CONFIDENTIAL under TCA 10-7-504
SMP Version 2.2
February 10, 2010
CONFIDENTIAL under TCA 10-7-504
AUTHOR VERSION DATE COMMENTS
Robert Knight 1.0 8/31/2009 Initial Version
Robert Knight 1.1 9/3/2009 Incorporated Lisa
Robert Knight 1.2 9/10/2009 Incorporated Danny White
Robert Knight 1.3 9/18/2009 Updated MSS contacts
Robert Knight 1.4 9/22/2009 Changed font to Arial
Vickie Stanfill 1.5 10/15/2009 Revised
Robert Knight 1.6 10/29/2009 Incorporated Program
Office Changes; added
DR section language
Robert Knight 1.7 12/2/09 Add Mark Freifeld’s new
MRS & MSS Change
Robert Knight 1.8 12/16/09 Removed MRS MACD
change control as
requested by Program
Robert Knight 2.0 1/14/2010 Final Release, removed
draft watermark, minor
corrections; updated MSS
MACD Process to v1/7/10.
Robert Knight 2.1 2/10/2010 Added page numbers,
revised MSS contacts.
Robert Knight 2.2 2/10/2010 Realigned page numbers
CONFIDENTIAL under TCA 10-7-504 2
Table of Contents
About NetTN and AT&T................................................................7
AT&T Chief Security Office..........................................................9
The Worldwide AT&T Security Organization...............................9
Security Organization Mandate..................................................10
AT&T Security Responsibilities.................................................11
AT&T Senior Executive...........................................................11
AT&T Life Cycle Management (LCM) Team ...........................12
AT&T Global Customer Service Center (GCSC) .....................13
AT&T Global Customer Support Center (GCSC) Manager......13
AT&T GCSC Technicians.........................................................14
AT&T CMS Tier 1 Help Desk .................................................14
AT&T Help Desk Technicians .................................................15
AT&T System Administrators..................................................17
AT&T Managed Security Services (MSS)................................18
OIR Integrated Help desk (IHD) ..............................................22
OIR Network Operations & Security Center (NOSC) .............22
NetTN Program Office.............................................................23
AT&T NetTN Security Program.....................................................24
Security Standards & Policy.......................................................24
Network Segmentation Control Measures.................................25
CONFIDENTIAL under TCA 10-7-504 3
NetTN Strategic VRFs.............................................................26
NetTN Dirty VRFs.....................................................................26
Physical Access Control Measures............................................27
Logical Access Control Measures..............................................27
Network Element Access Controls............................................28
Access Validation Process.........................................................28
Network Perimeter (Firewall) Protection...................................29
NetTN Core Security Design....................................................29
NetTN IDSM Layout.................................................................33
NetTN IDSM Sensor Traffic Assignments...............................34
Workstation Security Management............................................34
Security Status Checking, EVM & Penetration Testing............35
Security Status Checking........................................................35
Enterprise Vulnerability Management Program (EVM)...........35
Security Status Reporting.......................................................36
Security Advisory Process .........................................................37
Security Incident Reporting and Management..........................38
Incident Response Plan ..........................................................38
State of Tennessee Security Incident Response Team.........39
AT&T Incident Response Analysts..........................................39
Incident Management Guidelines............................................39
Incident Management Escalation/Notification Process.........40
Threat Management Guidelines (includes Intrusion Detection)
Threat Management Escalation Procedure............................41
MSS Contacts and Escalation.................................................42
Incident Management Reporting.............................................43
Threat Management Email Alerts............................................43
Security Compliance Reviews....................................................44
CONFIDENTIAL under TCA 10-7-504 4
Customer Initiated Security Policy Change Options..............45
Contacting AT&T for a Change Request.................................45
MSS MACD* Process Flow Outlines........................................46
MSS Change Request Guidelines............................................49
MSS Change Control Guidelines..............................................50
MSS Change Request Escalation Procedure..........................51
Business Continuity & Disaster Recovery Overview.................53
GCSC Disaster Recovery.........................................................54
AT&T Corporate Management Engagement..............................56
Strategy of Continuous Improvement........................................56
Security Awareness and Education...........................................57
AT&T Cyber Security Conference..............................................57
Security Training and Certifications..........................................58
Appendix B. Statement Regarding ISO 27000 Standards.............59
CONFIDENTIAL under TCA 10-7-504 5
This document establishes the management plan for protecting data, services,
and resources related to the Network Tennessee (NetTN) network, and those
elements of the system that require protection.
The NetTN Security Management Plan (SMP) is designed to support the NetTN
Association Partners mission by providing direction and guidance to protect
automated information system (AIS) resources and define responsibilities and
authorities for carrying out the NetTN security program. This document is
intended as a living document. Changes that affect network security may be
added at anytime.
The NetTN Security Management Plan is specifically for those systems
described in the security architecture. The boundary of the Security Management
Plan includes all network devices from the Internet connection point to the
Partner end site locations.
This document will describe the plan for securing the NetTN network
Elements of the plan include:
• An overview of AT&T’s security policy and comprehensive programs that
strive to ensure security is incorporated into every facet of AT&T's
computing and networking environments. This overview focuses on the
key elements and initiatives to safeguard NetTN customers and their data
while managed by AT&T or in transit on the NetTN network
• High Level Roles & Responsibilities for AT&T & NetTN Association
• A summary of the customers’ security responsibilities to protect
CONFIDENTIAL under TCA 10-7-504 6
This document provides a summary of the AT&T security policy and program as
it relates to the NetTN network.
This document is provided as summary information only. It is not a contract, and
no statement, representation, characterization within this document shall be
construed as an implied or express commitment, obligation or warranty on the
part of AT&T Inc. or any of its affiliates, or any other person.
All contractual obligations between AT&T and the State of Tennessee are set out
exclusively in the NetTN Contract, and nothing in this document shall amend,
modify, supplement or otherwise change the provisions or terms of that
About NetTN and AT&T
The NetTN network serves the needs of all agencies in State Government,
Higher Education, including the University of Tennessee and all the Schools of
the Tennessee Board of Regents, as well as K-12, eHealth, E911, non-profits,
and private schools. In addition, the network serves as the platform for use by
Local Government in all 95 counties and promotes economic development
across Tennessee. The State of Tennessee’s prime contractor, AT&T, will
design and manage access connectivity with an overarching goal of ensuring
The NetTN Wide-Area-Network outsourced solution
• NetTN is based on a private Multi-Protocol Label Switching (MPLS) core
network with MPLS Virtual Private Networks (VPNs) to meet the State of
Tennessee’s communication requirements. This infrastructure is the basis
for all future services over Internet Protocol (IP) and collaborative
computing initiatives for the next ten years.
• The infrastructure is the enabler to building application-aware network-
based MPLS/VPNs to link locations and efficiently transmit applications
such as voice, data, and video over a single connection.
• Access options to connect to the network include Dedicated Private Line,
Ethernet, Wireless, and xDSL (where available).
Paramount features of the NetTN effort are security, availability and reliability
CONFIDENTIAL under TCA 10-7-504 7
• The physical NetTN network consists of a partial mesh topology designed
to eliminate a single point of failure from isolating a Network Access Point
(e.g. Nashville, Knoxville, Memphis) or Point of Presence (POP) (e.g.
Johnson City), and minimize increases in network latency in a failover
• All main core backbone links between NAPs are 10 Gigabits Ethernet
circuits. The partial mesh arrangement has been designed so that a failed
core link will not result in excessive latency across a surviving core link.
• The Johnson City POP will utilize, at minimum, redundant connections
(e.g. 1 to Knoxville, 1 to Nashville) and will be sized appropriately to meet
the NetTN Service Level Agreements (SLAs).
• The NetTN Core backbone is scalable to 40 Gigabit services, and as end
site bandwidth is ordered and aggregated, will be managed to the
AT&T Inc. is a premier communications holding company. Operating globally
under the AT&T brand, AT&T is recognized as the leading worldwide provider of
IP-based communications services to businesses and a leading U.S. provider of
wireless, high speed broadband Internet access, local and long distance voice,
as well as directory publishing and advertising services. AT&T operates one of
the worlds most advanced and powerful global backbone networks, carrying
more than 16.5 petabytes of data traffic on an average business day to nearly
every continent and country, with up to 99.999 percent reliability.
AT&T Laboratories is the driving force behind groundbreaking communications
innovations that transform the way people work, live and play. Innovations
include new technologies, applications and services that support our security
portfolio which enhance and safeguard the customer experience. NetTN
enhancements are fully tested in the AT&T lab environment prior to
implementation on the NetTN production Network.
CONFIDENTIAL under TCA 10-7-504 8
AT&T Chief Security Office
The AT&T Chief Security Office (CSO) organization establishes policy and
requirements, as well as comprehensive programs, to ensure security is
incorporated into every facet of AT&T's computing and networking environments
(including NetTN). AT&T CSO technical personnel work in partnership with other
AT&T Business Units and Divisions to evaluate threats, determine protective
measures, create response capabilities, and ensure compliance with best
The Worldwide AT&T Security Organization
AT&T maintains a comprehensive global security organization comprised of over
700 security professionals. This organization is dedicated to the physical and
logical security of the AT&T global network and its service offerings. It supports a
broad range of functions, from security policy management to customer-facing
The AT&T global security organization reviews and assesses the NetTN Network
security control posture to keep pace with industry security developments and to
satisfy regulatory and business requirements. Recommendations are made to
the Corporation on the technology solutions and critical skills that are to be
developed or acquired in order to maintain the required security posture. AT&T
actively participates in a number of global security organizations such as:
• Computer Emergency Response Team/Coordination Center (CERT/CC)
• Security activities within Internet Engineering Task Force (IETF) and the
World Wide Web consortium (W3C)
• Forum of Incident Response and Security Teams (FIRST).
