Preventing and managing risk

Security assurance is about preventing and managing Information Technology (IT) security risks for the services that use, store, and transmit information. It ensures compliance with industry standards and implementation of the right security policies to keep information secure.

The Security Assurance team are responsible for assessments and assurance activities including the secure design and development of services, control testing, IT risk management, and third-party risk assessments.

 


 


Control uplift
Increasing the maturity and effectiveness of a security control.


IT risk
The possibility that an IT system suffers a breach or other failure that leads to data loss, data integrity issues, or unavailability. Risk is quantified in terms of likelihood and consequence. Most organisations have a ‘risk appetite’, which is the level of risk the organisation is prepared to accept. High likelihood and high consequence risks are never accepted, while low likelihood and low consequence risks may be completely acceptable unless they are easy to address.


IT systems
IT services and applications that support a set of business processes, and store and manage information.


Penetration testing
An intensive testing process where an expert in security testing (or “hacking”) techniques attempts to breach an IT system. This helps identify vulnerabilities that can be addressed before a malicious person finds them.

Personal Identifiable Information (PII)
Information about an identifiable individual, such as a member, employee, provider or adviser, governed by New Zealand’s privacy laws and (where it contains health information) the Health Information Privacy Code 1994.


Security control
A safeguard or measure that we’ve implemented to avoid, detect or minimise security risks to data, business applications, systems or physical property.


Third-party provider
An external partner, vendor, consultant, or an independent contractor that provides specialised products, services and other expertise to Southern Cross.

 
Secure design and development

The Security Assurance team provides input into the design and implementation of IT systems. They identify the security requirements during the project planning phase, to ensure security is incorporated throughout all phases of design and development. This allows security to be tracked and tested at every stage until deployment. For more details on how we integrate security into the design and development of our IT systems, visit Security systems and information.
 


Classifying information

We collect, use, and store information for the purposes stated in our Member Privacy Statement. We hold Personal Identifiable Information (PII) and Personal Health Information (PHI) on behalf of our members and this is classified as Confidential and Highly Protected data.



Classification of IT systems by criticality

By understanding the availability and resilience requirements of our information systems, we can gain comfort that the digital services we provide to our members will continue to operate in the event of a disaster or business disruption. To help us to do this we:

  • identify our critical information systems
  • understand vulnerabilities
  • perform risk assessments to understand the likelihood and impact of threats to the confidentiality, privacy, availability, and integrity requirements for systems and the data they handle

IT risk management

When IT risks are identified, we analyse and evaluate those risks to understand the severity and impact. Each risk is entered into our risk management system along with an assessment of its seriousness, and is then prioritised, assigned a due date, and tracked through to resolution.

If the risk falls within Southern Cross’ risk appetite - the level of risk we’re prepared to accept - then we may formally accept the risk. A risk resolution is documented, and the closure of a risk is only confirmed with the approval of a manager.
 


Controls testing

We regularly perform a programme of security control testing, where we assess our IT systems against the security standards recommended in the Center for Internet Security (CIS) framework. Individual security controls listed in the framework are assessed for effectiveness and resilience, and any issues and defects are identified. The results are made available to our auditors and reported to the Board and management.

The issues and defects we identify are addressed by a variety of control uplift activities, including:

  • implementation of new security measures
  • secure configuration of IT systems
  • documentation of improved processes
  • security training and awareness


Security testing

We thoroughly security test our IT systems and applications on a regular basis. For example, we might employ an independent security consultancy to perform penetration testing. This helps detect possible security risks and validates that the security controls are working exactly as they should be. 


Third-party assessments

We employ reputable third-party providers to manage some of our IT systems. As their systems may be located outside the Southern Cross environment, we perform a risk assessment on each third-party provider and on the services they offer. Risk assessment aims to ensure:

  • Southern Cross’ information assets are not exposed to any undue risks
  • the third-party provider meets compliance requirements
  • the third-party provider has also implemented policies and processes to maintain the security of their services

For more information on the types of services we use, and how we assess and approve third parties, see Third-party service providers.

 


Related information

  • Security governance
  • Security compliance
  • Security systems and information


