Governance, Risk and Compliance

The AT&T Consulting Governance, Risk and Compliance offer provides end-to-end consulting and advisory services for information security, governance, risk management, compliance and implementation. A key foundation for information protection and risk management is a set of clear security policies. These need to be easily understood, up to date, fully implemented, complied with and consistently enforced. Our consultants can help you develop, update and/or validate security policies, especially those required for compliance, through services such as Enterprise Risk Assessments, Regulatory and Industry Standards Assessments and the AT&T SureSeal℠ Security Certified Program.

Enterprise Risk Assessments

This service enables you to optimize operational and financial decisions by providing a holistic view of threats, vulnerabilities and business impacts. The assessments help you understand the impact of existing and emerging threats, the adequacy and effectiveness of implemented controls and potential information security policy changes, while measuring compliance with both internal and external policies and regulations.

The key services include:

  • Risk Assessment
  • Remediation Roadmap
  • Implementation

Regulatory and Industry Standards-based Assessments

Based on the compliance needs of the various regulatory and industry standards, we offer compliance assessments that help determine the security and compliance posture of an organization.

The key services include:

  • Security Assessment
  • Planning
  • Remediation and Implementation

FTC Mandated Assessments

AT&T Consulting provides assessments mandated by the United States Federal Trade Commission to ensure the protection of personal information. Because of the increase in the number of data security breaches, the FTC now requires organizations that fail to protect consumer data to undergo rigorous security assessments. The Security Program Assessment identifies the administrative, physical and technical controls implemented to reasonably protect personal information, based upon the size, complexity, and scope of operations.

The key services include:

  • Security Program Assessment
  • Initial and Biennial Assessment Planning
  • Remediation


Recent reports of health record data breaches, and the transformation of healthcare industry data practices and requirements, require assessments and guidance on the implementation of controls that meet the information protection requirements of HIPAA/HITECH/HITRUST. Our assessments help you benchmark security and privacy posture as well as provide insight on how to improve existing compliance controls and address organizational information risk.

Gramm-Leach-Bliley Act (GLBA)

In order to comply with the GLBA mandate, financial institutions are required to identify and assess security risks, plan and implement security solutions to protect sensitive information and establish measures to monitor and manage security systems. The GLBA Assessment Services help identify immediate security concerns and gaps between the current infrastructure and the identified requirements for GLBA compliance, overall system security and projected growth. Using the assessment and gap analysis, we provide prioritized recommendations for improving performance, mitigating risk and ensuring compliance with the identified requirements.

Agreed Upon Procedure (AUP) Assessments

The growing trend for outsourcing business processes to third parties has enabled businesses to focus on core competencies while containing costs. This trend has also increased information security risks by extending access to third parties. It is good business practice to evaluate and address the risks that outsourcing poses to your organization, and some standards and laws require it as well. Good practices in this area can make all the difference when protecting brand and reputation. Some organizations have hundreds of outsource partners. To address this, the Shared Assessments Program by BITS was established to create standardized processes and methodologies for gathering information and reporting information security-related outsourcing risk. As part of this program, AT&T Consulting conducts AUP Assessments based upon the controls and testing procedures established within the AUP, so that you can provide an objective view of control implementation.

State Privacy Laws

With the increase in the number of state laws that cover the protection of sensitive information and personally identifiable information, elements of the security program such as Incident Response, Breach Identification and Notification, and Identity Theft Prevention need to be strengthened to meet the requirements specified by those laws. As part of our services, AT&T Consulting conducts a baseline assessment to determine your current compliance status with the applicable state laws, identifies gaps, provides recommendations to achieve compliance and improve your overall security posture, and offers remediation services to achieve compliance with State Privacy Laws, including those of Massachusetts and Nevada.

ISO 27001/2 Assessments and Certification

AT&T Consulting performs an assessment of your organization's ISMS using the ISO 27001 requirements and the Statement of Applicability as the assessment baseline, and/or a comprehensive review of your posture against the controls identified within ISO 27002.

Our approach to an ISO 27001/2 Assessment addresses people, technology and processes. AT&T Consulting has in-depth knowledge of information security standards of good practice and regulatory requirements, as well as considerable experience in performing assessments and in understanding information security management practices.

The key services include:

  • Readiness Assessment
  • Planning and Implementation

AT&T SureSeal℠ Security Certified

The AT&T SureSeal℠ Security Certified Program is designed to assess an enterprise's information security program (or critical business components or applications) and certify that it meets industry standards and applicable regulatory requirements. This Program provides trust and assurance for companies that are required to communicate their security practices to third parties and government regulators, and it can reduce the complexity and expense of multiple redundant compliance initiatives. The assessment phase consists of a detailed assessment of your business, networks and data flows. Typically, this phase is performed through documentation reviews, interviews and technical analysis. As part of the remediation roadmap service, we provide guidance on implementing recommendations to optimize controls or close the gaps based on the vulnerabilities identified during the assessment phase.