• In addition, AT&T participates in the following government and
government-sponsored organizations in the United States:
• National Coordinating Center for Telecommunications (NCC)
• U.S. Government Department of Homeland Security (DHS)
• Network Reliability and Interoperability Council (NRIC)
• Communications - Information Sharing and Analysis Center
• Network Reliability Steering Committee (NRSC)
• The National Telecommunications and Information Administration (NTIA)
• National Communications System (NCS)
• National Security Telecommunications Advisory Committee (NSTAC)
CONFIDENTIAL under TCA 10-7-504 9
• FBI InfraGard
• U.S. Secret Service (USSS) Cyber Crimes Task Force
• National Security Information Exchange (NSIE)
• Shared High Frequency Radio Resources (SHARES) Program
• Communications Sector Coordinating Council (SCC)
• Telecommunications Service Priority (TSP) Oversight Committee
Security Organization Mandate
AT&T considers network and information security to be a cornerstone of the
services that it delivers worldwide. By the security policy mandate of AT&T's
Chief Security Office, AT&T is committed to protecting its NetTN customers and
its own information and resources from unauthorized access, disclosure,
corruption or disruption of service. This security policy is designed to protect
AT&T and NetTN managed assets, and is applicable to network elements,
systems, applications and workstations owned or managed by AT&T. Execution
of the policy is led by the AT&T Chief Security Office organization whose role is
• Protect NetTN Managed assets and resources from security breaches by
monitoring potential security threats, correlating network events, and
facilitating compliance with legal and regulatory security requirements.
• Own and manage the AT&T security policies and standards for the
Corporation and maintain ultimate responsibility for all aspects of network
and information security within the Corporation.
CONFIDENTIAL under TCA 10-7-504 10
Specific roles and responsibilities are necessary for the effective management
and efficient administration and implementation of the NetTN Security Policies.
The following roles and their respective responsibilities are established and
outlined to meet administration requirements.
AT&T Security Responsibilities
All employees, suppliers, contractors, and agents of the AT&T companies are
responsible for protecting AT&T Information Resources to assure the
confidentiality, integrity, and availability of computing, networking, and
The following section outlines some of the security responsibilities of each AT&T
AT&T Senior Executive
• Senior executives own the responsibility for network and information security
within their organizations and are accountable to the AT&T Chief Security
• Accountable for protecting assets under their ownership and control.
• Responsible to revoke logical and physical accesses owned by an employee
on his/her job reassignment or termination from employment.
• Responsible for the compliance of their staff with the requirements of the
AT&T security policies.
• Responsible for conducting logical and physical access revalidation at regular
CONFIDENTIAL under TCA 10-7-504 11
• Responsible for developing skills of staff necessary to support the security
• Responsible for annual review and acceptance of AT&T Code of Business
Conduct with staff.
• Comply with AT&T security policies.
• Maintain and execute security status checking processes, security
profile/signature upgrades, etc., on systems under their control.
• Validate their personal logical and physical accesses on systems and facilities
on a regular basis.
• Comply with confidentiality requirements, customer privacy agreements,
government policies where applicable and necessary, and office "clean desk"
programs for securing confidential information.
• Comply with the AT&T Code of Business Conduct.
AT&T Life Cycle Management (LCM) Team
The NetTN Life Cycle Management Team supports the NetTN contract &
• Provide tier 4 level support related to infrastructure management, delivery,
break/fix, and daily operations of the NetTN Network
• Ensures the NetTN Network is operated in accordance with the
requirements of this document.
• Ensures requests for new NetTN Network infrastructure and services, or
changes to existing NetTN Network infrastructure and services, include
appropriate security requirements and that these requirements are
incorporated into the system design.
• Ensures coordination of significant security-related matters.
• Reviews Managed Security Service (MSS) break/fix tickets related to
firewalls and Intrusion Detection Systems with the NetTN Program Office
on a weekly basis.
• Provides assistance to NetTN Partner Member Information System
Security Officer Point of Contacts.
• Responsible for developing and maintaining the NetTN Security
CONFIDENTIAL under TCA 10-7-504 12
• Responsible for developing and maintaining the NetTN Incident Response
AT&T Global Customer Service Center (GCSC)
The operations and management function for the NetTN Network is supported by
AT&T. AT&T has many service support centers based upon service and function
Communication and information services entering and exiting end-sites via the
NetTN infrastructure fall under the operational control of the Global Customer
Service Center (GCSC). Currently, only OIR contacts GCSC directly as their
primary help desk.
• Oversees the NetTN Network through two primary support organizations,
MRS (network) and MSS (security).
• Provides network resources needed to achieve operational objectives.
• Using network management systems, the GCSC performs network
management and problem resolution for the backbone.
• Provides network support services, including managing issue tracking
tickets and providing coordination and communication with NetTN
Members and NetTN team for problem resolution.
AT&T Global Customer Support Center (GCSC) Manager
The AT&T GCSC Manager is responsible for the day-to-day operations of the
GCSC. The GCSC Manager is responsible for the infrastructure. The GCSC
Manager works with NetTN Member network managers to ensure that the AT&T
Security Policy is enforced at all appropriate levels.
• Provides proactive and reactive network administration.
• Monitors and controls the network, available bandwidth, hardware, and
distributed software resources.
• Responds to detected security incidents, network faults (errors), and user-
reported outages when such problems are referred from the help desk or
CONFIDENTIAL under TCA 10-7-504 13
AT&T GCSC Technicians
AT&T GCSC technicians use a central repository to archive technical advice and
solutions on network systems, software applications assistance, automatic data
processing support, hardware exchange, and repair service support. Because
they work closely with vendors and outside providers, users and workgroup
managers, GCSC technicians must be familiar with the contents of the SMP to
facilitate early detection of new vulnerabilities and incidents.
• They determine the type of reported systems problems (within defined
• Report the status of problem resolution to the affected client, and maintain
a historical database on problem resolution.
• Implement all troubleshooting and maintenance changes.
• Monitor the status and health of the NetTN Network
AT&T CMS Tier 1 Help Desk
The Help Desk function for the NetTN Network is located in AT&T Help Desk
Support Centers. The AT&T Help Desk uses a central repository to archive
technical advice and solutions on network systems, software applications
assistance, automatic data processing support, hardware exchange, and repair
service support. All NetTN partners (except OIR) contact the CMS Help Desk for
security and fault management issues.
• Tier one single-point-of-contact help desk to reactively take calls from
approved/authorized State of Tennessee end- users: Tennessee Board of
Regents (TBR), University of Tennessee System, Private Colleges and
Universities, State of Tennessee Department of Education, and City and
• Triage incidents from approved/authorized State Tennessee end-users,
route incidents to the appropriate Tier 2 center.
• Attend the AT&T Life Cycle Management (LCM) service delivery reviews
and customer meetings. The requirement is to be prepared to discuss
and report on.
• Help Desk activities as it relates to the approved end-users. Recurring
customer issues should be referred to the Operations Manager on the
LCM team for resolution.
CONFIDENTIAL under TCA 10-7-504 14
• Support the reporting of incident management tickets. May use AT&T’s
Business Direct to report incident tickets for approved/authorized State of
• Help Desk shall be available Monday through Friday 6 a.m. to 6 p.m. CST
for SDE K-12, and 6 a.m. to 6 p.m. CST Monday through Saturday for all
other NetTN end users..
• Help Desk shall provide as an option 24x7 support if required by any of
the NetTN end users as a separate cost element.
AT&T Help Desk Technicians
Help Desk technicians determine the type of reported systems problems (within
defined response times), report the status of problem resolution to the affected
client, and maintain a historical database on problem resolution. AT&T Help
Desk Help Desk technicians must be familiar with the contents of the NetTN SMP
to facilitate early detection of new vulnerabilities and incidents.
• The Help Desk will initiate a trouble ticket, determine the level of support
and route the incident to provide action necessary to accommodate the
End-Users needs. In the event the service or condition needs to be
escalated, the ticket and call will be transferred to Tier 2 support.
• Ticket prioritization for Critical, Major and Minor troubles based on the
following time frames:
a. Critical Problem Identification shall be immediate:
1) Level 3 ticket opened, work log entry within 10 minutes
2) Subsequent entries into work log within 30 minutes
3) First critical notification within 30 minutes and subsequent
critical notifications every hour until the problem is fixed
4) Critical Problem Fixed: three hours or less
b. Major Problem Identification shall be immediate:
1) Level 2 ticket work log generated within 30 minutes
2) Subsequent entries into log within two hours
3) Major Problem Fixed: six hours or less
CONFIDENTIAL under TCA 10-7-504 15
c. Minor Problem Identification shall be immediate:
1) Level 2 ticket work log generated within 30 minutes
2) Subsequent entries into log within four hours
3) Minor Problem Fixed: eight hours or less
• Ensure the issue is completely resolved to the reporting End-User’s
• Provide dedicated 1-800 numbers for contracting State of Tennessee End-
Customer Phone Number
TBR (888) 820-0341
K-12 (888) 820-0345
UT (888) 684-3366
EHE, CHN (888) 820-0347
LLG, PBS, PCU, TEM (888) 269-3248
OIR (866) 373-0524 pin # 78283
(GCSC for both MRS & MSS)
• Supplier will accept tickets via e-mail from authorized State of Tennessee
• Problem Reporting responsibilities:
a. AT&T will provide network management reports to track problem
volumes, patterns and trends to the State of Tennessee.
b. The AT&T LCM team will be responsible for reporting performance
metrics to the State of Tennessee.
c. Standard Ticket Management reporting includes:
1) Service Level Reporting on Help Desk
2) Number of tickets per month
3) ACD Call Detail
4) Ticket by problem type
5) Additional reports may be required
d. All support is provided in English
CONFIDENTIAL under TCA 10-7-504 16
AT&T System Administrators
System administrators ensure that servers, workstations, peripherals,
communication devices, and software are on line and are available to support
customers. System administrators must thoroughly understand the NetTN
mission and must be completely knowledgeable about the capabilities and
limitations of the network and about the NetTN Network Security Policy and
NetTN Security Management Plan.
