The firm is committed to designing and maintaining an appropriate, robust program of information security to secure data, systems and services.
Current highlights of our information security program include:
- A dedicated group – the Information Technology Risk group – that provides oversight and guidance to our information security and resiliency program;
- Use of specialized technology, such as stateful inspection firewalls and IP-based permissions, to limit connectivity to our hosted services, applications, and client data;
- Testing of our applications and services in a controlled testing environment before they are released into production;
- Coordinated change management processes that include applications, infrastructure and facilities;
- Comprehensive business resiliency planning with extensive disaster recovery and business continuity testing;
- Regular internal and external security audits and vulnerability assessments by third-party security vendors and in-house staff;
- 24x7 cyber security operations monitoring of our sites and services to detect and act on weaknesses and potential intrusions;
- Role-based access controls to identify, authenticate, and authorize individuals to access systems based on their responsibilities;
- Disabling accounts after defined periods of inactivity and conducting access reviews periodically;
- Protection, including encryption, for the secure communication of sensitive data; and
- Review of our applications, infrastructure and security program in light of new threats and vulnerabilities.
The MSCI Security Awareness program for all employees includes mandatory annual security training and testing. Security awareness materials are periodically distributed to all employees and made available for reference on our corporate intranet. Additionally, all new employees must undergo compulsory security awareness training.