Trust, security, and compliance

Moody's is committed to protecting the confidentiality, integrity, and availability of your data. Data across our cloud product platforms is encrypted in transit and at rest using modern ciphers and methods recommended by security industry and standards organizations. We utilize multiple network controls, access controls, and container isolation to build security directly into our products.

Tenant isolation
For our SaaS based multi-tenant platforms, customer data is logically segregated based on unique customer identifiers in conjunction with role-based access controls (RBAC) and identity service management (MFA and user authentication).  Service level controls for all data access require customer ID validation and authorization to access and process customer data stored within the platform.

Access control
Moody's insurance solutions has an Access Control Policy in place. Moody's RMS classifies customer data as highly confidential, requiring our highest degree of controls and protections. Segregation of duties and least privilege is identified and enforced which includes review of access control lists. RMS support staff are restricted from accessing data that is not directly related to the service they are providing. 

Encryption
We protect customer data in-transit and at-rest using Industry standard encryption, such as latest safe version of Transport Layer Security (TLS) and Advanced Encryption Standard using 256-bit keys (AES-256). 

Hosting
Moody's insurance solutions leverages AWS and Azure cloud platforms. Each of the vendors for these platforms has committed that its cloud platform meets major compliance standards, including SOC 1, 2, 3, ISO 27001/27017/27701, PCI DSS and Cloud Security Alliance (CSA). They attest to having security programs that cover fundamental aspects of security, including Physical and Environment Security, Business Continuity Management, Network Security, Access Controls, Account Management, Secure Design Principles, Change Management, Logging and Audit Capabilities, and Security Checks.

Layers of security
Our Cloud [application] platform is built on isolated, private networks and uses multiple network controls such as container isolation, inbound/internal traffic restrictions, monitoring of traffic rates, sources and types at multiple network points. Our multi-tier architecture is designed to be scalable, resilient, and secure. The security layers include Web Application Firewall (WAF), network firewalls, DDoS protection, monitoring and alerting systems, and network isolation.

Reliability
We have designed, architected, and built the platform to be resilient with redundancy, scalability, and failover capabilities designed to minimize downtime. Additionally, we host our services with our cloud-hosting partners that offer multiple levels of built-in redundancy and geographical distribution. We also have monitoring and alerting systems in place so our engineers can promptly and proactively respond to issues that could lead to service disruptions.

In addition to integrating Security by Design principles into the product development, our products are put through security review prior to release and are protected at runtime by a Web Application Firewall (WAF).  Also, we use automated and manual security testing processes throughout the system development lifecycle (SDLC) to identify and patch potential security vulnerabilities. We conduct continuous:

• Static Application Security Testing (SAST) of application source code and binaries which identify potential security vulnerabilities
• Dynamic Application Security Testing (DAST) of our applications as they evolve, providing automatic detection and assessment of code changes and alerting for newly discovered vulnerabilities.
• Open-Source Scanning of its open-source code, map open source in use to known security vulnerabilities, and flag potential licensing issues to ensure open-source license compliance.

Moody's RMS analyses third-party dependencies to identify and remediate vulnerabilities.

Vulnerability management
The Moody's DevSecOps team embraces the concept of “shifting left” when it comes to remediating vulnerabilities. Moody's RMS is using a secure Image factory where images are iteratively built, scanned, and remediated before releasing to production. The factory images are built to satisfy international standards in many control domains, including automated patching for vulnerability management, Infrastructure as Code (IaC) for configuration management, baked in agents for Malware Detection and Response, and multi-region, automated image rotation for Disaster Recovery.

• Moody's RMS employs independent third parties to perform penetration tests annually.  
• Issues are resolved in line with the Moody's RMS vulnerability management and patch management processes.

Web application firewall
Moody's insurance solutions uses Web Application Firewalls (WAF) to protect against application layer attacks in our production environment. WAFs analyze http traffic between users and web servers for malicious http requests and acts as an additional layer of defense to traditional network firewalls.

Change management
Moody's insurance solutions has a change management policy in place to record, evaluate, authorize, prioritize, plan, test, implement, document, and review changes to IT services and their associated components in a controlled manner.

The Moody's Business Continuity Plan (BCP) is supported by standards that include requirements for program governance, operational impact assessments, gap analysis, contingency plan/strategy development, plan testing, crisis management training, awareness, and management reporting. 

The Moody's BCP is reviewed annually and updated based on operational risks and strategic business needs. Our review program is multi-dimensional and is designed to validate the effectiveness of the BCP during both short and long-term business disruptions.