• Installs and configures software and hardware
• Adds, deletes, or modifies user accounts
• Enforces password control
• Sets permissions
• Performs security management functions
• Coordinates maintenance and changes with the GCSC help desk
End-users or Users are defined as any person that has access to the NetTN
Network and/or with access to internal information or internal information
systems. End-users accept some restrictions on their ability to use information
systems in the interest of good security controls.
End-users are required to abide by all security requirements defined in this
document and to familiarize themselves with NetTN Network Security Plan. End
Users may include LCM team members, penetration testers, etc.
• Follows good security practices by protecting against viruses, protecting
their passwords, abiding by specific NetTN Network Security Plan
concerning e-mail and the Internet, and otherwise practicing safe
• Backs up and protects their files.
• Uses computer resources for authorized purposes only. Users must sign
a User Agreement before being granted access to information technology
• Notifies management if their requirements for access have changed.
• Reports suspected compromise of good security practices to
CONFIDENTIAL under TCA 10-7-504 17
• Receives periodic security training.
• Refrain from penetration testing the NetTN network infrastructure.
AT&T Managed Security Services (MSS)
Security for the NetTN Network is provided by AT&T Managed Security Services.
The Security management function for the NetTN Network Security Architecture
is located in Durham, North Carolina in the Security Operations Center (SOC).
MSS personnel are responsible for overseeing security for the NetTN WAN
Services. By using firewalls, intrusion detection systems (IDS), intrusion
prevention systems (IPS), fault-correlation software, and vulnerability
assessment tools, the SOC monitors all traffic entering and leaving the NetTN
Network via the MSS managed Internet Gateway points.
The AT&T MSS team is made up of 3 primary teams to support various security
1. Policy Management Team (PMT):
The team is responsible for integrating new customers into the AT&T MSS
lifecycle process, managing change requests via MAC’s (moves, adds, or
changes), and providing answers to general questions regarding NetTN
managed security service.
2. Incident Management Team (IMT):
The team provides initial notification of non-scheduled impact events such as
network, and hardware failures. Additionally, they support NetTN MSS
customers through effective and prompt attention to any Fault Management
issue you may encounter with the NetTN managed security service.
3. Threat Management Service (TMS):
The team supports the Intrusion Detection devices and provides written
notification either in automated or manual format for events of varying
severity. The notification is for monitored traffic and is reported per the level
contract. In the event of potential compromise the client will be engaged via
phone and a qualified analyst will aid in mitigation.
These three teams contain various security experts, including firewall Engineers,
IDS Engineers, and Information Assurance Security Analysts, which are
CONFIDENTIAL under TCA 10-7-504 18
The Firewall Engineer ensures that all applicable operating system patches and
software revisions are installed. The GCSC Firewall Engineer provides oversight
for the maintenance of the NetTN Firewall Enforcement Policy and serves as a
resource for handling violations of that policy.
• Maintains firewall rule enforcement policy & configuration.
• Conducts periodic firewall enforcement policy reviews to ensure
compliance with network security procedures.
• Evaluates known firewall vulnerabilities to see if additional safeguards are
• Troubleshoots firewall related problems
• GCSC Firewall Engineers support firewalls accepted into GCSC
maintenance (including when a new site is added into an existing virtual
firewall instance). A different (non-GCSC) firewall engineering team is
focused on provisioning new firewall CMA builds for new NetTN partners.
Network Intrusion Detection Systems (IDS) Engineer
The Network Intrusion Detection Systems Engineer ensures that all applicable
operating system patches and software revisions are installed. The Network
Intrusion Detection Systems Engineer provides oversight for the design &
maintenance of the NetTN IDSM blades and serves as a resource for design
• Maintains IDS equipment design & configuration.
• Creates IDS design diagrams and engineering specifications
• Troubleshoots IDS related problems
Information Assurance (IA) Security Analysts
IA Security Analysts work in the SOC and employ firewalls, intrusion detection
systems, intrusion prevention systems, fault correlation software, and
vulnerability assessment tools, to enhance the security of the NetTN Network.
CONFIDENTIAL under TCA 10-7-504 19
The IA analysts perform proactive security functions to assist NetTN Association
Partners in deterring, detecting, isolating, containing, mitigating and recovering
from information system and network security intrusions. The IA Security
Analysts also monitor, and direct proactive and reactive network information
protection defensive measures to help ensure the availability and integrity of the
• AT&T Managed Security System maintenance – Operating system
updates, configuration changes, etc.
• Monitors – Review, oversee, and manage configuration of IDS/IPS and
• Event Resolution – Identify vulnerabilities and proactively prevent attacks
on through MSS managed platforms.
• Audits – Maintain and review log files collected at the from security
devices identified as part of the NetTN network and managed by MSS.
• Ensures that logical measures to protect the network/Data are in effect
and those measures to protect sensitive data processing are
• Reviews security policy changes to identify any potential to network
security degradation or compromise.
• Investigates Network security events identified by the MSS managed
• Reports network security violations
• Recommends mitigation activities in the event a network compromise is
• Monitors the system recovery processes to assure that security features
are correctly restored. This would pertain to all MSS managed security
• Notifies the Security Incident Response Teams (SIRT), which is dedicated
to handling security incidents.
• Implement the NetTN Security Policy (including IDS signature selection &
shunning) on the MSS Managed devices in accordance with the
requirements as specified by the customer.
• Provides security guidance for information systems within the AT&T
• Assists in coordination with AT&T GCSC staff on security-related matters.
CONFIDENTIAL under TCA 10-7-504 20
NetTN customers are responsible for safeguarding the security of their
enterprise, their data, and any connection to the NetTN Network from loss,
disclosure, unauthorized access or service disruption. The customer is expected
to promptly notify AT&T of any actual or suspected security incidents or
vulnerabilities relating to NetTN services of which the customer becomes aware.
Prompt notification is required if the customer believes that an unauthorized party
has obtained access to the customer's user identifications and passwords,
personal identification numbers or tokens.
Each NetTN Partner should have a security policy defined and a security
program in place to support the policy. The program should address, at a
minimum, physical and logical security, and confidentiality of data.. The State of
Tennessee Security policy is located at http://Tennessee.gov/finance/oir/security/
secpolicy.html. The State of Tenneesee Chief Security Officer is the owner of the
security policy and program. The NetTN customer's security obligations include,
but are not limited to:
• Responsible for gathering firewall & IDS business requirements and
memorializing them within NetTN Technical Provisioning Documents for
each newly built security asset.
• Responsible for submitting Business Direct MACs to maintain firewall
enforcement policies where required
• Responsible for maintaining URL filtering (white list & black list) policies
• Responsible for defining IDS shunning policy where required
• Responsibility for protecting the customer's confidential information from
• Responsible for defining & provisioning State employee and/or Partner
user access to Business Direct security applications
• Responsibility for the management of customer data, content and
transaction information stored on or transmitted over the NetTN Network,
e.g., backup and restoration of data, erasing data from disk space that
• Responsibility for the selection and use of appropriate services and
security features and options to meet the customer's business and
security requirements, such as encryption to protect privacy of personal
• Responsibility for developing and maintaining appropriate management
and security procedures, such as, physical and logical access controls
and processes, (e.g., application logon security, including unique user
CONFIDENTIAL under TCA 10-7-504 21
identifications and passwords/pins/tokens complying with prudent security
policies) on any customer provisioned and managed networked devices
• Responsibility for the protection and physical security of devices and
systems on the customer's premises, including preventing unauthorized
sensors, sniffers and eavesdropping devices from being installed on the
• Responsibility to ensure no security testing or scanning, etc sourced by
the customer occurs on network or application components outside the
responsibility and ownership of the customer.
• Responsibility to ensure that its End-Users comply with applicable law and
also with the State of Tennessee Acceptable Use Policy in using any
service offered by NetTN that is provided over or includes access to the
• Responsibility for the acts and omissions of the customer's End-Users of
any service obtained from NetTN.
Responsibility to notify AT&T promptly of any security breaches detected by the
customer related to the services provided by the NetTN Network.
OIR Integrated Help desk (IHD)
The OIR Integrated Help Desk takes user calls on a great variety of support
issues. The primary responsibility for the IHD in reference to NetTN support is
the resetting of Remote Access Platform (RAP) account passwords. All other
calls received regarding NetTN issues are escalated to the Network Operations &
Security Center (NOSC).
OIR Network Operations & Security Center (NOSC)
The Network Operations and Security Center’s primary role regarding NetTN is
to provide a liaison between the NetTN GCSC technicians, and OIR aagency end
users. The NOSC maintains POC (point of contact) information for all State of
Tennessee service locations, and works directly with both NetTN and the State
customers who are experiencing any of a number of communication issues.
• Reports latency and high utilization issues to NetTN for further
CONFIDENTIAL under TCA 10-7-504 22
• Assists in the coordination of technicians’ access to facilities when a
dispatch is required.
• Works in conjunction with Security Policy and Audit to identify potential
Security threats and reports them to NetTN for further investigation and
isolating actions when needed.
NetTN Program Office
Beyond contract management, the NetTN Program Office is responsible for
governance & oversight of the NetTN environment from a security perspective.
