetTN WAN Services. By using firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), fault-correlation software, and vulnerability assessment tools, the SOC monitors all traffic entering and leaving the NetTN Network via the MSS managed Internet Gateway points.
    The AT&T MSS team is made up of 3 primary teams to support various security activities:
      1. Policy Management Team (PMT): The team is responsible for integrating new customers into the AT&T MSS lifecycle process, managing change requests via MACs (moves, adds, or changes), and providing answers to general questions regarding NetTN managed security service.
      2. Incident Management Team (IMT): The team provides initial notification of non-scheduled impact events such as network and hardware failures. Additionally, they support NetTN MSS customers through effective and prompt attention to any Fault Management issue you may encounter with the NetTN managed security service.
      3. Threat Management Service (TMS): The team supports the Intrusion Detection devices and provides written notification either in automated or manual format for events of varying severity. The notification is for monitored traffic and is reported per the level contract. In the event of potential compromise the client will be engaged via phone and a qualified analyst will aid in mitigation.
    These three teams contain various security experts, including Firewall Engineers, IDS Engineers, and Information Assurance Security Analysts, which are described below.
  • 19. Firewall Engineer
    The Firewall Engineer ensures that all applicable operating system patches and software revisions are installed. The GCSC Firewall Engineer provides oversight for the maintenance of the NetTN Firewall Enforcement Policy and serves as a resource for handling violations of that policy. Responsibilities include:
      • Maintains firewall rule enforcement policy & configuration.
      • Conducts periodic firewall enforcement policy reviews to ensure compliance with network security procedures.
      • Evaluates known firewall vulnerabilities to see if additional safeguards are needed.
      • Troubleshoots firewall related problems
      • GCSC Firewall Engineers support firewalls accepted into GCSC maintenance (including when a new site is added into an existing virtual firewall instance). A different (non-GCSC) firewall engineering team is focused on provisioning new firewall CMA builds for new NetTN partners.
    Network Intrusion Detection Systems (IDS) Engineer
    The Network Intrusion Detection Systems Engineer ensures that all applicable operating system patches and software revisions are installed. The Network Intrusion Detection Systems Engineer provides oversight for the design & maintenance of the NetTN IDSM blades and serves as a resource for design changes. Responsibilities include:
      • Maintains IDS equipment design & configuration.
      • Creates IDS design diagrams and engineering specifications
      • Troubleshoots IDS related problems
    Information Assurance (IA) Security Analysts
    IA Security Analysts work in the SOC and employ firewalls, intrusion detection systems, intrusion prevention systems, fault correlation software, and vulnerability assessment tools, to enhance the security of the NetTN Network.
  • 20. The IA analysts perform proactive security functions to assist NetTN Association Partners in deterring, detecting, isolating, containing, mitigating and recovering from information system and network security intrusions. The IA Security Analysts also monitor and direct proactive and reactive network information protection defensive measures to help ensure the availability and integrity of the NetTN Network. Responsibilities include:
• AT&T Managed Security System maintenance – Operating system updates, configuration changes, etc.
• Monitors – Review, oversee, and manage configuration of IDS/IPS and firewall operations.
• Event Resolution – Identify vulnerabilities and proactively prevent attacks through MSS managed platforms.
• Audits – Maintain and review log files collected from security devices identified as part of the NetTN network and managed by MSS.
• Ensures that logical measures to protect the network/data are in effect and that measures to protect sensitive data processing are implemented.
• Reviews security policy changes to identify any potential for network security degradation or compromise.
• Investigates network security events identified by the MSS managed devices.
• Reports network security violations.
• Recommends mitigation activities in the event a network compromise is detected.
• Monitors the system recovery processes to assure that security features are correctly restored. This pertains to MSS managed security devices only.
• Notifies the Security Incident Response Teams (SIRT), which are dedicated to handling security incidents.
• Implements the NetTN Security Policy (including IDS signature selection & shunning) on the MSS managed devices in accordance with the requirements as specified by the customer.
• Provides security guidance for information systems within the AT&T GCSC Team.
• Assists in coordination with AT&T GCSC staff on security-related matters.
  • 21. Customer Responsibilities
NetTN customers are responsible for safeguarding the security of their enterprise, their data, and any connection to the NetTN Network from loss, disclosure, unauthorized access or service disruption. The customer is expected to promptly notify AT&T of any actual or suspected security incidents or vulnerabilities relating to NetTN services of which the customer becomes aware. Prompt notification is required if the customer believes that an unauthorized party has obtained access to the customer's user identifications and passwords, personal identification numbers or tokens.

Each NetTN Partner should have a security policy defined and a security program in place to support the policy. The program should address, at a minimum, physical and logical security, and confidentiality of data. The State of Tennessee Security policy is located at http://Tennessee.gov/finance/oir/security/secpolicy.html. The State of Tennessee Chief Security Officer is the owner of the security policy and program.

The NetTN customer's security obligations include, but are not limited to:
• Responsible for gathering firewall & IDS business requirements and memorializing them within NetTN Technical Provisioning Documents for each newly built security asset.
• Responsible for submitting Business Direct MACs to maintain firewall enforcement policies where required.
• Responsible for maintaining URL filtering (white list & black list) policies where required.
• Responsible for defining IDS shunning policy where required.
• Responsibility for protecting the customer's confidential information from disclosure.
• Responsible for defining & provisioning State employee and/or Partner user access to Business Direct security applications.
• Responsibility for the management of customer data, content and transaction information stored on or transmitted over the NetTN Network, e.g., backup and restoration of data, erasing data from disk space that customer controls.
• Responsibility for the selection and use of appropriate services and security features and options to meet the customer's business and security requirements, such as encryption to protect privacy of personal information.
• Responsibility for developing and maintaining appropriate management and security procedures, such as physical and logical access controls and processes (e.g., application logon security, including unique user identifications and passwords/pins/tokens complying with prudent security policies) on any customer provisioned and managed networked devices and systems.
  • 22. • Responsibility for the protection and physical security of devices and systems on the customer's premises, including preventing unauthorized sensors, sniffers and eavesdropping devices from being installed on the customer's premises.
• Responsibility to ensure no security testing or scanning, etc., sourced by the customer occurs on network or application components outside the responsibility and ownership of the customer.
• Responsibility to ensure that its End-Users comply with applicable law and also with the State of Tennessee Acceptable Use Policy in using any service offered by NetTN that is provided over or includes access to the Internet.
• Responsibility for the acts and omissions of the customer's End-Users of any service obtained from NetTN.
• Responsibility to notify AT&T promptly of any security breaches detected by the customer related to the services provided by the NetTN Network.

OIR Integrated Help Desk (IHD)
The OIR Integrated Help Desk takes user calls on a great variety of support issues. The primary responsibility for the IHD in reference to NetTN support is the resetting of Remote Access Platform (RAP) account passwords. All other calls received regarding NetTN issues are escalated to the Network Operations & Security Center (NOSC).

OIR Network Operations & Security Center (NOSC)
The Network Operations and Security Center’s primary role regarding NetTN is to provide a liaison between the NetTN GCSC technicians and OIR agency end users. The NOSC maintains POC (point of contact) information for all State of Tennessee service locations, and works directly with both NetTN and the State customers who are experiencing any of a number of communication issues. Responsibilities include:
• Reports latency and high utilization issues to NetTN for further investigation.
  • 23. • Assists in the coordination of technicians’ access to facilities when a dispatch is required.
• Works in conjunction with Security Policy and Audit to identify potential security threats and reports them to NetTN for further investigation and isolating actions when needed.

NetTN Program Office
Beyond contract management, the NetTN Program Office is responsible for governance & oversight of the NetTN environment from a security perspective. Responsibilities include:
• Oversight of NetTN enterprise security, including engineering & operational support
• Oversight of NetTN penetration testing program
• Oversight of security management reporting (break/fix and incident response)
• Administration of Business Direct Portal for NetTN End-User access
  • 24. AT&T NetTN Security Program

Security Standards & Policy
AT&T has developed and maintains a comprehensive set of security standards based in part on similar leading industry standards (COBIT, ISO/IEC 27001:2005, etc.). The library of AT&T security standards is continually re-evaluated and modified as industry standards evolve and as circumstances require. In addition, operating procedures, tools and other protective measures are regularly reviewed to ensure the highest standards of security are observed throughout the Corporation.

AT&T’s corporate security policies and standards are proprietary to AT&T and are not generally disclosed to any organization or entity external to the AT&T corporate family. Maintaining the confidentiality of this information is, in itself, a facet of our security program that protects AT&T customers. However, for the purposes of this contract, NetTN specific policies have been developed and articulated within this Security Management Plan document.

Confidentiality
To ensure confidentiality, information is accessible only to those authorized. AT&T has implemented a three-tiered Information Classification framework for categorizing information based on sensitivity of the content and specific legal requirements. Document markings are specified for each data classification in order to identify the means and levels of protection required to safeguard information in each classification.

Sensitive customer information, especially that related to the provision and administration of NetTN services, is accorded significant protections, including encryption (where permitted by law) when stored or transmitted on untrusted networks.

Customer information managed by AT&T is further protected by requiring personnel to commit to a standard confidentiality agreement on commencement of their employment, and a code of business that assigns severe penalties to violations of these commitments.
  • 25. AT&T employs information and data destruction and sanitization procedures to ensure that electronic and hard media containing proprietary data and information are physically destroyed or shredded, or properly erased or wiped according to commercially accepted practices, when the media or hard copy leaves the control of the company or is no longer required for business purposes. Equipment containing storage media is checked to ensure that any proprietary data and licensed software have been removed or securely overwritten prior to disposal.

Network Segmentation Control Measures
The NetTN Network consists of the WAN infrastructure backbone equipment beginning at the Internet Border Router (IBR) and through to the Customer Edge Router (CE Router), which is used to connect organizational LANs to the NetTN Network managed by AT&T GCSC. NetTN is a layer-3 VPN delivery structure, set up in accordance with principles and constructs as set forth in RFC 4364. An MPLS core is used to provide a platform for VPN deployment across a common IP infrastructure.

Communication and information services entering and exiting End Sites via the NetTN infrastructure fall under the operational control of the GCSC. Organizational LANs connect to the NetTN Network for Intranet and Internet connectivity. These LANs provide office automation services for the member agencies and are managed by NetTN Association Member system administrators. Organizational LANs normally include servers (file, mail, and Web), networking devices (routers, bridges, and the like), media, user workstations, and printers.

Each of the Nashville and Knoxville NAPs has a pair of redundant Crossbeam X80 firewalls in a High-Availability configuration. In addition, each NAP has dual Egress PE routers, or External Gateway Routers (EGR), and dual Internet Border Routers (IBR) to provide redundant connectivity to the Crossbeam HA architecture.
  • 26. NetTN Strategic VRFs
The NetTN core has 10 strategic user VRFs assigned to the TN Associated Partner networks:
1. E-health
2. Office of Information Resources (OIR)
3. Community Health
4. Tennessee Board of Regents (TBR)
5. University of Tennessee (UT)
6. Libraries and Local Government (LLG)
7. K-12 (includes multiple discrete Checkpoint VSX instances)
8. Private Community Colleges & Universities (PCU)
9. Public Broadcasting Systems (PBS)
10. Tennessee Emergency Management Agency (TEM)

NetTN Dirty VRFs
A ‘dirty’ VRF (virtual routing and forwarding network) is a type of user VRF that is considered unfiltered by the NetTN security infrastructure. All traffic originated from non-secure/un-trusted remote access methods, such as via the AT&T mobility network or ANIRA dial-up access, must be routed across the MPLS core to the firewall demark. This traffic must remain separate from the trusted ‘clean’ traffic prior to it being processed through the security infrastructure.

Example Data Path: ANIRA Dialup User > Dirty VRF (untrusted zone) network & firewall > Corresponding NetTN Partner network & firewall (trusted zone)
  • 27. Physical Access Control Measures
AT&T operates in a highly secured environment where physical access to staff office space, switching centers, global network and service management centers and other network facilities is strictly monitored and controlled. AT&T employs many strategies to safeguard these assets by:
• Limiting and monitoring physical access to, and movement throughout, AT&T facilities through the use of physical monitoring and intrusion detection systems.
• Screening access through the use of trained security personnel and/or technical means such as automated card access systems and biometric screening systems.
• Conducting periodic in-depth Physical Security surveys and audits of its facilities and locations.

Logical Access Control Measures
Logical access controls are based on the principle of "Least Privilege". A user who needs access to AT&T's and customers' systems must have a current business requirement, must be allocated a unique identifier (a User ID), and must verify that they are who they claim to be. The following control processes are used to manage logical access:
• Authentication is the process of proving a claimed identity to the satisfaction of an access permission-granting authority. All individual users must be positively and uniquely identified prior to granting access. Authentication of the user is achieved utilizing several methods such as passwords, personal identification numbers (PIN) and tokens.
• UserIDs and accounts must be reviewed regularly by system and network administrators or access providers to verify that continued authorization and associated command and data access permissions are appropriate for the person's respective job responsibilities. If a valid business reason does not exist for the continuance of such privileges, the access must be removed.
• The "Least Privilege" principle ensures that all access to computer resources is restricted to only the commands, data and systems necessary to perform the authorized functions.
• Security administration of access control measures restricts access to sensitive information by authorized personnel and system network processors, and limits the ability to set, modify or disable system security functions. Privileged access to systems and network elements is tightly controlled.
  • 28. • Audit logging provides a record for each successful and unsuccessful access attempt. Suspicious access attempts are recognized as security violations and reported. Repeated failed attempts result in the blocking of access.
• All passwords for user authentication (employee, contractor, business partner, etc.) must conform to established rules that specify minimum number and types of characters, uniqueness from previous user passwords, uniqueness from user name or dictionary words, avoidance of repeated characters, limitations on sharing or group use, etc. The passwords must also be changed at regular intervals.

Network Element Access Controls
Current industry tools are utilized for managing the authentication and approval of support personnel to access network routers in the NetTN network. Access is provided to AT&T technical support personnel only on an as-needed basis for individuals with responsibility for network element maintenance and support. Access is controlled by an authenticating server that validates and verifies user access, ensuring that only personnel currently responsible for managing the customer networks have access. All access to the customer premises devices is logged, and repeated failed login attempts are flagged and result in blocking of the offending accounts.

Passwords for routers are changed at regular intervals and comply with State of Tennessee and AT&T internal password policies. Passwords on routers, or their management application, are also reviewed whenever an employee possessing such a password ceases to be employed or has been re-assigned. When strong authentication is required, two-factor token-based authentication is available for access to customer’s managed elements.

Access Validation Process
Only those AT&T personnel with a current business need are authorized physical and logical access to facilities and systems. All managers are obligated to remove staff accesses (physical and logical accesses) upon staff re-assignment or termination of employment. As a control measure, physical and logical accesses are revalidated regularly at defined time intervals. The owner or operator of the network elements or of the facility is obligated to conduct the revalidation of personnel accesses with their supervising manager to ensure that the staff continues to have a legitimate business requirement for the access.
  • 29. Network Perimeter (Firewall) Protection
AT&T external network connections are protected by firewalls that screen incoming and outgoing traffic based on source and destination address, protocol and port, in accordance with the security policy. In particular, Internet connections and Extranets are protected by firewalls and demilitarized zones (DMZs) that block any direct network routing between the Internet and internal AT&T networks. External customer and partner connections to the NetTN network are protected by access controls (such as access control lists or network based firewalls) that screen incoming and outgoing packets to ensure only authorized traffic is allowed.

NetTN Core Security Design
[Figure: NetTN Core Security Design. Labels: Primary Internet Path; Backup Internet Path; AT&T (ISP); LC (ISP); Nashville NAP and Knoxville NAP, each with IBR1, IBR2, EGR1 and EGR2; NetTN Core Infrastructure with LLG, K12, cHLTH, TBR, UT, eHLTH, CMNSVCS and OIR.]
  • 30. Virtual Firewalls
The Crossbeam firewall has the ability to logically segregate security policy and firewall blades within a single chassis into multiple virtual firewall instances. These virtual firewall instances are called Virtual Systems (VSX). The NetTN core network provides VPN services to more than 47 strategic VRFs. Therefore, each NetTN user VRF and NetTN dirty VRF will have a dedicated connection to the Crossbeam chassis and a dedicated VSX firewall instance.

The configuration of the Checkpoint VSX firewalls for a member’s network is established to protect the WAN connectivity between that end-site and the Internet. At a minimum, AT&T recommends default/implied configurations that:
• block all inbound traffic from outside the NetTN wide area network infrastructure from and to RFC 1918 Intranet addresses;
• block all inbound traffic with source addresses of locally assigned IP addresses (local to NetTN clients);
• block all outbound traffic from non-locally assigned IP addresses, to prevent internal users from generating IP spoofing attacks; and
• block all loose and strict source-routed packets at every router.

Firewall enforcement policy is the sole responsibility of the customer. In many cases, NetTN Association Partners have requested, and been provisioned with, unrestricted VSX firewall enforcement policies due to business requirements including, but not limited to, asymmetrical routing needs and support of customer managed perimeter firewalls.

For Partner networks that have opted for securely-configured firewall enforcement policies, all attempted violations of the RFC 1918 address or spoofing filters are logged, and these logs should be provided to the appropriate NetTN Operations Group for interfacing directly with the End-User on a daily basis.
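The four recommended default filters above, applied to packets in an added Python example (not AT&T's or Check Point's configuration, and not part of the original plan). The local prefix 198.51.100.0/24, the `Packet` type and the sample traffic are constructed assumptions; the per-reason summary is the kind of figure a daily review of the violation logs would start from.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed assumption: address space assigned to one NetTN client site.
LOCAL_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IPv4 option type values for loose and strict source routing (RFC 791).
LSRR, SSRR = 131, 137


@dataclass(frozen=True)
class Packet:
    direction: str          # "inbound" = arriving from outside the WAN, "outbound" = leaving it
    src: str
    dst: str
    ip_options: tuple = ()  # IPv4 option type numbers present in the header


def in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def evaluate(pkt):
    """Apply the four baseline rules and return (action, reason)."""
    if pkt.direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction: {pkt.direction!r}")
    # Source-routed packets are dropped regardless of direction.
    if LSRR in pkt.ip_options or SSRR in pkt.ip_options:
        return ("drop", "source-routed")
    if pkt.direction == "inbound":
        # Private addressing must never arrive from, or be addressed via, the outside.
        if in_any(pkt.src, RFC1918) or in_any(pkt.dst, RFC1918):
            return ("drop", "rfc1918")
        # An outside packet claiming a local source address is spoofed.
        if in_any(pkt.src, LOCAL_PREFIXES):
            return ("drop", "spoofed-local-source")
    else:
        # Egress filtering: only locally assigned sources may leave.
        if not in_any(pkt.src, LOCAL_PREFIXES):
            return ("drop", "non-local-source")
    return ("permit", "baseline-ok")


def violation_summary(packets):
    """Count dropped packets per reason."""
    results = (evaluate(p) for p in packets)
    return Counter(reason for action, reason in results if action == "drop")


# Constructed sample traffic using documentation address ranges, not real hosts.
SAMPLE = [
    Packet("inbound", "203.0.113.9", "198.51.100.10"),
    Packet("inbound", "10.1.2.3", "198.51.100.10"),
    Packet("inbound", "203.0.113.9", "192.168.1.5"),
    Packet("inbound", "198.51.100.7", "198.51.100.10"),
    Packet("outbound", "198.51.100.7", "203.0.113.9"),
    Packet("outbound", "203.0.113.50", "192.0.2.1"),
    Packet("outbound", "192.168.1.5", "203.0.113.9"),
    Packet("outbound", "198.51.100.7", "203.0.113.9", (LSRR,)),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.direction, pkt.src, "->", pkt.dst, evaluate(pkt))
    print(dict(violation_summary(SAMPLE)))
```

A Partner provisioned with an unrestricted enforcement policy gets none of these drops, so its traffic would pass every case in the sample.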
  • 31. Intrusion Detection
The Cisco IDSM provides network-based intrusion detection that transparently monitors network traffic to detect and respond to network-based attacks. It operates on the high-speed back plane of the NetTN Network’s high performance equipment. It is capable of accepting new attack signature definitions and is set up at each NAP in Nashville and Knoxville. The Cisco IDSM2s are mated for each internal NetTN entity as appropriate. The IDSM modules are managed by the AT&T Managed Security Services (MSS) team.

The Cisco IDSMs are configured to perform logging of selected network activity that is deemed suspicious. Logs are monitored, analyzed and used in conjunction with any and all reporting methodologies and requirements mandated by Security Policy.

IDS Features:
• The IDS system performs shunning inbound and outbound for the OIR10 NetTN Virtual Private Network (VPN). Shunning allows an IDS event (based on a signature match) to be automatically blocked by a router ACL for a customer-defined length of time.
• Many IDSM sensors are dedicated to specific partners, while others are shared (see the NetTN IDSM diagrams below for sensor to partner assignments).
• For each of the 19 IDSM sensors, several distinct IDS metric reports are available for daily, weekly or monthly time windows.
• Reports can be found in the AT&T Business Direct customer portal and are retained historically for one year.
• The IDS system creates near real-time Threat Management Alert emails that can be sent to an alerting distribution list. Each sensor can have a separate email distribution list. Customers can submit an MSS MAC change request to be added or removed from any sensor distribution list.
• See the Reporting section for more details on Business Direct and Threat Alert emails.
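Shunning as described above, modelled in an added Python example (not the Cisco IDSM implementation and not part of the original plan): a signature match installs a source block that lapses after a customer-defined duration. The `never_shun` exemption list, the signature IDs, the addresses and the IOS-style ACL rendering are constructed assumptions; the exemption is included because an automatic block triggered by a forged source address could otherwise cut off a management host.

```python
import ipaddress


class ShunTable:
    """Time-limited source blocks driven by IDS signature matches."""

    def __init__(self, duration_s, never_shun=()):
        self.duration_s = duration_s  # customer-defined block length, in seconds
        self.never_shun = [ipaddress.ip_network(n) for n in never_shun]
        self.blocks = {}              # IPv4Address -> (expiry time, signature id)

    def on_event(self, now, src, signature_id):
        """Record a signature match; return True if a block was installed."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.never_shun):
            return False  # exempt hosts are alerted on but never blocked
        # A repeat match restarts the timer for that source.
        self.blocks[ip] = (now + self.duration_s, signature_id)
        return True

    def expire(self, now):
        """Remove blocks whose timer has run out; return the released addresses."""
        expired = sorted(ip for ip, (expiry, _) in self.blocks.items() if expiry <= now)
        for ip in expired:
            del self.blocks[ip]
        return [str(ip) for ip in expired]

    def acl_lines(self, now):
        """Render the active blocks as IOS-style deny entries (illustrative form)."""
        self.expire(now)
        return [f"deny ip host {ip} any" for ip in sorted(self.blocks)]


def replay(events, duration_s, never_shun, checkpoints):
    """Feed (time, source, signature id) events in order and snapshot the ACL."""
    table = ShunTable(duration_s, never_shun)
    pending = sorted(events)
    snapshots = {}
    for t in sorted(checkpoints):
        while pending and pending[0][0] <= t:
            ts, src, sig = pending.pop(0)
            table.expire(ts)
            table.on_event(ts, src, sig)
        snapshots[t] = table.acl_lines(t)
    return snapshots


# Constructed events: (seconds since start, source address, signature id).
SAMPLE_EVENTS = [
    (0, "203.0.113.5", 1001),
    (100, "203.0.113.77", 1002),
    (200, "192.0.2.10", 1001),   # falls inside the exempt management range below
    (500, "203.0.113.5", 1001),  # repeat offender, timer restarts
]

if __name__ == "__main__":
    result = replay(SAMPLE_EVENTS, 600, ["192.0.2.0/28"], [300, 800, 1200])
    for t, lines in result.items():
        print(t, lines)
```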
  • 32. NetTN IDSM Management & Shunning Network Architecture
[Figure: Nashville NAP details. Labels: Shunning Interface (ACL applied); EGR-Crossbeam; Crossbeam-IBR; OIR inside vlan (Vlan 1310); OIR outside vlan (Vlan 2310); VRF Vlan 1310/1399; OIR10 VPN; Internet; NSHEGR1, NSHEGR2, NSHIBR1, NSHIBR2; Nashville IDSM Mgmt DMZ - Vlan 72.]

Outbound Security Policy (access-list):
• Deny ALL IP traffic to EGR v72 interfaces
• Allow AT&T Mgmt IP Hosts to IDSM
• Allow IBR-IDSM traffic
• DENY IP ANY ANY

IDSM Modules:
• MIDTEN01K (NSHEGR1 Slot 2)
• MIDTEN02K (NSHEGR1 Slot 8)
• MIDTEN03K (NSHEGR2 Slot 7), Master Blocking Sensor
• MIDTEN04K (NSHEGR2 Slot 8)

AT&T LABS - Tim Range; MSS - Bob Hermes; Last Update – 07/15/09
© 2008 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
  • 33. NetTN IDSM Layout
[Figure: NetTN IDSM Layout. Two panels, Nashville IDSMs and Knoxville IDSMs, each showing IBR1, IBR2, EGR1 and EGR2 (6509) chassis around a Firewall Complex, with the IDSM module slot numbers, sensor names and the partner networks each sensor monitors.]
  • 34. NetTN IDSM Sensor Traffic Assignments

| Sensor Name | Location | IP address | Agency | Active/Standby |
|---|---|---|---|---|
| MIDTEN01S | NSHEGR1 Slot 2 | | OIR & OIRd | Active |
| MIDTEN02S | NSHEGR1 Slot 8 | | OIR & OIRd | Active |
| MIDTEN03S | NSHEGR2 Slot 7 MBS | | OIR & OIRd | Active |
| MIDTEN04S | NSHEGR2 Slot 8 | | OIR & OIRd | Active |
| MIDTEN05S | KNXEGR1 Slot 7 | | OIR & OIRd | Standby |
| MIDTEN06S | KNXEGR1 Slot 8 | | CHLTH, K-12, LLG | Standby |
| MIDTEN07S | KNXEGR2 Slot 8 MBS | | OIR & OIRd | Standby |
| MIDTEN08S | KNXEGR2 Slot 9 | | CHLTH, K-12, LLG | Standby |
| MIDTEN09S | KNXEGR1 Slot 9 | | Spare | Standby |
| MIDTEN10S | NSHEGR1 Slot 1 | | OIR & OIRd | Active |
| MIDTEN11S | NSHIBR1 Slot 7 | | EHLTH, CHLTH, K-12, LLG, TBR | Active |
| MIDTEN12S | NSHIBR1 Slot 8 | | EHLTH, CHLTH, K-12, LLG, TBR | Active |
| MIDTEN13S | NSHIBR2 Slot 8 | | EHLTH, CHLTH, K-12, LLG, TBR | Active |
| MIDTEN14S | NSHIBR2 Slot 9 | | EHLTH, CHLTH, K-12, LLG, TBR | Active |
| MIDTEN15S | KNXIBR1 Slot 7 | | TBR, EHLTH | Active |
| MIDTEN17S | KNXIBR1 Slot 8 | | TBR, EHLTH | Active |
| MIDTEN18S | KNXIBR2 Slot 8 | | TBR, EHLTH | Active |
| MIDTEN19S | KNXIBR2 Slot 9 | | TBR, EHLTH | Active |

Workstation Security Management
The workstation security policies protect AT&T and customer assets through a series of processes and technologies including verification of personnel workstation accesses, PC anti-virus protection, Operating System hardening and updates, full disk encryption where permitted by law to protect sensitive information on portable assets, along with a personal firewall intrinsic to remote access software implemented on workstations or portable PCs that remotely connect to the NetTN network.

Securing of the personal computer while in use is further managed by the requirements for power-on passwords, hard drive passwords where possible, and password-protected keyboard or screen-locks that are automatically triggered through inactivity. Management at AT&T is responsible for ensuring compliance with these policies.
  • 35. AT&T workstations are required to have active, up-to-date "anti-virus" software. AT&T's antivirus software vendor regularly provides virus signature updates, which are propagated automatically to workstations across the Corporation. Furthermore, security advisories forwarded by the AT&T global security organization provide key AT&T personnel with details on virus warnings, new security patches and newly discovered vulnerabilities. The anti-virus vendor provides updates almost every business day as well as during virus outbreak emergencies; these updates are propagated automatically throughout the Corporation.

Security Status Checking, EVM & Penetration Testing
AT&T conducts regular tests and evaluations to ensure that security controls are maintained and are functioning in accordance with policy. These initiatives include Security Status Checking, Vulnerability Testing & Penetration Testing. Results from these activities are reviewed and tracked to ensure timely remediation and follow-up actions.

Security Status Checking
• Status Checking is performed on a regular basis to review and verify system security settings, computer resource security settings and status, and users having security administrative authority or system authority.
• Status Checking also includes the testing of network elements to ensure the proper level of security patches, to ensure that only required system processes are active, to ensure the existence and retention of activity logs, and to verify support personnel accesses.
• Validation of server compliance to AT&T security policy is conducted on a regular basis on AT&T servers.

Enterprise Vulnerability Management Program (EVM)
Vulnerability Testing (known as the Enterprise Vulnerability Management Program) is performed by authorized AT&T personnel to verify whether controls can be bypassed to obtain any unauthorized access.
  • 36. • Vulnerability tests to evaluate the level of safeguards on network components are performed utilizing authorized leading-edge testing tools.
• EVM vulnerability scans are performed on the NetTN network weekly.
• In addition to AT&T-developed tools, leading-edge scan tools from recognized commercial software providers are used by AT&T for network, computer host and application scans.
• AT&T uses McAfee Foundstone Enterprise, a comprehensive solution that uses threat intelligence and correlation to immediately determine how emerging threats affect risk profile. The appropriate resources can quickly be deployed where they are needed most. The loop closes with remediation tracking and reporting.

Penetration Testing
Network or computer security analysis is commonly referred to as penetration testing, intrusion testing, sweeps, profiling, and vulnerability analysis. Performing security analysis of the NetTN network or AT&T computers or applications is the responsibility of AT&T.
• NetTN Penetration Testing is performed bi-annually by an independent third party.
• Penetration Testing is used to baseline NetTN asset security & perform trend analysis.
• Penetration Testing may include theme development and different attack scenarios.
• Penetration Testing does not test customer assets or customer-defined firewall enforcement policies.
• All NetTN network & firewall assets are typically in scope.
• AT&T coordinates Penetration Testing closely with the NetTN Program Office & discloses findings and remediation efforts.

Security Status Reporting
Information regarding the security status of the NetTN infrastructure and services is managed and communicated as requested by the NetTN Program Office. Results of security health checking, vulnerability testing and penetration testing are tracked and reported by the security programs responsible for compliance management of those activities. Security status, as well as progress on security initiatives, is combined with threat intelligence gathered through trend analysis and reported to security organization executives.
  • 37. Security program managers share security status information to ensure alignment of program objectives and prioritization of efforts. This disciplined sharing of security status information and reporting enables AT&T to achieve synergy and cooperation among security teams and appropriate management attention on our overall security posture.

Risk Management
AT&T’s approach to identifying and mitigating network and application vulnerabilities is formalized in the Risk Management program. When vulnerabilities are identified, they are assessed as to severity, potential impact to AT&T, NetTN and its customers, and likelihood of occurrence. Plans are developed, implemented and tracked to address vulnerabilities within prescribed timeframes according to security policy. When business needs preclude timely resolution, the risk level is documented and mitigating controls are put in place where practicable. AT&T executives are expressly accountable for unmitigated vulnerabilities and accept responsibility for the potential risk.

AT&T coordinates risk management efforts with the NetTN Program Office and Partners to address threats and risks to each customer’s environment. Examples include assembling a Tiger Team to address K-12 URL filtering issues and providing security resources to facilitate firewall lock down strategies for Partners. Other risks may be socialized with the Program Office through the change control (CR) process, where engineering changes are required to mitigate technology risk.

Security Advisory Process
AT&T utilizes an internal global process to acquire and distribute security advisories, coupled with compliance and review processes as a follow-up to these advisories. The advisories originate from industry security organizations, equipment and systems suppliers. They predominantly consist of newly identified flaws in established network software, systems and equipment which could potentially allow unauthorized users to bypass access controls and/or gain access to data.

AT&T continually reviews security patch and vulnerability announcements from vendors and organizations such as CERT for all managed components. The security integrity and advisory process oversees that security patches are applied to network systems in a timely manner. Each security advisory is categorized, assigned a severity rating and published by the AT&T global security organization, which, in turn, dictates the timeframe within which the vulnerability must be resolved.
  • 38. Security Incident Reporting and Management

A security incident can be defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Security incidents may result from intentional or unintentional actions. Examples of security incidents include unauthorized attempts to gain access to information, introduction of malicious code or viruses, loss or theft of computer media, and failure of a security function to perform as designed.

Incident Response Plan

The NetTN Incident Response Plan provides a framework for the NetTN Program Office, in conjunction with Association Partners, to escalate to the appropriate resources within AT&T to coordinate a network security incident response effort.

The AT&T global network operation centers maintain 24 x 7 real-time security monitoring of the NetTN network for investigation, action and response to network security events. AT&T’s NetTN Threat Management platform and program provides real-time data correlation, situational awareness reporting, active incident investigation and case management, trending analysis, and predictive security alerting.

In the event of a security incident, AT&T identifies the level of the potential impact and notifies at-risk NetTN designated customer contacts via email threat management alerts. Incidents are reported to AT&T’s senior management to draw attention to the types of attacks reported by our incident response team as well as other noteworthy incident and vulnerability information.

The NetTN Incident Response Plan does not specifically address physical disruptions to, or the loss of, information, automated information systems or networks as a result of manmade or natural disasters impacting the NetTN information infrastructure.
While the NetTN Incident Response Plan is described here, the plan is partially maintained in a separate document that contains:
  • 39.
    • Organizational Structure (roles and responsibilities)
    • Current Department, Team, and Escalation Contact Lists
    • Incident Declaration and Response Procedures
    • Services Provided
    • Incident Severity Definitions

State of Tennessee Security Incident Response Team

In support of the State of Tennessee’s Enterprise Information Security Policy, section 4.2, AT&T NetTN Team resources (LCM, GCSC, MSS) will participate in the State’s Security Incident Response Team (SIRT) as appropriate.

AT&T Incident Response Analysts

The Information Assurance (IA) Security Analysts at the AT&T GCSC will use automated tools to help identify intrusions into, or attacks on, the network infrastructure. These tools will be configurable to provide immediate notification to a security monitoring console in the GCSC and notification of appropriate personnel.

Incident Management Guidelines

This section provides guidelines for the effective handling of security incidents. Incidents may include network attacks directed against NetTN managed assets, or customer assets connected to the NetTN infrastructure.

    • When a NetTN end-site has an issue with the Managed Security Service (for example: customer can’t access a service that is allowed in the firewall policy, slow response, etc…), the Incident Management Team is available to resolve issues in a proficient manner.
    • The MSS Incident Management associate will open a ticket to track the issue, provide the ticket number to the Security Contact, and will begin investigating the issue.
    • If the MSS Proactive Monitoring Tools detect an issue/outage with the Managed Security equipment (transport circuit drops, firewall stops responding to a poll, etc.), an Incident Management associate will contact ASAP the authorized Security Contact (LCM Operations team in many cases) that is designated as an “Outage” contact to provide a ticket number and any update to the issue.
  • 40.
    • The MSS team will provide updates of issues to the Security Contact as they develop.

Incident Management Escalation/Notification Process

    • Clients can request status of an active maintenance issue based on the information and time frames set forth in the table below.
    • The Team Lead is available Monday – Friday from 0700 – 1600. The Escalation Manager is available outside of these hours.
        a. Dial the standard toll free service number and prompts that you have been provided.
        b. Ask to be connected to the MSS Tier II Team. (This is the level two center for Security Services.)
        c. When you reach an associate, ask to contact the appropriate level of management based upon your issue, as listed below.

| Time Frame | Escalation Contacts | Escalation Mgr. |
|---|---|---|
| No resolution in 30 minutes | Incident Management Team Lead | Shift Team Lead on Duty |
| No resolution in 1 hour | Security Managers | Shift Supervisor on Duty |
| No resolution in 2 hours | Operations Manager | Operations Manager on Duty |
| No resolution in 3 hours | Group Manager | Ihab Youssef |
| No resolution in 4 hours | Security Services Director | Matt Lucas |

For after hours Notification/Escalation, the team personnel will contact the appropriate level of management to address the problem.
  • 41. Threat Management Guidelines (includes Intrusion Detection)

    • The best and preferred method to reach the Threat Management Team to resolve an issue is to call the issued customer support numbers listed in this document. This method will bring prompt attention to your issue.
    • The Threat Management Analyst will open a ticket to track the issue, provide the ticket number to the customer and will begin investigating the issue.

Threat Management Escalation Procedure

    • Clients can request status of an active maintenance issue based on the information and time frames set forth in the table below.
    • While working an outage, the following Escalation/Notification table will be strictly adhered to.
    • The Team Lead is available Monday – Friday from 0700 – 1600. The Escalation Manager is available outside of these hours.
        a. Dial the standard toll free service number and prompts that you have been provided.
        b. Ask to be connected to the GCSC. (This is the Level Two Center for Security Services.)
    • When you reach an associate, ask to contact the appropriate level of management based upon your issue, as listed below.
  • 42. MSS Contacts and Escalation

| Title / Role | Name | Office | Email | Escalation Time |
|---|---|---|---|---|
| MSS Daily Operations Notification | MSS Help Desk | 1-800-727-2222 Prompt 8, 2 (Managed FW, Proxy, or Anti-Virus) | Managed.security@ems.att.com | Immediate |
| MSS Off Shift Managers | MSS Help Desk will contact the MSS Off Shift Manager | | | 30 Minutes |
| AT&T MSS Critical Situation Manager / Operations Manager | MSS Help Desk will contact the AT&T MSS Critical Situation Manager / Operations Manager | | | 30 Minutes |
| MSS Director Network Operations | Ihab Youssef | (919) 474-1525 | iyoussef@ems.att.com | 3 Hours |
| Executive Director | Matt Lucas | (949) 221-1930 | mlucas@ems.att.com | 4 Hours |
  • 43. Incident Management Reporting

Significant security incident responses include a follow-up report to the NetTN Program Office. These follow-up reports will describe the nature of the incident, resolution, countermeasures taken, and suggested configuration changes to prevent future incidents.

Threat Management Email Alerts

Reporting of newly discovered vulnerabilities and incidents ensures the containment of impacts, recovery of network availability, identification of breach and perpetrator, and countermeasure implementation. Detected issues (attacks & malicious code propagation) are delivered in near real-time to designated email recipients in the form of IDS and Firewall Threat Management Alerts.

Security Reporting

Overview

Security reporting provides intelligence to senior management. It also provides quantitative costs and benefits of security. The reporting should align with NetTN goals and policy; provide data regarding residual risks and highlight significant trends and events. These reports are to help make strategic security decisions.

Security reports are provided by the NetTN LCM Team and use standard reports from the AT&T Managed Security Services tools.

Business Direct

Security reports are made available to the NetTN Association Partners through the AT&T BusinessDirect web portal. The reports are updated daily.
  • 44. These reports include:

    • Critical intrusion detection system events:
        a. Top 20 IDS Events by Destination IP
        b. Top 20 IDS Events by Service
        c. Top 20 IDS Events by Signature
        d. Top 20 IDS Events by Source IP
    • Critical firewall events:
        a. Top 20 Accepts by Destination IP
        b. Top 20 Accepts by Service
        c. Top 20 Accepts by Source IP
        d. Top 20 Denies by Destination IP
        e. Top 20 Denies by Service
        f. Top 20 Denies by Source IP

A weekly security summary report (Security Operations Report) is presented to the NetTN Program Office. This report includes the following:

    • Summary of security tickets
    • Security operational issues
    • Security events investigated
    • Incident reports

Security Compliance Reviews

AT&T considers reviews of operations and applications functions for compliance to security requirements essential to evaluating the adherence to the established security procedures worldwide. Results of these reviews are reported to regional security managers and executive management.

Security reviews may be facilitated or conducted by the Chief Security Office; by a business area sponsor of a product, service, or supplier or partner relationship; or by an operations team responsible for life cycle service management.
  • 45. Business and operations areas are encouraged to perform self-reviews to verify compliance with published security requirements.

Change Management

To ensure that the integrity of the security infrastructure is not degraded, AT&T uses change management processes to enter, approve, and report change requests. A new change request initiates approval processing and subsequent scheduling of maintenance activity for an ‘approved’ change request.

Scope

The scope of the change management program includes but is not limited to:

    • Installing or removing software
    • Modifying configuration parameters including Operating System (OS) and application security logging and security parameters
    • Upgrading to a new release level
    • Installing patches or fixes
    • Changes to application software
    • Changes to hardware

Customer Initiated Security Policy Change Options

Customers can initiate the following types of security policy changes:

    • Firewall Policy changes can be requested via Business Direct web portal using the MAC feature. GCSC performs the actual change.
    • IDS Policy changes can be requested via Business Direct web portal using the MAC feature. GCSC performs the actual change.
    • URL Filtering Policy changes can be performed directly by URL Filter Administrators via SmartPortal web portal, or by calling the appropriate AT&T Help Desk number.

Contacting AT&T for a Change Request
  • 46. MSS Hours of Operation

    • Policy Management: 24 hours per day X 7 days per week X 365 days per year coverage
    • Incident Management: 24 hours per day X 7 days per week X 365 days per year coverage
    • Threat Management: 24 hours per day X 7 days per week X 365 days per year coverage

The MSS Operations team has the responsibility of being the SPOC (Single Point of Contact) for NetTN Security Issues related to an Emergency circumstance on a Sev1 or emergency MACD.

For issues with the customer network related to the Managed Security device, accessing AT&T Business Direct to submit a trouble ticket is the fastest way for the AT&T Operations team to work the security issue. If the NetTN customer needs to speak with AT&T MSS Operations by phone, the call will be picked up by an MSS Operations Associate to resolve the problem/issue (use the appropriate dedicated support line).

URL for submitting Firewall & IDS Change Requests to AT&T

    • http://www.businessdirect.att.com

MSS MACD* Process Flow Outlines

MSS MACD Classifications:

    • Major A.19: 6 hours or less
    • Critical A.18: 15 minutes or less for video & 3 hours or less for all other services.

* Referred to as “MACs” for MSS changes within Business Direct Portal
  • 47. Ticket Creation:

Customer can open a MACD ticket several ways:

    1. Business Direct – All Business Partners https://www.businessdirect.att.com (“Manage Your Network Security” Tool for MSS MACDs)
    2. Tier 1 – OIR IHD NOSC – OIR sites (615-741-1001 Option 3 or 800-342-3276 Option 3)
    3. Tier 1 – Arlington Heights – Customer will call their corresponding 800 number.
        • SDE - 888-820-0345
        • TBR - 888-820-0341
        • PCU - 888-820-0341
        • UTS - 888-684-3366
        • EHE - 888-820-0347 Option 2
        • CHN - 888-820-0347 Option 2
        • LLG - 888-269-3248
        • PBS - 888-269-3248
        • TEM - 888-695-3627
    4. Designated Operations Manager:
        • Danny White – OIR Locations (615) 401-4233 office (615) 618-7598 Mobile
        • Chuck Tillman – SDE Locations (901)761-6422 office (901)-268-0693 Mobile
        • Jim Snyder – CHN, EHE, LLG, PBS, PCU, TBR, UTS, TEM Locations (615) 271-3716 Office (615) 916-1289 Mobile

MSS MACD (Major) – Customers With “Manage Your Network Security” Access In Business Direct

    I. Customer Opens MSS MACD under “Manage Your Network Security” in Business Direct.
    II. Customer calls the dedicated SOTN phone number (800-727-2222 Option 8, Option 2) to reach MSS Operations and alert them to the Expedited MAC Request.
        i. The Manage Your Network Security tool itself will generate an email (to the individual who opened the ticket) when the ticket is acknowledged.
  • 48.
        ii. The tool will also generate an email (to the individual who opened the ticket) when put in a state “pending customer information.”
    III. Tier II Security Engineer is assigned to work the MAC request.
    IV. If Tier II requires additional information, they will follow up with a phone call (to the individual who opened the ticket).
    V. When the MAC is completed, the system will generate an email back to the individual who opened the ticket acknowledging completion.

MSS MACD (Major) Customers Without Access To Business Direct

    I. Customer Site Contact will call Arlington Heights Tier I Help Desk using their corresponding 800 number in the ticket creation section.
    II. Arlington Heights will contact corresponding LCM Operations Manager / Duty Manager for the specific Business Partner.
    III. LCM Operations Manager / Duty Manager will open the MAC using the Managed Network Security Tool in Business Direct. If they require help with the MAC, they will contact the Security Engineer.
        i. The Managed Network Security tool itself will generate an email when the ticket is acknowledged.
        ii. The tool will also generate an email when put in a state “pending customer information.”
        iii. LCM Operations Manager / Duty Manager calls the dedicated SOTN phone number (800-727-2222 Option 8, Option 2) to reach MSS Operations and alert them to the Expedited MACD Request.
    IV. Once MAC is submitted, Tier II Security Engineer is assigned to work the MAC request.
    V. Tier II will follow up with a phone call to the LCM Operations Manager / Duty Manager if additional information is required.
    VI. Once MAC is completed, the system will generate an email. The LCM Operations Manager / Duty Manager will notify the customer.
  • 49. MSS MACD (Critical) All Business Partners

    I. Customer Opens Ticket as a Severity 1 (Using any method listed under Ticket Creation section above)
        i. Customer Notifies Corresponding LCM Operations Manager / Duty Manager about the ticket.
        ii. LCM Operations Manager / Duty Manager will call the SOT Dedicated Number (800-727-2222 Option 8, Option 2) to connect to MSS Operations.
    II. MSS Operations will begin to investigate and troubleshoot issue.
    III. MSS Operations determines an “Emergency” change needs to be made.
    IV. Per authorization from client, MSS Operations implements “Emergency Break/Fix” change.
    V. Client and MSS Operations test to ensure “Emergency Break/Fix” change restores desired functionality.
        i. If not successful, MSS Operations continues to troubleshoot to resolve issue.
        ii. If successful and the change is determined to be “Permanent”, MSS Operations contacts LCM Operations Manager/Duty Manager to have Standard MAC created from Customer’s AOTS MSS ticket in Business Direct’s Managed Network Security Tool. LCM Operations Manager/Duty Manager must properly identify in the MAC that the work was already completed and reference the AOTS ticket number.
        iii. If successful and the change is determined to be “temporary” in nature by concurrence of client, LCM and MSS Operations, then NO follow on MACD is required. MSS will appropriately set a follow up time on the AOTS ticket to remove the “temporary” change. Once that change has been removed, the AOTS ticket will be closed out.

MSS Change Request Guidelines

The following guidelines apply to change requests when working with MSS:

    • An associate will evaluate all change requests to determine if the information provided is sufficient to complete the request.
    • If information is missing or unclear, the MACD will be placed on hold. The contact that submitted the request will be notified via email with a request for him/her to log in and update the request based upon the log entry left by the associate who returned the MAC. Once sufficient clarification has been received and validated, the request will be placed back into the queue to be processed.
  • 50.
    • NetTN customers should include AT&T MSS in their planning for internal network changes that affect their Internet accessibility and notify MSS at least 24 hours ahead of making changes if those changes require non-hardware-based changes to be made to the NetTN managed equipment.
    • If a NetTN customer fails to properly coordinate a change to their network thereby causing a NetTN service outage or impairment, and calls AT&T MSS to make changes to the managed equipment on the fly, AT&T will make every attempt to comply with the request immediately but due to other service issues may not be able to accommodate the request at that time.
    • Emergency change requests via the phone must be documented via the MAC process, referencing work already completed, within 24 hours of the emergency request.
    • If the customer calls/contacts the AT&T MSS team to verbally request a change be made to avert or cease a security threat/incident that is currently in action, AT&T will work with the customer to contain the issue. This is an Incident Management Team (IMT) responsibility, not a Policy Maintenance Team (PMT) responsibility. Please choose the appropriate prompts to avoid delay in processing your issue.
    • When the security threat/issue is contained, the customer contacts will be given a ticket number. Additionally, an email will be sent to the customer outlining the issue that transpired and the changes that were made.

MSS Change Control Guidelines

    • Available maintenance window (with appropriate documentation and notification): Sunday, 3:00 AM Central - 6:00 AM Central
    • Emergency maintenance windows (also require appropriate documentation and notification): Monday through Saturday, 2:00 AM Central - 5:00 AM Central.
    • For routine maintenance required during the week, AT&T will notify the NetTN Program Office of any perceived service affecting maintenance at least 24 hours in advance via email or phone.
    • NetTN Program Office approved change requests will include, at a minimum, the following information:
        a. Type of change being made.
        b. Ticket number for the maintenance event.
        c. Issues being addressed in the change.
        d. Start and End times for the change window.
        e. Impact to end sites.
  • 51.
        f. Projected duration of outage.
        g. Back-out plan.
    • If the maintenance extends longer than the projected timeframe, AT&T will notify the customer via phone contact and email.
    • When the maintenance window is complete, the customer will be notified via either email or phone contact indicating:
        a. Status of the managed components that were being modified.
        b. State of the change (Active, Deferred, Closed, etc…)
        c. If the change was deemed successful.

MSS Change Request Escalation Procedure

    • When Managed Security Service’s Policy Management team receives a request for changes from the client within normal operational hours, Monday – Friday 0700-0000 including holidays, an associate will respond to Reactive and Proactive configuration changes as follows:
    • If these timeframes are exceeded, a client can contact the Policy Management team based on the timeframes in the table below.
    • To reach the Policy Management Team, dial the standard toll free service number and prompts that you have been provided.
    • The Team Lead is available during business hours, Monday – Friday from 0700 – 1600. The Escalation Manager is available outside of business hours.

| Time Frame | Contact | Escalation Manager |
|---|---|---|
| No contact in 12 hours | Policy Management Team | Any Client Team Associate |
| No contact in 18 hours or Not complete in 24 hours | Provisioning Team Lead | Shift Supervisor on Duty |
| No contact in 24 hours, Not complete in 24-36 hours | Operations Manager | Operations Manager on Duty |
| No contact in 24 - 36 hours | Group Manager | Ihab Youssef |
  • 52.

| Time Frame | Contact | Escalation Manager |
|---|---|---|
| No Contact in 24+ hours or Not complete in 48 hours | Security Services Director | Matt Lucas |
  • 53. Business Continuity & Disaster Recovery

Overview

AT&T Corporate Business Continuity Planning Services (CBCP) provides technical consultation and program management expertise to address the business continuity, disaster recovery and managed security needs of both AT&T and its customers. Business Continuity Planning Services focuses on all aspects of business continuity required to protect business operations: availability, reliability, scalability, recoverability, performance and security.

Working closely with internal and external customers, Business Continuity Planning Services develops a thorough understanding of business needs, applying its knowledge, expertise, and proven methodologies to implement customized solutions. An integral element of AT&T's business continuity and disaster recovery program is the mandatory process of certifying and assigning assurance levels to critical business operations. The goal of this process is to ensure, through certification, that no critical deficiencies exist.

AT&T networks and services are designed with a level of redundancy and recovery capabilities that enable AT&T to meet contracted Service Level Agreements. Custom solutions with an additional level of redundancy or route diversity can be provided for unique customer needs under specific contractual agreements.

Disasters create chaos, turmoil and heartbreak, but they do not diminish AT&T's commitment to our customers. AT&T recognizes that when a community, town, city, or region is struck by a catastrophic event, the rapid recovery of communications is critical. AT&T's Network Disaster Recovery plan has three (3) primary goals:

    1. Route non-involved communications traffic around an affected area.
    2. Provide the affected area communications access to the rest of the world.
    3. Recover the communications service to a normal condition as quickly as possible through restoration and repair.
AT&T conducts several major disaster recovery tests annually at different customer locations to review all aspects of emergency planning and response, and is leveraging investments in technology, equipment, and processes to support AT&T's Network Disaster Recovery capabilities throughout the world.

Please refer to the “Master NetTN ATT Continuity of Operations Plan” document for more specific information.
  • 54. GCSC Disaster Recovery

Over the past several years, AT&T’s Managed Services practice has improved the geographic diversity and the resiliency of the major infrastructure components which are used in support of our Business Services. The Managed Services practice has developed a globally available, diverse, resilient system which protects our ability to manage our client networks.

The asset management system components have a distributed redundant platform. The Vantive/GPS is AT&T’s configuration and provisioning DB which is one of several asset management systems in use today. The software operates on several computers to provide a highly available system which can be accessed by AT&T associates from anywhere in the world. The computers are housed in at least two geographically distant AT&T hosting centers. The software foundation of the Vantive/GPS system utilizes relational database technology with transaction replication features. As work is accomplished within the DB, the records are replicated at a regular interval to keep all the records synchronized. In this way, the client asset data which forms the foundation of our management practice is always available.

The network management system components of the iGEMS platform are deployed in a dual configuration at geographically distant AT&T data centers. Each of these identical systems is configured to use the SNMP and ICMP protocols to monitor the client networks. Additional management and control elements are also deployed in the redundant management zones. These control elements include TACACS device authentication and logging systems. The systems are configured to monitor the client network elements. There are software processes within the configuration DB to check the management target files against the inventory systems that will identify and report discrepancies. Associates work to reconcile the discrepancy reports against change control records.
The network management systems are monitored by the AT&T IT/Operations teams. IT/O teams are organizationally separate from the management services associates providing complete separation of duties.

The network management systems send events and alarms to the AT&T One Ticketing System (AOTS). The AOTS system is also hosted on redundant geographically diverse computers. Associates connect through standard access methods which provide a uniform connection between the client software on Associate PCs and the AOTS database system.
  • 55. The Global Client Support Centers (GCSCs) are designed to comply with the AT&T Security policies, and to provide segregated access to the client managed devices by way of the network management system. The GCSCs all follow a consistent design template, and associates are granted access to client networks using a consistent authorization mechanism. Authorized associates may access the asset management tools and the network management system components using standard methods which encapsulate the architectural details described above. The GCSC operations teams are located at separate sites from the tools which are used to manage the client networks. Many of the associates are equipped with laptop computers and SecurID token based remote access technology. Associates so equipped may access AT&T systems and tools from any internet connection anywhere in the world. None of the components are located in the same locations. Asset management systems are separate from network management systems, and AOTS ticketing tools. Operations staff is located at different locations from the systems. This infrastructure provides greater flexibility. Inbound toll free telephone numbers are assigned for client use. These telephone numbers have advanced features defined in the AT&T network, which allows us to terminate calls in any desired telephone system. The network management systems are able to be connected to our AOTS system. We can switch the source of ticket messages from one network management system to the other one in the pair. Operations can continue with little degradation when any single component has failed. AT&T has experience with repairing network system elements while client network management continues unabated. Responding to disaster scenarios in this extended system involves both short term and long term planning. In the short term, if a GCSC operation center is inoperable, the network management responsibilities are passed to other GCSC teams. 
These teams modify their operations procedures to expand their responsibilities to include the clients from the inoperable GCSC. Clients can be parceled out to a variety of different GCSC teams depending upon the mix of contractual and skill set constraints. Longer term planning involves accommodating the inoperable center, and providing alternate work locations for the GCSC associates who find themselves without their customary work location. GCSC business continuity plans can take advantage of any other AT&T work location to host the displaced team members. Team members equipped with laptops can relocate to hotels or other internet accessible locations outside of the impacted area.
  • 56. AT&T maintains standard software images, and SMS processes which enable AT&T to procure and install desktop computers into service very quickly. Disaster recovery drills include placing archived images into service on available computers, and then performing network management duties using those newly configured computers to validate the utility of our operating plans.

AT&T continually revises and reviews our disaster recovery and business continuity plans, searching for service improvements, and cost savings – in the ordinary course of business. We bring this persistent focus on continuous improvement to our clients to provide very high availability network management practices.

AT&T Corporate Management Engagement

AT&T management is engaged on a regular basis by various aspects of the security program and administration on a level and frequency commensurate with the criticality and impact of results of the programs or incidents as they occur. Following is a summary of some of the situations where management in the service lines is engaged:

    • Security incidents as they occur
    • Progress from security initiatives
    • Threat intelligence gathered by trend analysis
    • Results of internal and external audits and reviews

In addition, the management chain receives consolidated reports on a regular basis outlining the results of the security programs and the key issues for their area of responsibility. These reports are delivered to the senior executives as well as the line management.

The most senior executives are required to annually acknowledge their commitment to support corporate compliance. As a part of this requirement, senior executives attest that they and the areas of their responsibility are in compliance with the AT&T security requirements.

Strategy of Continuous Improvement

The world of networked computing and application security is fast moving and highly dynamic.
As a result, AT&T is continually improving security through active security research and development programs, tracking of industry development, and evaluation of new security technologies and products.
  • 57. New tools are employed based on a cost/benefit analysis. The tools and systems selected are those which deliver effective security safeguards.

Personnel Security

The AT&T Human Resources and Vendor Management organizations have controls in place to ensure that employees, contractors, and subcontractors are properly screened, authorized to perform their job functions, properly trained, and aware of their responsibilities with regard to AT&T and customer assets.

Security Awareness and Education

The AT&T global security organization is charged with directing and coordinating security awareness and education across AT&T. The AT&T global security organization maintains an internal security awareness website, a quarterly internal newsletter, all-employee bulletins, technology conferences, workshops and security courses to deliver general and targeted security awareness initiatives internally within AT&T. The program uses subject matter experts from the various security groups and disciplines for content development and partners with the AT&T education and training organization as well as other AT&T organizations for delivery channels. In addition, all AT&T personnel are required to annually acknowledge their responsibilities to adhere to AT&T’s Code of Business Conduct and AT&T’s security policy.

AT&T Cyber Security Conference

AT&T Chief Security Office hosts the annual AT&T Cyber Security Conference to enable open communications with our enterprise customer community on emerging threats and countermeasures within the security industry. The conference promotes awareness of AT&T’s strategy and direction to further protect business customers utilizing AT&T network and systems. Contact your AT&T account team for more information.
Security Training and Certifications

AT&T encourages its employees to obtain security training, achieve accreditation and certifications. This training is conducted both within AT&T and through corporate training organizations such as:

• The International Information Systems Security Certification Consortium, Inc. (ISC)²
• Information Systems Security Association (ISSA)
• The SANS Institute
• Vendor and product-specific training and certification, such as, Cisco, Microsoft, Checkpoint and others.

Our large population of security professionals maintains certifications and credentials such as:

• Certified Information System Services Professionals (CISSP)
• Certified Information Systems Auditors (CISA)
• Certified Information Security Management (CISM)
• Certified Ethical Hacker (CEH)
• Global Information Assurance Certification (GIAC)
• RSA Certified Security Professional (CSP)
• Microsoft Certified Professional (MCP)
• Cisco Qualified Professional
Appendix B. Statement Regarding ISO 27000 Standards

AT&T Services Inc. Chief Security Office

ISO/IEC 27001 and ISO/IEC 27002, part of the ISO/IEC 27000 family of standards, are Information Security Management System (ISMS) standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). These standards are normally used together in practice. ISO/IEC 27001 documents information security controls, while ISO/IEC 27002 provides additional information and implementation advice regarding those controls. Previous versions of such security standards include ISO/IEC 17799:2000, which was a copy of the British Standard BS 7799-1:1999.

As a company that provides security services to protect corporate assets and the information and assets of others, AT&T is familiar with the ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements and the ISO/IEC 27002 Information technology – Security techniques – Code of Practice for information security management. AT&T has developed and maintains a comprehensive set of security standards based in part on these and other leading industry standards, such as COBIT.

AT&T has successfully undergone a pre-audit to a previous version of the ISO 27001 standard but to date has not performed any formal certification. Considering the breadth of AT&T’s services and global service environments, it is neither economical nor essential to perform a formal certification given the volume and depth of other internal and external audits that AT&T and its customers perform to address security policy, regulatory, and customer requirements (e.g., SAS 70).
However, AT&T has established that the security requirements contained in the AT&T Security Policy & Requirements (ASPR) Library, along with processes, procedures and responsibilities of other AT&T organizations, are consistent with the 133 controls documented within ISO/IEC 27001:2005.
It is AT&T’s policy to comply with all applicable laws and regulations in each country where it operates and to protect AT&T's corporate assets and the information and assets of others that AT&T is obligated to protect. AT&T’s global security programs strive to ensure security is incorporated into every facet of AT&T's computing and networking environments to safeguard AT&T's customers and their data while managed by AT&T or while in transit on an AT&T network. These programs apply to all AT&T operations on a global basis. Compliance with AT&T security policies helps to ensure that the highest level of standards is met in AT&T operations and in the services AT&T offers to its customers.