Page 43 - NovDefComp
P. 43

MASSACHUSETTS MUTUAL LIFE INSURANCE COMPANY
                        Defined Benefit and Defined Contribution Recordkeeping

                                    Investment Service Operations System



               Business Continuity Planning


               MassMutual’s recovery strategy is focused on diversification. Data Center recovery utilizes capabilities in
               other states, currently Colorado, intended to protect against the impact from regional disasters and multiple
               replication/backup  technologies  are  used  to  protect  against  hardware  failure.  Workspace  recovery  is
               available within multiple MassMutual-owned buildings in Massachusetts and Connecticut, many of which
               have generator backup and diverse paths for network and utilities.

               The primary Data Center in Massachusetts has been outfitted with an uninterruptible power supply (UPS)
               and N+1 generation capacity. Should there be a larger issue, systems are backed up to MassMutual-owned
               hardware in Colorado (1700 miles away). MassMutual’s home office in Springfield has also been backed
               up with generators; capable of powering around 3,700 workstations, more than we believe would be needed
               for the first 30 days of a recovery event. If workspace becomes unavailable in the MassMutual home office
               in Springfield or the office in Enfield, Connecticut, employees may be relocated to the office not impacted
               or may work remotely. MassMutual has established critical operations and workspace outside of its home
               office region in Boston, New York, and Phoenix.
               MassMutual  maintains  a  continuity  planning  program  that  is  intended  to  address,  among  other  things,
               facility/systems failure due to cyber threats, pandemics and third party outages. MassMutual’s business
               continuity program was born out of Business Impact Analysis (BIA) results. MassMutual has opted to keep
               BIA results live within the body of the business continuity plan, requiring that information to be reviewed at
               least  semi-annually  and as there are changes within  the business  line. Company policy states that  all
               business functions must be covered by a business continuity plan that is maintained in the Company’s web-
               based planning tool.
               MassMutual maintains three types of technical continuity plans: Application, Infrastructure and Processor.
               Recovery  Time  Objectives  and  Recovery  Point  Objectives  are  governed  by  business  continuity  plan
               priorities. Essential applications are generally replicated using near-real-time replication to Colorado, while
               non-essential applications are backed up using virtual tape backup to Colorado. Essential applications are
               generally restored in less than 24 hours. By policy, all technology in the Data Center must be covered by
               the appropriate technical continuity plan in the Company’s web-based planning tool.
               Emergency  response  testing  is  done  throughout  the  year  and  includes  Crisis  Management  Team
               simulations, evacuation drills and exercising of specialized plans, such as Pandemic Response, Customer
               Disaster  Response,  Aircraft  Incident  and  others.  Information  Technology  disaster  recovery  testing  is
               conducted  on  an  annual  basis  and  includes  essential  applications  and  a  rotation  of  non-essential
               applications.  Finally,  business  continuity  testing  is  conducted  throughout  the  year  and  includes  annual
               testing through an online simulator, division-level simulations, tabletop walkthroughs and participation in
               the annual IT disaster recovery test. In addition to planned testing, internal auditors have an active role in
               auditing continuity plans and test results across the Company. When potential issues are identified, such
               issues  are  documented,  assigned  an  owner  and  tracked  through  to  completion.  Plan  maintenance  is
               handled through regularly scheduled reviews. Continuity plans and the hardware/application inventory in
               the Company’s Configuration Management Database are validated annually. Finally, ongoing reviews are
               conducted throughout the year to ensure all processes and technology items are covered by continuity
               plans and to ensure they meet the Company’s Guiding Principles framework within the company policy for
               recovery prioritization.
               Technical Support Teams provide support for continuity of critical business operations 24x7x365.
               MassMutual’s  Office  of  Enterprise  Resilience  annually  reviews  the  Business  Continuity  and  Disaster
               Recovery plans for critical third parties.





                MassMutual Defined Benefit and Defined                Other Information Provided by MassMutual
                Contribution Investment Service Operations
                System
                                                             32
   38   39   40   41   42   43   44   45   46   47   48