• Oversight of NetTN enterprise security, including engineering &
• Oversight of NetTN penetration testing program
• Oversight of security management reporting (break/fix and incident
• Administration of Business Direct Portal for NetTN End-User access
CONFIDENTIAL under TCA 10-7-504 23
AT&T NetTN Security
Security Standards & Policy
AT&T has developed and maintains a comprehensive set of security standards
based in part to similar leading industry standards (COBIT, ISO/IEC 27001:2005,
etc.). The library of AT&T security standards is continually re-evaluated and
modified as industry standards evolve and as circumstances require. In addition,
operating procedures, tools and other protective measures are regularly
reviewed to ensure the highest standards of security are observed throughout the
AT&T’s corporate security policies and standards are proprietary to AT&T and
are not generally disclosed to any organization or entity external to the AT&T
corporate family. Maintaining the confidentiality of this information is, in itself, a
facet of our security program that protects AT&T customers. However, for the
purposes of this contract, NetTN specific policies have been developed and
articulated within this Security Management Plan document.
To ensure confidentiality, information is accessible only to those authorized.
AT&T has implemented a three-tiered Information Classification framework for
categorizing information based on sensitivity of the content and specific legal
requirements. Document markings are specified for each data classification in
order to identify the means and levels of protection required to safeguard
information in each classification.
Sensitive customer information especially related to the provision and
administration of NetTN services is accorded significant protections, including
encryption (where permitted by law) when stored or transmitted on untrusted
networks. Customer information managed by AT&T is further protected by
requiring personnel to commit to a standard confidentiality agreement on
commencement of their employment, and a code of business that assigns severe
penalties to violations of these commitments.
CONFIDENTIAL under TCA 10-7-504 24
AT&T employs information and data destruction and sanitization procedures to
ensure that electronic and hard media containing proprietary data and
information are physically destroyed or shredded, or properly erased or wiped
according to commercially accepted practices when the media or hard copy
leaves the control of the company or is no longer required for business purposes.
Equipment containing storage media are checked to ensure that any proprietary
data and licensed software has been removed or securely overwritten prior to
Network Segmentation Control Measures
The NetTN Network consists of the WAN infrastructure backbone equipment
beginning at the Internet Border Router (IBR) and through to the Customer Edge
Router (CE Router), which is used to connect organizational LANs to the NetTN
Network managed by AT&T GCSC.
NetTN is a layer-3 VPN delivery structure, set up in accordance with principles
and constructs as set forth in RFC 4364. An MPLS core is used to provide a
platform for VPN deployment across a common IP infrastructure.
Communication and information services entering and exiting End Sites via the
NetTN infrastructure fall under the operational control of the GCSC.
Organizational LANs connect to the NetTN Network for Intranet and Internet
connectivity. These LANs provide office automation services for the member
agencies and are managed by NetTN Association Member system
administrators. Organizational LANs normally include servers (file, mail, and
Web), networking devices (routers, bridges, and the like), media, user
workstations, and printers.
Each of the Nashville and Knoxville NAPs has a pair of redundant Crossbeam
X80 firewalls in a High-Availability configuration. In addition, each NAP has dual
Egress PE routers, or External Gateway Routers (EGR) and dual Internet Border
Routers (IBR) to provide redundant connectivity to the Crossbeam HA
CONFIDENTIAL under TCA 10-7-504 25
NetTN Strategic VRFs
The NetTN core has 10 strategic user VRFs assigned to the TN Associated
2. Office of Information Resources (OIR)
3. Community Health
4. Tennessee Board of Regents (TBR)
5. University of Tennessee (UT)
6. Libraries and Local Government (LLG)
7. K-12 (includes multiple discrete Checkpoint VSX instances)
8. Private Community Colleges & Universities (PCU)
9. Public Broadcasting Systems (PBS)
10. Tennessee Emergency Management Agency (TEM)
NetTN Dirty VRFs
A ‘dirty’ VRF (virtual routing and forwarding network) is a type of user VRF
that is considered unfiltered by the NetTN security infrastructure. All traffic
originated from non-secure/un-trusted remote access methods such as via
the AT&T mobility network or ANIRA dial-up access must be routed across
the MPLS core to the firewall demark. This traffic must remain separate from
the trusted ‘clean’ traffic prior to it being processed through the security
Example Data Path:
ANIRA Dialup User > Dirty VRF (untrusted zone) network & firewall >
Corresponding NetTN Partner network & firewall (trusted zone)
CONFIDENTIAL under TCA 10-7-504 26
Physical Access Control Measures
AT&T operates in a highly secured environment where physical access to staff
office space, switching centers, global network and service management centers
and other network facilities is strictly monitored and controlled. AT&T employs
many strategies to safeguard these assets by:
• Limiting and monitoring physical access to, and movement throughout,
AT&T facilities through the use of physical monitoring and intrusion
• Screening access through the use of trained security personnel and/or
technical means such as automated card access systems and biometric
• Conducting periodic in depth Physical Security surveys and audits of its
facilities and locations.
Logical Access Control Measures
Logical access controls are based on the principle of "Least Privilege". A user
who needs access to AT&T's and customers' systems must have a current
business requirement, must be allocated a unique identifier (a User ID), and must
verify that they are who they claim to be. The following control processes are
used to manage logical access:
• Authentication is the process of proving a claimed identity to the
satisfaction of an access permission-granting authority. All individual users
must be positively and uniquely identified prior to granting access.
Authentication of the user is achieved utilizing several methods such as:
passwords, personal identification numbers (PIN) and tokens.
• UserIDs and accounts must be reviewed regularly by system and network
administrators or access providers to verify that continued authorization
and associated command and data access permissions are appropriate
for the person's respective job responsibilities. If a valid business reason
does not exist for the continuance of such privileges, the access must be
• The "Least Privilege" principle ensures that all access to computer
resources is restricted to only the commands, data and systems
necessary to perform the authorized functions.
• Security administration of access control measures restricts access to
sensitive information by authorized personnel and system network
processors, and limits the ability to set, modify or disable system security
CONFIDENTIAL under TCA 10-7-504 27
functions. Privileged access to systems and network elements is tightly
• Audit logging provides a record for each successful and unsuccessful
access attempt. Suspicious access attempts are recognized as security
violations and reported. Repeated failed attempts result in the blocking of
• All passwords for user authentication (employee, contractor, business
partner, etc.) must conform to established rules that specify minimum
number and types of characters, uniqueness from previous user
passwords, uniqueness from user name or dictionary words, avoidance of
repeated characters, limitations on sharing or group use, etc. The
passwords must also be changed at regular intervals.
Network Element Access Controls
Current industry tools are utilized for managing the authentication and approval
of support personnel to access network routers in the NetTN network. Access is
provided to AT&T technical support personnel only on an as-needed basis for
individuals with responsibility for network element maintenance and support.
Access is controlled by an authenticating server that validates and verifies user
access, ensuring that only personnel currently responsible for managing the
customer networks have access. All access to the customer premises devices is
logged and repeated failed login attempts are flagged and result in blocking of
the offending accounts. Passwords for routers are changed at regular intervals
and comply with State of Tennessee and AT&T internal password policies.
Passwords on routers, or their management application, are also reviewed
whenever an employee possessing such a password ceases to be employed or
has been re-assigned. When strong authentication is required, two-factor token-
based authentication is available for access to customer’s managed elements.
Access Validation Process
Only those AT&T personnel with a current business need are authorized physical
and logical access to facilities and systems. All managers are obligated to
remove staff accesses, (physical and logical accesses) upon staff re-assignment
or termination of employment. As a control measure, physical and logical
accesses are revalidated regularly at defined time intervals. The owner or
operator of the network elements or of the facility is obligated to conduct the
revalidation of personnel accesses with their supervising manager to ensure that
the staff continues to have a legitimate business requirement for the access.
CONFIDENTIAL under TCA 10-7-504 28
Network Perimeter (Firewall) Protection
AT&T external network connections are protected by firewalls that screen
incoming and outgoing traffic based on source and destination address, protocol
and port, in accordance with the security policy. In particular, Internet
connections and Extranets are protected by firewalls and demilitarized zones
(DMZs) that block any direct network routing between the Internet and internal
External customer and partner connections to the NetTN network are protected
by access controls (such as access control lists or network based firewalls) that
screen incoming and outgoing packets to ensure only authorized traffic is
NetTN Core Security Design
y In te
P rima r t h IBR1
IBR2 AT&T (ISP)
eHLTH Backup Internet
EGR1 IBR1 LC (ISP)
NetTN Core IBR 2
CONFIDENTIAL under TCA 10-7-504 29
The Crossbeam firewall has the ability to logically segregate security policy and
firewall blades within a single chassis into multiple virtual firewall instances.
These virtual firewall instances are called Virtual Systems (VSX). The NetTN
core network provides VPN services to more than 47 strategic VRFs. Therefore,
each NetTN user VRF and NetTN dirty VRF will have a dedicated connection to
the Crossbeam chassis and a dedicated VSX firewall instance.
The configuration of the Checkpoint VSX firewalls for member’s network is
established to protect the WAN connectivity between that end-site and the
internet. At a minimum, default/implied configurations are recommended by
AT&T to block all inbound traffic from outside the NetTN wide area network
infrastructure from and to RFC 1918 Intranet addresses, block all inbound traffic
with source addresses of locally assigned IP addresses (local to NetTN clients),
block all outbound traffic from non-locally assigned IP addresses to prevent
internal users from generating IP spoofing attacks and block all loose and strict
source-routed packets at every router.
Firewall enforcement policy is the sole responsibility of the customer. In many
cases, NetTN Association Partners have requested, and been provisioned with
unrestricted VSX firewall enforcement policies, due to business requirements,
including, but not limited to, asymmetrical routing needs, and in support of
customer managed perimeter firewalls.
