MASSACHUSETTS MUTUAL LIFE INSURANCE COMPANY
Defined Benefit and Defined Contribution
Recordkeeping Operations System
DC and DB Plan Administration: Investment Changes
Control Objective 8
Controls provide reasonable assurance that participant and plan investment transfers are
authorized and processed completely and accurately.
Controls Specified by MassMutual Business

8.1 Participants can initiate investment transfers through, RetireSMART℠ or the Participant Call Center. Participants can rebalance their existing investment portfolios using the RetireSMART℠ Mobile App. Plan Sponsors can also initiate participant transfer changes through RetireSMART℠ via the TRC. Access to all systems requires a unique user identifier and a Participant Identification Number (PIN) or password.

Failure to enter the correct RetireSMART℠, RetireSMART℠ Mobile App or TRC password or PIN after a predefined number of attempts will result in the user ID being locked. Participants can reset their password by answering predefined security questions.

The first time a Plan Sponsor logs into the TRC, they are prompted to enter a password change and add three security questions and answers. TRC passwords can be reset by the account holder after successfully answering the security questions.

Effective 11/6/2019, prior to accessing RetireSMART℠ and the RetireSMART℠ Mobile App, participants must pass identity proofing and authenticate using multi-factor authentication. (DB & DC)

Testing Performed by KPMG LLP and Results of Tests

Observed a member of the MassMutual System Support Team attempt to access the Automated Phone System and noted that when the caller’s PIN was entered incorrectly multiple times, the caller was directed to the Participant Call Center.

Observed a member of MassMutual attempt to sign into RetireSMART℠, TRC, and RetireSMART℠ Mobile App and noted that the user ID will lock out after a specified number of invalid logon attempts to limit unauthorized access.

Following lockout, observed a member of MassMutual reset the account passwords by answering a set of predefined security questions within RetireSMART℠ and TRC.

Observed a member of MassMutual acting as a Plan Sponsor logging into the TRC production environment for the first time and determined that they were prompted to make a password change and add three security questions and answers. Additionally, observed that TRC passwords were allowed to be reset only after successfully answering the security questions.

Observed a series of attempts to sign into RetireSMART℠ and RetireSMART℠ Mobile App and noted that participants must pass identity proofing and authenticate using multi-factor authentication.

No Exceptions Noted.

MassMutual Defined Benefit and Defined Contribution Recordkeeping Operations System
Control Objectives, Related Controls and Tests of Operating Effectiveness

