Information Security

Home » Security » Information Security

Information Security

Be it be mobile communications, fixed networks or a data centers: The A1 Group is an operator of system-critical infrastructure in all its core markets. The Group is aware of the particular responsibility this entails. For this reason, it is committed to initiatives that consistently increase security – going beyond what is required by law. To continuously improve cyber security, the network operators of the A1 Group also cooperate with the respective authorities. Relevant security-related information is shared via the A1 CERT (Computer Emergency Response Team), which is also a member of the Austrian Trust Circle (ATC). Security know-how is exchanged within the A1 Group, as well as at specialist conferences in Austria and abroad. Since 2021, the security division at A1 Austria has also been responsible for the entire A1 Group’s security governance.

To ensure that services such as cloud services or new working models (home or mobile office, agile teams, remote operation & support, etc.) can continue to be developed or operated in a reliable and secure manner, the security requirements are being harmonised across the Group in the form of state-of-the-art standards and guidelines governing information security. The company is particularly focused on risk prevention for critical and important network elements. The A1 Group follows the international IT standards for security techniques (ISO 27001). An essential element in managing cyber risks are continuous monitoring and software updates for the infrastructure that needs to be protected, as well as training and education for employees. The “A1 Telekom Austria Security Committee” is formed by highly qualified security experts from all A1 Group countries and it regularly discusses current local, regional and global cyber risks and cyber attacks. Moreover, this working group also informs and coordinates cross-border security measures should an urgent need arise.

The position of Chief Information Security Officer (CISO) has been established within the A1 Group to lead and coordinate a wide array of security initiatives, from creating security guidelines to fighting cyber incidents.

Information Security Organisation

Security initiatives

A1 Group is participating in a wide variety of initiatives to continuously improve security (including cyber security) and availability. In 2022, the exercise “Schutzschild 2022” was conducted in Salzburg and the company also participated in the Europe-wide exercise “Cyber Europe 2022”. In 2023, the A1 Security Team achieved 2^nd place out of 300 participants in the international “Splunk Boss of the SOC” event.

It is widely known that malware – also known as viruses – can infect and damage computers. A1 offers business customers professional ICT services that effectively mitigate the impact of ransomware attacks on their business. Secure configurations and procedures within the ICT infrastructure can reduce the likelihood of such attacks. A consistently applied backup service and contingency plan makes sure that customers can recover from a ransomware attack as quickly as possible.

Staff awareness and training

In order to sensitise and train all A1 employees on information security, there are company-wide e-learning and in-depth training for the individual departments as well as regular contributions in an internal social interaction tool.

Responsible Disclosure

The security of our systems and products is of highest priority for us. Despite all the effort we put in our services, there is still the chance of vulnerabilities, which we are not aware of. If you find a vulnerability, we would be grateful if you notify us.

Please be compliant with the following conditions:

1. You can exploit the vulnerability for demonstration purpose, but this should not lead to service outages (DoS) as well as the manipulation or loss of data. The purpose of the demonstration should show the attack vector and should not cause any damage.
2. Do not share gathered information with third parties.
3. These areas/fields are not part of the responsible disclosure process:
– Physical security
– Social engineering
– Distributed Denial of Service (DDoS) attacks
– Spam & Phishing
– Exploiting vulnerabilities on systems which are dedicated to our customers
4. Please make sure to provide enough information so that we can reproduce the issue. A short description including a problem description and the URL/IP of the affected system should be sufficient.

What we will do:

1. We will not press any legal charges caused by demonstrating the vulnerability. The prerequisite is that you comply with the conditions above.
2. We will not share your data with third parties without your consent. Our correspondence will be treated as confidential.
3. We will keep you updated on the resolution of the vulnerability.

This text is based on content from Floor Terra (responsibledisclosure.nl).

Contact details:

E-Mail: responsible.disclosure(at)a1.group
PGP Key ID: C451 95B3 EB90 8ADB CDD2 982C 8F52 2AE8 1AE8 85B2

Note:
This mail address shall only be used to submit vulnerabilities.