For Partner networks that have opted for securely-configured firewall
enforcement policies, all attempted violations of the RFC 1918 address or
spoofing filters is logged and these logs should be provided to the appropriate
NetTN Operations Group for interfacing directly with the End-User on a daily
CONFIDENTIAL under TCA 10-7-504 30
The Cisco IDSM provides network-based intrusion detection that transparently
monitors network traffic to detect and respond to the network-based attacks. It
operates on the high-speed back plane of the NetTN Network’s high performance
equipment. It is capable of accepting new attack signature definitions and is set
up at each NAP in Nashville and Knoxville. The Cisco IDSM2s are mated for
each internal NetTN entity as appropriate. The IDSM modules are managed by
the AT&T Managed Security Services (MSS) team.
The Cisco IDSMs are configured to perform logging of selected network activity,
which is deemed suspicious. Logs are monitored, analyzed and used in
conjunction with any and all reporting methodologies and requirements
mandated by Security Policy.
• The IDS system performs shunning inbound and outbound for the
OIR10 NetTN Virtual Private Network (VPN). Shunning allows an IDS
event (based on a signature match) to be automatically blocked by a
router ACL for a customer-defined length of time.
• Many IDSM sensors are dedicated to specific partners, while others
are shared (see the NetTN IDSM diagrams below for sensor to partner
• For each of the 19 IDSM sensors, several distinct IDS metric reports
are available for daily, weekly or monthly time windows.
• Reports can be found in the AT&T Business Direct customer portal and
are retained historically for one year.
• The IDS system creates near real-time Threat Management Alert
emails that can be sent to an alerting distribution list. Each sensor can
have a separate email distribution list. Customers can submit an MSS
MAC change request to be added or removed from any sensor
• See the Reporting section for more details on Business Direct and
Threat Alert eMails.
CONFIDENTIAL under TCA 10-7-504 31
NetTN IDSM Sensor Traffic Assignments
Sensor Location IP address Agency Active/Standby
MIDTEN01S NSHEGR1 Slot 2 220.127.116.11 OIR & OIRd Active
MIDTEN02S NSHEGR1 Slot 8 18.104.22.168 OIR & OIRd Active
MIDTEN03S NSHEGR2 Slot 7 22.214.171.124 MBS OIR & OIRd Active
MIDTEN04S NSHEGR2 Slot 8 126.96.36.199 OIR & OIRd Active
MIDTEN05S KNXEGR1 Slot 7 188.8.131.52 OIR & OIRd Standby
MIDTEN06S KNXEGR1 Slot 8 184.108.40.206 CHLTH, K-12, LLG Standby
MIDTEN07S KNXEGR2 Slot 8 220.127.116.11 MBS OIR & OIRd Standby
MIDTEN08S KNXEGR2 Slot 9 18.104.22.168 CHLTH, K-12, LLG Standby
MIDTEN09S KNXEGR1 Slot 9 22.214.171.124 Spare Standby
MIDTEN10S NSHEGR1 Slot 1 126.96.36.199 OIR & OIRd Active
MIDTEN11S NSHIBR1 Slot 7 188.8.131.52 EHLTH, CHLTH, K-12, LLG TBR Active
MIDTEN12S NSHIBR1 Slot 8 184.108.40.206 EHLTH, CHLTH, K-12, LLG TBR Active
MIDTEN13S NSHIBR2 Slot 8 220.127.116.11 EHLTH, CHLTH, K-12, LLG TBR Active
MIDTEN14S NSHIBR2 Slot 9 18.104.22.168 EHLTH, CHLTH, K-12, LLG TBR Active
MIDTEN15S KNXIBR1 Slot 7 22.214.171.124 TBR, EHLTH Active
MIDTEN17S KNXIBR1 Slot 8 126.96.36.199 TBR, EHLTH Active
MIDTEN18S KNXIBR2 Slot 8 188.8.131.52/ TBR, EHLTH Active
MIDTEN19S KNXIBR2 Slot 9 184.108.40.206 TBR, EHLTH Active
Workstation Security Management
The workstation security policies protect AT&T and customer assets through a
series of processes and technologies including verification of personnel
workstation accesses, PC anti-virus protection, Operating System hardening and
updates, full disk encryption where permitted by law to protect sensitive
information on portable assets, along with a personal firewall intrinsic to remote
access software implemented on workstations or portable PCs that remotely
connect to the NetTN network.
Securing of the personal computer while in use is further managed by the
requirements for power-on passwords, hard drive passwords where possible,
and password-protected keyboard or screen-locks that are automatically
triggered through inactivity. Management at AT&T is responsible for ensuring
compliance with these policies.
CONFIDENTIAL under TCA 10-7-504 34
AT&T workstations are required to have active, up-to-date "anti- virus" software.
AT&T's antivirus software vendor regularly provides virus signature updates,
which are propagated automatically to workstations across the Corporation.
Furthermore, security advisories forwarded by the AT&T global security
organization provide key AT&T personnel with details on virus warnings, new
security patches and newly discovered vulnerabilities. The anti-virus vendor
provides updates almost every business day as well as during virus outbreak
emergencies; these updates are propagated automatically throughout the
Security Status Checking, EVM & Penetration Testing
AT&T conducts regular tests and evaluations to ensure that security controls are
maintained and are functioning in accordance with policy. These initiatives
include Security Status Checking, Vulnerability Testing & Penetration Testing.
Results from these activities are reviewed and tracked to ensure timely
remediation and follow-up actions.
Security Status Checking
• Status Checking is performed on a regular basis to review and verify
system security settings, computer resource security settings and status,
and users having security administrative authority or system authority.
• Status Checking also includes the testing of network elements to ensure
the proper level of security patches, to ensure that only required system
processes are active, to ensure the existence and retention of activity
logs, and to verify support personnel accesses.
• Validation of server compliance to AT&T security policy is conducted on a
regular basis on AT&T servers.
Enterprise Vulnerability Management Program (EVM)
Vulnerability Testing (known as the Enterprise Vulnerability Management
Program) is performed by authorized AT&T personnel to verify whether controls
can be bypassed to obtain any unauthorized access.
CONFIDENTIAL under TCA 10-7-504 35
• Vulnerability tests to evaluate the level of safeguards on network
components are performed utilizing authorized leading-edge testing tools.
• EVM vulnerability scans are performed on the NetTN network weekly.
• In addition to AT&T-developed tools, leading-edge scan tools from
recognized commercial software providers are used by AT&T for network,
computer host and application scans.
• AT&T uses McAfee Foundstone Enterprise, a comprehensive solution that
uses threat intelligence and correlation to immediately determine how
emerging threats affect risk profile. The appropriate resources can quickly
be deployed where they are needed most. The loop closes with
remediation tracking and reporting.
Network or computer security analysis is commonly referred to as penetration
testing, intrusion testing, sweeps, profiling, and vulnerability analysis. Performing
security analysis of the NetTN network or AT&T computers or applications is the
responsibility of AT&T.
• NetTN Penetration Testing is performed bi-annually by an independent
• Penetration Testing is used to baseline NetTN asset security & perform
• Penetration Testing may include theme development and different attack
• Penetration Testing does not test customer assets or customer-defined
firewall enforcement policies
• All NetTN network & firewall assets are typically in scope
• AT&T Coordinates Penetration Testing closely with the NetTN Program
Office & discloses findings and remediation efforts
Security Status Reporting
Information regarding the security status of the NetTN infrastructure and services
is managed and communicated as requested by the NetTN Program Office.
Results of security health checking, vulnerability testing and penetration testing
are tracked and reported by the security programs responsible for compliance
management of those activities. Security status, as well as progress on security
initiatives, is combined with threat intelligence gathered through trend analysis
and reported to security organization executives.
CONFIDENTIAL under TCA 10-7-504 36
Security program managers share security status information to ensure
alignment of program objectives and prioritization of efforts. This disciplined
sharing of security status information and reporting enables AT&T to achieve
synergy and cooperation among security teams and appropriate management
attention on our overall security posture.
AT&T’s approach to identifying and mitigating network and application
vulnerabilities is formalized in the Risk Management program. When
vulnerabilities are identified, they are assessed as to severity, potential impact to
AT&T, NetTN and its customers, and likelihood of occurrence. Plans are
developed, implemented and tracked to address vulnerabilities within prescribed
timeframes according to security policy. When business needs preclude timely
resolution, the risk level is documented and mitigating controls are put in place
where practicable. AT&T executives are expressly accountable for unmitigated
vulnerabilities and accept responsibility for the potential risk. AT&T coordinates
risk management efforts with the NetTN Program Office and Partners to address
threats and risks to each customer’s environment. Examples include assembling
a Tiger Team to address K-12 URL filtering issues and providing security
resources to facilitate firewall lock down strategies for Partners. Other risks may
be socialized with the Program Office through the change control (CR) process,
where engineering changes are required to mitigate technology risk.
Security Advisory Process
AT&T utilizes an internal global process to acquire and distribute security
advisories, coupled with compliance and review processes as a follow-up to
these advisories. The advisories originate from industry security organizations,
equipment and systems suppliers. They predominately consist of newly identified
flaws to established network software, systems and equipment which could
potentially allow unauthorized users to bypass access controls and/or gain
access to data.
AT&T continually reviews security patch and vulnerability announcements from
vendors and organizations such as CERT for all managed components. The
security integrity and advisory process oversees that security patches are applied
to network systems in a timely manner.
Each security advisory is categorized, assigned a severity rating and published
by the AT&T global security organization, which in turn, dictates the timeframe
within which the vulnerability must be resolved.
CONFIDENTIAL under TCA 10-7-504 37
Security Incident Reporting and Management
A security incident can be defined as the attempted or successful unauthorized
access, use, disclosure, modification, or destruction of information or interference
with system operations in an information system.
Security incidents may result from intentional or unintentional actions. Examples
of security incidents include unauthorized attempts to gain access to information,
introduction of malicious code or viruses, loss or theft of computer media, and
failure of a security function to perform as designed.
