Page 23 - NovDefComp

MASSACHUSETTS MUTUAL LIFE INSURANCE COMPANY
Defined Benefit and Defined Contribution Recordkeeping
Investment Service Operations System

Where SOC 1® or similar attestations are not available, or the SOC 1® provided does not cover the operations pertinent to MassMutual, MassMutual conducts appropriate periodic quality and due diligence procedures.

The Enterprise Technology and Experience (ETX) organization provides the General Information Technology Controls (GITC) system in support of the IDT systems used to support MassMutual business operations. ETX should have controls over: documenting, authorizing, testing, approving and implementing application changes; documenting, authorizing, testing, approving and implementing system software changes; physical security and environmental protection of computer equipment and storage media; provisioning, termination, and recertification of user access based upon job responsibilities; the scheduling of production processing and system backups, and the identification and resolution of deviations from the schedule; and the completion and security of data transmissions, and identification and resolution of failures. While these GITCs are not addressed in this report, they may be found in the “Defined Benefit and Defined Contribution Recordkeeping Operations General Information Technology Controls System SOC 1 Report” for the period October 1, 2019 through September 30, 2020, which is available from MassMutual. All control objectives in this report rely on ETX as a subservice provider, as the application controls within the business processes rely upon an effective GITC environment.

Subservice Organization General IT Controls: The business process control objectives listed in the subservice table are dependent on each subservice organization having appropriate controls over application change management and logical access, and, if applicable, physical security and environmental controls, job processing and data transmissions.












































MassMutual Defined Benefit and Defined Contribution Investment Service Operations System
Description of the System Provided by MassMutual