Secure design and development

The Security Assurance team provides input into the design and implementation of IT systems. They identify the security requirements during the project planning phase, to ensure security is incorporated throughout all phases of design and development. This allows security to be tracked and tested at every stage until deployment. For more details on how we integrate security into the design and development of our IT systems, visit Security systems and information.

Classifying information

We collect, use, and store information for the purposes stated in our Member Privacy Statement. We hold Personal Identifiable Information (PII) and Personal Health Information (PHI) on behalf of our members and this is classified as Confidential and Highly Protected data.

Classification of IT systems by criticality

By understanding the availability and resilience requirements of our information systems, we can gain comfort that the digital services we provide to our members will continue to operate in the event of a disaster or business disruption. To help us to do this we:

• identify our critical information systems
• understand vulnerabilities
• perform risk assessments to understand the likelihood and impact of threats to the confidentiality, privacy, availability, and integrity requirements for systems and the data they handle

IT risk management

When IT risks are identified, we analyse and evaluate those risks to understand the severity and impact. Each risk is entered into our risk management system along with an assessment of the seriousness of the risk, and they are prioritised, assigned a due date, and tracked through to resolution.

If the risk falls within Southern Cross’ risk appetite - the level of risk we’re prepared to accept - then we may formally accept the risk. A risk resolution is documented, and the closure of a risk is only confirmed with the approval of a manager.

Controls testing

We regularly perform a programme of security control testing, where we assess our IT systems against the security standards recommended in the Centre for Internet Security (CIS)framework. Individual security controls listed in the framework are assessed for effectiveness and resilience, and any issues and defects are identified. The results are made available to our auditors and reported to the Board and management.

The issues and defects we identify are addressed by a variety of control uplift activities, including:

• implementation of new security measures
• secure configuration of IT systems
• documentation of improved processes
• security training and awareness

Security testing

We thoroughly security test our IT systems and applications on a regular basis. For example, we might employ an independent security consultancy to perform penetration testing. This helps detect possible security risks and validates that the security controls are working exactly as they should be.

Third-party assessments

We employ reputable third-party providers to manage some of our IT systems. As their systems may be located outside the Southern Cross environment, we perform a risk assessment on each third-party provider and on the services they offer. Risk assessment aims to ensure:

• Southern Cross’ information assets are not exposed to any undue risks
• the third-party provider meets compliance requirements
• the third-party provider has also implemented policies and processes to maintain the security of their services

For more information on the types of services we use, and how we assess and approve third parties, see Third-party service providers.

Related information