Incident Response Plan
The NetTN Incident Response Plan provides a framework for the NetTN Program
Office, in conjunction with Association Partners, to escalate to the appropriate
resources within AT&T to coordinate a network security incident response effort.
The AT&T global network operation centers maintain 24 x 7 real-time security
monitoring of the NetTN network for investigation, action and response to
network security events. AT&T’s NetTN Threat Management platform and
program provides real-time data correlation, situational awareness reporting,
active incident investigation and case management, trending analysis, and
predictive security alerting.
In the event of a security incident, AT&T identifies the level of the potential
impact and notifies at-risk NetTN designated customer contacts via email threat
Incidents are reported to AT&T’s senior management to draw attention to the
types of attacks reported by our incident response team as well as other
noteworthy incident and vulnerability information.
The NetTN Incident Response Plan does not specifically address physical
disruptions to, or the loss of, information, automated information systems or
networks as a result of manmade or natural disasters impacting the NetTN
While the NetTN Incident Response Plan is described here, the plan is partially
maintained in a separate document that contains:
CONFIDENTIAL under TCA 10-7-504 38
• Organizational Structure (roles and responsibilities)
• Current Department, Team, and Escalation Contact Lists
• Incident Declaration and Response Procedures
• Services Provided
• Incident Severity Definitions
State of Tennessee Security Incident Response Team
In support of the State of Tennessee’s Enterprise Information Security Policy,
section 4.2, AT&T NetTN Team resources (LCM, GCSC, MSS) will participate in
the State’s Security Incident Response Team (SIRT) as appropriate.
AT&T Incident Response Analysts
The Information Assurance (IA) Security Analysts at the AT&T GCSC will use
automated tools to help identify intrusions into, or attacks on, the network
infrastructure. These tools will be configurable to provide immediate notification
to a security monitoring console in the GCSC and notification of appropriate
Incident Management Guidelines
This section provides guidelines for the effective handling of security incidents.
Incidents may include network attacks directed against NetTN managed assets,
or customer assets connected to the NetTN infrastructure.
• When a NetTN end-site has an issue with the Managed Security Service
(for example: customer can’t access a service that is allowed in the
firewall policy, slow response, etc…), the Incident Management Team is
available to resolve issues in a proficient manner.
• The MSS Incident Management associate will open a ticket to track the
issue, provide the ticket number to the Security Contact, and will began
investigating the issue.
• If the MSS Proactive Monitoring Tools detects an issue/outage with the
Managed Security equipment (transport circuit drops, firewall stops
responding to a poll, etc): an Incident Management associate will contact
CONFIDENTIAL under TCA 10-7-504 39
ASAP the authorized Security Contact (LCM Operations team in many
cases) that is designated as an “Outage” contact to provide a ticket
number and any update to the issue.
• The MSS team will provide updates of issues to the Security Contact as
Incident Management Escalation/Notification Process
• Clients can request status of an active maintenance issue based on the
information and time frames set forth in the table below.
• The Team Lead is available Monday – Friday from 0700 – 1600. The
Escalation Manager is available outside of these hours.
a. Dial the standard toll free service number and prompts that you
have been provided.
b. Ask to be connected to the MSS Tier II Team. (This is the level
two center for Security Services.)
c. When you reach an associate, ask to contact the appropriate
level of management based upon you issue, as listed below.
Time Frame Escalation Contacts Escalation Mgr.
No Resolution in 30 Incident Management Team Shift Team Lead on Duty
No resolution in 1 hour Security Managers Shift Supervisor on Duty
No resolution in 2 hours Operations Manager Operations Manager on Duty
No resolution in 3 hours Group Manager Ihab Youssef
No resolution in 4 hours Security Services Director Matt Lucas
For after hours Notification/Escalation, the team personnel will contact the
appropriate level of management to address the problem.
CONFIDENTIAL under TCA 10-7-504 40
Threat Management Guidelines (includes Intrusion Detection)
• The best and preferred method to reach the Threat Management Team to
resolve an issue is to call the issued customer support numbers listed in
this document. This method will bring prompt attention to your issue.
• The Threat Management Analyst will open a ticket to track the issue,
provide the ticket number to the customer and will began investigating the
Threat Management Escalation Procedure
• Clients can request status of an active maintenance issue based on the
information and time frames set forth in the table below.
• While working an outage, the following Escalation/Notification table will be
strictly adhered to.
• The Team Lead is available Monday – Friday from 0700 – 1600. The
Escalation Manager is available outside of these hours.
a. Dial the standard toll free service number and prompts that you
have been provided
b. Ask to be connected to the GCSC. (This is the Level Two Center
for Security Services.)
• When you reach an associate, ask to contact the appropriate level of
management based upon you issue, as listed below.
CONFIDENTIAL under TCA 10-7-504 41
MSS Contacts and Escalation
Title / Role Name Office Email
MSS Daily Prompt 8, 2
MSS Help Managed.security
Desk (Managed FW, @ems.att.com
Notification Proxy, or Anti-
MSS Off Shift
contact the 30 Minutes
MSS Off Shift
Critical 30 Minutes
Network Ihab Youssef (919) 474-1525 email@example.com 3 Hours
Matt Lucas (949) 221-1930 firstname.lastname@example.org 4 Hours
CONFIDENTIAL under TCA 10-7-504 42
Incident Management Reporting
Significant security incident responses include a follow-up report to the NetTN
Program Office. These follow-up reports will describe the nature of the incident,
resolution, countermeasures taken, and suggested configuration changes to
prevent future incidents.
Threat Management Email Alerts
Reporting of newly discovered vulnerabilities and incidents ensures the
containment of impacts, recovery of network availability, identification of breach
and perpetrator, and countermeasure implementation. Detected issues (attacks
& malicious code propagation) are delivered in near real-time to designated email
recipients in the form of IDS and Firewall Threat Management Alerts.
Security reporting provides intelligence to senior management. It also
provides quantitative costs and benefits of security. The reporting should
align with NetTN goals and policy; provide data regarding residual risks and
highlight significant trends and events. These reports are to help make
strategic security decisions. Security reports are provided by the NetTN LCM
Team and use standard reports from the AT&T Managed Security Services
Security reports are made available to the NetTN Association Partners
through the AT&T BusinessDirect web portal. The reports are updated daily.
CONFIDENTIAL under TCA 10-7-504 43
These reports include:
• Critical intrusion detection system events:
a. Top 20 IDS Events by Destination IP
b. Top 20 IDS Events by Service
c. Top 20 IDS Events by Signature
d. Top 20 IDS Events by Source IP
• Critical firewall events:
a. Top 20 Accepts by Destination IP
b. Top 20 Accepts by Service
c. Top 20 Accepts by Source IP
d. Top 20 Denies by Destination IP
e. Top 20 Denies by Service
f. Top 20 Denies by Source IP
A weekly security summary report (Security Operations Report) is presented
to the NetTN Program Office. This report includes the following:
• Summary of security tickets
• Security operational issues
• Security events investigated
• Incident reports
Security Compliance Reviews
AT&T considers reviews of operations and applications functions for compliance
to security requirements essential to evaluating the adherence to the established
security procedures worldwide. Results of these reviews are reported to regional
security managers and executive management.
Security reviews may be facilitated or conducted by the Chief Security Office; by
a business area sponsor of a product, service, or supplier or partner relationship;
CONFIDENTIAL under TCA 10-7-504 44
or by an operations team responsible for life cycle service management.
Business and operations areas are encouraged to perform self-reviews to verify
compliance with published security requirements.
To ensure that the integrity of the security infrastructure is not degraded, AT&T
uses change management processes to enter, approve, and report change
requests. A new change request initiates approval processing and subsequent
scheduling of maintenance activity for an ‘approved’ change request.
The scope of change management program includes but is not limited to:
• Installing or removing software
• Modifying configuration parameters including Operating System (OS) and
application security logging and security parameters
• Upgrading to a new release level
• Installing patches or fixes
• Changes to application software
• Changes to hardware
Customer Initiated Security Policy Change Options
Customers can initiate the following types of security policy changes:
• Firewall Policy changes can be requested via Business Direct web portal
using the MAC feature. GCSC performs the actual change.
• IDS Policy changes can be requested via Business Direct web portal
using the MAC feature. GCSC performs the actual change.
• URL Filtering Policy changes can be performed directly by URL Filter
Administrators via SmartPortal web portal, or by calling the appropriate
AT&T Help Desk number.
Contacting AT&T for a Change Request
CONFIDENTIAL under TCA 10-7-504 45
MSS Hours of Operation
• Policy Management: 24 hours per day X 7 days per week X 365 days per
• Incident Management: 24 hours per day X 7 days per week X 365 days
per year coverage
• Threat Management: 24 hours per day X 7 days per week X 365 days per
The MSS Operations team has the responsibility of being the SPOC (Single
Point of Contact) for NetTN Security Issues related to an Emergency
circumstance on a Sev1 or emergency MACD.
For issues with the customer network related to the Managed Security device,
accessing AT&T Business Direct to submit a trouble ticket is the fastest way for
the AT&T Operations team to work the security issue. If the NetTN customer
needs to speak with an AT&T MSS Operations by a phone call to, the call will be
picked up by an MSS Operations Associate to resolve the problem/issue (use the
appropriate dedicated support line).
