Restricting Information Access:
- Access to systems containing personal information is restricted to employees with a legitimate business need to access such information.
- Service providers are contractually bound to implement and maintain our requirements for the protection of your personal information. They are also required to comply with legal and regulatory requirements related to data privacy and information security.
Information Security Platform & Infrastructure:
- We use a multi-tiered architecture that places multiple levels of firewalls between the Internet and the intranet, providing multiple layers of defense.
- A Security Information and Event Management (“SIEM”) system, together with intrusion detection and protection sensors, monitors for irregular activity and attack signatures.
- All external connections to company networks, applications, or data over the public Internet require multi-factor authentication.
- Employees working remotely who need access to information are required to go through a multi-tiered “firewalled” demilitarized zone and a virtual private network (“VPN”) client.
- Our anti-virus infrastructure and content controls are maintained to address the introduction of malicious code at the gateway, server and client levels, using multiple technologies to reduce the risk from new viruses and to prevent inappropriate communications or leakage of personal or confidential information.
- Multiple Internet service providers (ISPs) are used to maintain availability and short response times for our customers. Multiple Internet points of presence are geographically dispersed to facilitate availability and mitigate the risk of catastrophic events.
- Our Enterprise Continuity Program is designed to drive projects that build resilience and eliminate common or predictable business interruptions. The program also develops and regularly tests protocols to ensure efficient recovery of critical business applications and functions when unavoidable incidents occur.
Testing and Assessing Risk:
- We continuously assess the risk and vulnerability of changes to the security of our infrastructure.
Regular Monitoring, Evaluation, and Adjustment:
- We continuously monitor, review and adjust our cybersecurity policies and procedures based on changes in technology and the sensitivity of information, in order to ensure that we operate in a manner reasonably designed to protect against reasonably foreseeable threats or hazards to the confidentiality, security or integrity of personal information. A cross-discipline Incident Response Team exists to investigate and manage potential information security incidents.
Protecting MassMutual Systems:
- Data centers, operations centers, and other key buildings and assets are subject to physical security measures and related monitoring.
Ongoing Cybersecurity Awareness:
- Our cybersecurity awareness program includes focused communications, events, and training intended to reinforce management’s expectation that employees comply with MassMutual’s Information Technology Policies and Standards.
- Information Technology messages are also integrated into corporate programs such as new employee orientation and the employee Code of Business Conduct and Ethics (“Code”).
- Employees are required to acknowledge the Code annually, which reinforces the commitment to adhere to all of our policies and procedures, including those applicable to privacy and information security.