Restricting Information Access
Access to systems containing personal information is restricted to employees with a legitimate business need to access such information.
Service providers are contractually bound to implement and maintain our requirements for the protection of your personal information. They are also required to comply with legal and regulatory requirements related to data privacy and information security.
Information Security Platform & Infrastructure
We use a multi-tiered architecture that places multiple levels of firewalls between the Internet and our intranet, providing multiple layers of defense.
A Security Information and Event Management (SIEM) system, together with intrusion detection and protection sensors, monitors for irregular activity and attack signatures.
All external connections to company networks, applications, or data over the public Internet require multi-factor authentication.
Employees working remotely who need access to information are required to go through a multi-tiered “firewalled” demilitarized zone and a virtual private network (VPN) client.
Our antivirus infrastructure and content controls are maintained to address the introduction of malicious code at the gateway, server, and client levels. They use multiple technologies to reduce the risk posed by new viruses and to prevent inappropriate communications or the leakage of personal or confidential information.
Multiple Internet service providers (ISPs) are used to maintain availability and short response times for our customers. Multiple Internet points of presence are geographically dispersed to facilitate availability and mitigate the risk of catastrophic events.
Our Enterprise Continuity Program is designed to drive projects that build resilience and eliminate common or predictable business interruptions. The program also develops and regularly tests protocols to ensure efficient recovery of critical business applications and functions when unavoidable incidents occur.
Testing and Assessing Risk
We continuously assess the risk and vulnerability of changes to the security of our infrastructure.
Regular Monitoring, Evaluation, and Adjustment
We continuously monitor, review, and adjust our cyber security policies and procedures based on changes in technology and in the sensitivity of information, in order to ensure that we are operating in a manner reasonably designed to protect against reasonably foreseeable threats or hazards to the confidentiality, security, or integrity of personal information. A cross-discipline Incident Response Team exists to investigate and manage potential information security incidents.
Protecting MassMutual Systems
Data centers, operations centers, and other key buildings and assets are subject to physical security measures and related monitoring.
Ongoing Cyber Security Awareness
Our cyber security awareness program includes focused communications, events, and training intended to reinforce management’s expectation that employees comply with MassMutual’s Information Technology Policies and Standards.
Information Technology messages are also integrated into corporate programs such as new employee orientation and the employee Code of Business Conduct and Ethics (“Code”).
Employees are required to acknowledge the Code annually, which reinforces the commitment to adhere to all of our policies and procedures, including those applicable to privacy and information security.