
Massachusetts Mutual Life Insurance Company
Defined Benefit and Defined Contribution Recordkeeping Operations
General Information Technology Controls System

System and Organization Controls (SOC 1®) Report
Applicable to Proprietary Recordkeeping (PRS), Case Accounting (CAS), Participant Accounting (PAS), Investment Service Operations, FIS OMNI Recordkeeping (OMNI) and DST TRAC Recordkeeping (TRAC) Systems for the period October 1, 2019 through September 30, 2020



Table of Contents

SECTION I – INDEPENDENT SERVICE AUDITOR’S REPORT PROVIDED BY KPMG LLP
SECTION II – MASSMUTUAL’S MANAGEMENT’S ASSERTION
  MASSMUTUAL’S ASSERTION
SECTION III – DEFINED BENEFIT AND DEFINED CONTRIBUTION RECORDKEEPING OPERATIONS GENERAL INFORMATION TECHNOLOGY CONTROLS SYSTEM
  DESCRIPTION OF THE DEFINED BENEFIT AND DEFINED CONTRIBUTION RECORDKEEPING OPERATIONS GENERAL INFORMATION TECHNOLOGY CONTROLS SYSTEM
    Scope of the Report
    Background
    Complementary Subservice Organization Controls (CSOCs)
  INTERNAL CONTROL ELEMENTS
    Control Environment
    Risk Assessment
    Control Activities
    Monitoring
    Information and Communication
    Other Considerations
    Changes in the Control Environment
  INFORMATION PROCESSING
    Enterprise Technology and Experience (ETX) Organization Overview
  DESCRIPTION OF OPERATIONS
    General Information Technology Controls
      Application Change Management
      System Software Change Management
      Physical Security and Environmental Controls
      Logical Security Access Controls
      Job Processing
      Data Transmissions
    Control Objectives, Related Controls, and Tests of Operating Effectiveness
    Complementary User Entity Controls
SECTION IV – MASSMUTUAL’S CONTROL OBJECTIVES AND RELATED CONTROLS, AND KPMG LLP’S TESTS OF CONTROLS AND RESULTS OF TESTS OF OPERATING EFFECTIVENESS
    Work of Others
    Completeness and Accuracy of Information
  GENERAL INFORMATION TECHNOLOGY CONTROLS: APPLICATION CHANGE MANAGEMENT