URL for submitting Firewall & IDS Change Requests to AT&T
MSS MACD* Process Flow Outlines
MSS MACD Classifications:
• Major A.19: 6 hours or less
• Critical A.18: 15 minutes or less for video & 3 hours or less for all
* Referred to as “MACs” for MSS changes within Business Direct Portal
CONFIDENTIAL under TCA 10-7-504 46
Customer can open a MACD ticket several ways;
1. Business Direct – All Business Partners
https://www.businessdirect.att.com (“Manage Your Network Security” Tool for
2. Tier 1 – OIR IHD NOSC – OIR sites (615-741-1001 Option 3 or
800-342-3276 Option 3)
3. Tier 1 – Arlington Heights – Customer will call their corresponding 800
• SDE - 888-820-0345
• TBR - 888-820-0341
• PCU - 888-820-0341
• UTS - 888-684-3366
• EHE - 888-820-0347 Option 2
• CHN - 888-820-0347 Option 2
• LLG - 888-269-3248
• PBS - 888-269-3248
• TEM - 888-695-3627
4. Designated Operations Manager;
• Danny White – OIR Locations
(615) 401-4233 office (615) 618-7598 Mobile
• Chuck Tillman – SDE Locations
(901)761-6422 office (901)-268-0693 Mobile
• Jim Snyder – CHN, EHE, LLG, PBS, PCU, TBR, UTS, TEM Locations
(615) 271-3716 Office (615) 916-1289 Mobile
MSS MACD (Major) – Customers With “Manage Your Network Security” Access
In Business Direct
I. Customer Opens MSS MACD under “Manage Your Network Security”
in Business Direct.
II. Customer calls the dedicated SOTN phone number (800-727-2222
Option 8, Option 2) to reach MSS Operations and alert them to the
Expedited MAC Request.
i. The Manage Your Network Security tool itself will generate an
email (to the individual who opened the ticket) when the ticket is
CONFIDENTIAL under TCA 10-7-504 47
ii. The tool will also generate an e Mail (to the individual who
opened the ticket) when put in a state “pending customer
III. Tier II Security Engineer is assigned to work the MAC request.
IV. If Tier II requires additional information, they will follow up with a phone
call (to the individual who opened the ticket).
V. When the MAC is completed, the system will generate an e Mail back
to the individual who opened the ticket acknowledging completion.
MSS MACD (Major) Customers Without Access To Business Direct
I. Customer Site Contact will Call Arlington Heights Tier I Help Desk using
their corresponding 800 # in the ticket creation section.
II. Arlington Heights will contact corresponding LCM Operations Manager /
Duty Manager for the specific Business Partner.
III. LCM Operations Manager / Duty Manager will open the MAC using the
Managed Network Security Tool in Business Direct. If they require help
with the MAC, they will contact the Security Engineer.
i. The Managed Network Security tool itself will generate an email
when the ticket is acknowledged.
ii. The tool will also generate an e Mail when put in a state “pending
iii. LCM Operations Manager / Duty Manager calls the dedicated
SOTN phone number (800-727-2222 Option 8, Option 2) to reach
MSS Operations and alert them to the Expedited MACD Request.
IV. Once MAC is submitted, Tier II Security Engineer is assigned to work the
V. Tier II will follow up with a phone call to the LCM Operations Manager /
Duty Manager if additional information is required.
VI. Once MAC is completed, the system will generate an e Mail. The LCM
Operations Manager / Duty Manager will notify the customer.
CONFIDENTIAL under TCA 10-7-504 48
MSS MACD (Critical) All Business Partners
I. Customer Opens Ticket as a Severity 1 (Using any method listed under
Ticket Creation section above)
i. Customer Notifies Corresponding LCM Operations Manager / Duty
Manager about the ticket.
ii. LCM Operations Manager / Duty Manager will call the SOT
Dedicated Number (800-727-2222 Option 8, Option 2) to connect to
II. MSS Operations will begin to investigate and troubleshoot issue.
III. MSS Operations determines an “Emergency” change needs to be made.
IV. Per authorization from client, MSS Operations implements “Emergency
V. Client and MSS Operations test to ensure “Emergency Break/Fix” change
restores desired functionality.
i. If not successful, MSS Operations continues to troubleshoot to
ii. If successful and the change is determined to be “Permanent”,
MSS Operations contacts LCM Operations Manager/Duty Manager
to have Standard MAC created from Customer’s AOTS MSS ticket
in Business Directs’ Managed Network Security Tool. LCM
Operations Manager/Duty Manager must properly identify in the
MAC that the work was already completed and reference the AOTS
iii. If successful and the change is determined to be “temporary” in
nature by concurrence of client, LCM and MSS Operations, then
NO follow on MACD is required. MSS will appropriately set a follow
up time on the AOTS ticket to remove the “temporary” change.
Once that change has been removed, the AOTS ticket will be
MSS Change Request Guidelines
The following guidelines apply to change requests when working with MSS:
• An associate will evaluate all change requests to determine if the
information provided is sufficient to complete the request.
• If information is missing or unclear, the MACD will be placed on hold. The
contact that submitted the request will be notified via email with a request
for him/her to log in and update the request based upon the log entry left
by the associate who returned the MAC. Once sufficient clarification has
CONFIDENTIAL under TCA 10-7-504 49
been received and validated, the request will be placed back into the
queue to be processed.
• NetTN customers should include AT&T MSS in their planning for internal
network changes that affect their Internet accessibility and notify MSS at
least 24 hours ahead of making changes if those changes require non
hardware based changes to be made to the NetTN managed equipment.
• If a NetTN customer fails to properly coordinate a change to their network
thereby causing a NetTN service outage or impairment, and calls AT&T
MSS to make changes to the managed equipment on the fly, AT&T will
make every attempt to comply with the request immediately but due to
other service issues may not be able to accommodate the request at that
• Emergency change requests via the phone must be documented via the
MAC process, referencing work already completed, within 24 hours of the
• If the customer calls/contacts the AT&T MSS team to verbally request a
change be made to avert or cease a security threat/incident that is
currently in action, AT&T will work with the customer to contain the issue.
This is an Incident Management Team (IMT) responsibility not a Policy
Maintenance Team (PMT) responsibility. Please choose the appropriate
prompts to avoid delay in processing your issue.
• When the security threat/issue is contained, the customer contacts will be
given a ticket number. Additionally, an email will be sent to the customer
outlining the issue that transpired and the changes that were made.
MSS Change Control Guidelines
• Available maintenance window (with appropriate documentation and
notification) Sunday, 3:00 AM Central - 6:00 AM Central
• Emergency maintenance windows (also require appropriate
documentation and notification) Monday through Saturday, 2:00 AM
Central - 5:00 AM Central.
• For routine maintenance required during the week, AT&T will notify the
NetTN Program Office of any perceived service affecting maintenance at
least 24 hours in advance via email or phone.
• NetTN Program Office approved change requests will include, at a
minimum, the following information:
a. Type of change being made.
b. Ticket number for the maintenance event.
c. Issues being addressed in the change.
d. Start and End times for the change window.
e. Impact to end sites.
CONFIDENTIAL under TCA 10-7-504 50
f. Projected duration of outage.
g. Back-out plan.
• If the maintenance extends longer than the projected timeframe, AT&T will
notify the customer via phone contact and email.
• When the maintenance window is complete, the customer will be notified
via either email or phone contact indicating:
a. Status of the managed components that were being modified.
b. State of the change (Active, Deferred, Closed, etc…)
c. If the change was deemed successful.
MSS Change Request Escalation Procedure
• When Managed Security Service’s Policy Management team receives a
request for changes from the client within normal operational hours,
Monday – Friday 0700-0000 including holidays, an associate will respond
to Reactive and Proactive configuration changes as follows:
• If these timeframes are exceeded, a client can contact the Policy
Management team based on the timeframes in the table below.
• To reach the Policy Management Team, dial the standard toll free service
number and prompts that you have been provided.
• The Team Lead is available during business hours, Monday – Friday from
0700 – 1600. The Escalation Manager is available outside of business
Time Frame Contact Escalation Manager
No contact in 12 hours Policy Management Team Any Client Team Associate
No contact in 18 hours or Provisioning Team Lead Shift Supervisor on Duty
Not complete in 24 hours
No contact in 24 hours Operations Manager Operations Manager on Duty
Not complete in 24-36
No contact in 24 - 36 Group Manager Ihab Youssef
CONFIDENTIAL under TCA 10-7-504 51
No Contact in 24+ hours Security Services Director Matt Lucas
or Not complete in 48
CONFIDENTIAL under TCA 10-7-504 52
Business Continuity & Disaster Recovery Overview
AT&T Corporate Business Continuity Planning Services (CBCP) provides
technical consultation and program management expertise to address the
business continuity, disaster recovery and managed security needs of both AT&T
and its customers. Business Continuity Planning Services focuses on all aspects
of business continuity required to protect business operations: availability,
reliability, scalability, recoverability, performance and security. Working closely
with internal and external customers, Business Continuity Planning Services
develops a thorough understanding of business needs, applying its knowledge,
expertise, and proven methodologies to implement customized solutions.
An integral element of AT&T's business continuity and disaster recovery program
is the mandatory process of certifying and assigning assurance levels to critical
business operations. The goal of this process is to ensure, through certification,
that no critical deficiencies exist.
AT&T networks and services are designed with a level of redundancy and
recovery capabilities that enable AT&T to meet contracted Service Level
Agreements. Custom solutions with an additional level of redundancy or route
diversity can be provided for unique customer needs under specific contractual
Disasters create chaos, turmoil and heartbreak, but they do not diminish AT&T's
commitment to our customers. AT&T recognizes that when a community, town,
city, or region is struck by a catastrophic event, the rapid recovery of
communications is critical.
AT&T's Network Disaster Recovery plan has three (3) primary goals:
1. Route non-involved communications traffic around an affected area.
2. Provide the affected area communications access to the rest of the world.
3. Recover the communications service to a normal condition as quickly as
possible through restoration and repair.
AT&T conducts several major disaster recovery tests annually at different
customer locations to review all aspects of emergency planning and response,
and is leveraging investments in technology, equipment, and processes to
support AT&T's Network Disaster Recovery capabilities throughout the world.
