An independent third-party auditor issued Morningstar an unqualified SSAE16 Type II certification. Morningstar is proud to provide clients peace of mind knowing that their data is secure under the SSAE16 auditing industry standard. In addition to the certification of the design of internal controls for the SSAE16 standards, controls related to Information Security (including Access Security and Application Security) were qualified to the ISO 27001/2 standards.
The independent third-party auditor verified that Morningstar has the following controls and protocols in place:
Logical security: Controls provide reasonable assurance that logical access to Morningstar production systems and data is restricted to authorized individuals
Privacy: Controls provide reasonable assurance that Morningstar has implemented policies and procedures addressing the privacy of customer data related to Morningstar applications
Data center physical security: Controls provide reasonable assurance that data centers that house Morningstar data and corporate offices are protected
Incident management and availability: Controls provide reasonable assurance that Morningstar systems are redundant and incidents are properly reported, responded to, and recorded
Change management: Controls provide reasonable assurance that development of and changes to Morningstar applications undergo testing and independent code review prior to release into production
Organization and administration: Controls provide reasonable assurance that management provides the infrastructure and mechanisms to track and communicate initiatives within the company that impact Morningstar