Please refer to the “Master NetTN ATT Continuity of Operations Plan”
document for more specific information.
CONFIDENTIAL under TCA 10-7-504 53
GCSC Disaster Recovery
Over the past several years, AT&T’s Managed Services practice has improved
the geographic diversity and the resiliency of the major infrastructure
components which are used in support of our Business Services.
The Managed Services practice has developed a globally available, diverse,
resilient system which protects our ability to manage our client networks. The
asset management system components have a distributed redundant platform.
The Vantive/GPS is AT&T’s configuration and provisioning DB which is one of
several asset management systems in use today. The software operates on
several computers to provide a highly available system which can be accessed
by AT&T associates from anywhere in the world. The computers are housed in
at least two geographically distant AT&T hosting centers.
The software foundation of the Vantive / GPS system utilizes relational database
technology with transaction replication features. As work is accomplished with in
the DB, the records are replicated at a regular interval to keep all the records
synchronized. In this way, the client asset data which forms the foundation of our
management practice is always available.
The network management system components of the iGEMS platform are
deployed in a dual configuration at geographically distant AT&T data centers.
Each of these identical systems is configured to use the SNMP and ICMP
protocols to monitor the client networks. Additional management and control
elements are also deployed in the redundant management zones. These control
elements include TACACS device authentication and logging systems. The
systems are configured to monitor the client network elements. There are
software processes within the configuration DB to check the management target
files against the inventory systems that will identify and report discrepancies.
Associates work to reconcile the discrepancy reports against change control
The network management systems are monitored by the AT&T IT/Operations
teams. IT/O teams are organizationally separate from the management services
associates providing complete separation of duties.
The network management systems send events and alarms to the AT&T One
Ticketing System ( AOTS ). The AOTS system is also hosted on redundant
geographically diverse computers. Associates connect through standard access
methods which provide a uniform connection between the client software on
Associate PCs and the AOTS database system.
CONFIDENTIAL under TCA 10-7-504 54
The Global Client Support Centers (GCSCs) are designed to comply with the
AT&T Security policies, and to provide segregated access to the client managed
devices by way of the network management system. The GCSCs all follow a
consistent design template, and associates are granted access to client networks
using a consistent authorization mechanism. Authorized associates may access
the asset management tools and the network management system components
using standard methods which encapsulate the architectural details described
The GCSC operations teams are located at separate sites from the tools which
are used to manage the client networks. Many of the associates are equipped
with laptop computers and SecurID token based remote access technology.
Associates so equipped may access AT&T systems and tools from any internet
connection anywhere in the world.
None of the components are located in the same locations. Asset management
systems are separate from network management systems, and AOTS ticketing
tools. Operations staff is located at different locations from the systems. This
infrastructure provides greater flexibility. Inbound toll free telephone numbers are
assigned for client use. These telephone numbers have advanced features
defined in the AT&T network, which allows us to terminate calls in any desired
telephone system. The network management systems are able to be connected
to our AOTS system. We can switch the source of ticket messages from one
network management system to the other one in the pair.
Operations can continue with little degradation when any single component has
failed. AT&T has experience with repairing network system elements while client
network management continues unabated.
Responding to disaster scenarios in this extended system involves both short
term and long term planning. In the short term, if a GCSC operation center is
inoperable, the network management responsibilities are passed to other GCSC
teams. These teams modify their operations procedures to expand their
responsibilities to include the clients from the inoperable GCSC. Clients can be
parceled out to a variety of different GCSC teams depending upon the mix of
contractual and skill set constraints.
Longer term planning involves accommodating the inoperable center, and
providing alternate work locations for the GCSC associates who find themselves
without their customary work location. GCSC business continuity plans can take
advantage of any other AT&T work location to host the displaced team members.
Team members equipped with laptops can relocate to hotels or other internet
accessible locations outside of the impacted area.
CONFIDENTIAL under TCA 10-7-504 55
AT&T maintains standard software images, and SMS processes which enable
AT&T to procure and install desktop computers into service very quickly.
Disaster recovery drills include placing archived images into service on available
computers, and then performing network management duties using those newly
configured computers to validate the utility of our operating plans.
AT&T continually revises and reviews our disaster recovery and business
continuity plans, searching for service improvements, and cost savings – in the
ordinary course of business. We bring this persistent focus on continuous
improvement to our clients to provide very high availability network management
AT&T Corporate Management Engagement
AT&T management is engaged on a regular basis by various aspects of the
security program and administration on a level and frequency commensurate
with the criticality and impact of results of the programs or incidents as they
occur. Following is a summary of some of the situations where management in
the service lines is engaged:
• Security incidents as they occur
• Progress from security initiatives
• Threat intelligence gathered by trend analysis
• Results of internal and external audits and reviews
In addition, the management chain receives consolidated reports on a regular
basis outlining the results of the security programs and the key issues for their
area of responsibility. These reports are delivered to the senior executives as
well as the line management.
The most senior executives are required to annually acknowledge their
commitment to support corporate compliance. As a part of this requirement,
senior executives attest that they and the areas of their responsibility are in
compliance with the AT&T security requirements.
Strategy of Continuous Improvement
The world of networked computing and application security is fast moving and
highly dynamic. As a result, AT&T is continually improving security through active
security research and development programs, tracking of industry development,
CONFIDENTIAL under TCA 10-7-504 56
and evaluation of new security technologies and products. New tools are
employed based on a cost/benefit analysis. The tools and systems selected are
those which deliver effective security safeguards.
The AT&T Human Resources and Vendor Management organizations have
controls in place to ensure that employees, contractors, and subcontractors are
properly screened, authorized to perform their job functions, properly trained, and
aware of their responsibilities with regard to AT&T and customer assets.
Security Awareness and Education
The AT&T global security organization is charged with directing and coordinating
security awareness and education across AT&T. The AT&T global security
organization maintains an internal security awareness website, a quarterly
internal newsletter, all-employee bulletins, technology conferences, workshops
and security courses to deliver general and targeted security awareness
initiatives internally within AT&T. The program uses subject matter experts from
the various security groups and disciplines for content development and partners
with the AT&T education and training organization as well as other AT&T
organizations for delivery channels. In addition, all AT&T personnel are required
to annually acknowledge their responsibilities to adhere to AT&T’s Code of
Business Conduct and AT&T’s security policy.
AT&T Cyber Security Conference
AT&T Chief Security Office hosts the annual AT&T Cyber Security Conference to
enable open communications with our enterprise customer community on
emerging threats and countermeasures within the security industry. The
conference promotes awareness of AT&T’s strategy and direction to further
protect business customers utilizing AT&T network and systems. Contact your
AT&T account team for more information.
CONFIDENTIAL under TCA 10-7-504 57
Security Training and Certifications
AT&T encourages its employees to obtain security training, achieve accreditation
and certifications. This training is conducted both within AT&T and through
corporate training organizations such as:
• The International Information Systems Security Certification Consortium,
• Information Systems Security Association (ISSA)
• The SANS Institute
• Vendor and product-specific training and certification, such as, Cisco,
Microsoft, Checkpoint and others.
Our large population of security professionals maintains certifications and
credentials such as:
• Certified Information System Services Professionals (CISSP)
• Certified Information Systems Auditors (CISA)
• Certified Information Security Management (CISM)
• Certified Ethical Hacker (CEH)
• Global Information Assurance Certification (GIAC)
• RSA Certified Security Professional (CSP)
• Microsoft Certified Professional (MCP)
• Cisco Qualified Professional
CONFIDENTIAL under TCA 10-7-504 58
Appendix B. Statement
Regarding ISO 27000
AT&T Services Inc.
Chief Security Office
ISO/IEC 27001 and ISO/IEC 27002, part of the ISO/IEC 27000 family of
standards, are Information Security Management System (ISMS) standards
published by the International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC). These standards are normally
used together in practice. ISO/IEC 27001 documents information security
controls, while ISO/IEC 27002 provides additional information and
implementation advice regarding those controls. Previous versions of such
security standards include ISO/IEC 17799:2000, which was a copy of the British
Standard BS 7799-1:1999.
As a company that provides security services to protect corporate assets and the
information and assets of others, AT&T is familiar with the ISO/IEC 27001:2005
Information technology – Security techniques – Information security management
systems – Requirements and the ISO/IEC 27002 Information technology –
Security techniques - Code of Practice for information security management.
AT&T has developed and maintains a comprehensive set of security standards
based in part on these and other leading industry standards, such as COBIT.
AT&T has successfully undergone a pre-audit to a previous version of the ISO
27001 standard but to date has not performed any formal certification.
Considering the breadth of AT&T’s services and global service environments, it is
neither economical nor essential to perform a formal certification given the
volume and depth of other internal and external audits that AT&T and its
customers perform to address security policy, regulatory, and customer
requirements (e.g., SAS 70). However, AT&T has established that the security
requirements contained in the AT&T Security Policy & Requirements (ASPR)
Library, along with processes, procedures and responsibilities of other AT&T
organizations, are consistent with the 133 controls documented within ISO/IEC
CONFIDENTIAL under TCA 10-7-504 59
It is AT&T’s policy to comply with all applicable laws and regulations in each
country where it operates and to protect AT&T's corporate assets and the
information and assets of others that AT&T is obligated to protect. AT&T’s global
security programs strive to ensure security is incorporated into every facet of
AT&T's computing and networking environments to safeguard AT&T's customers
and their data while managed by AT&T or while in transit on an AT&T network.
These programs apply to all AT&T operations on a global basis. Compliance with
AT&T security policies helps to ensure that the highest level of standards are met
in AT&T operations and in the services AT&T offers to its customers.
CONFIDENTIAL under TCA 10-7-504 60